It is a provident and good thing that I was such a workaholic in 2012 that I was too distracted to watch much television. I never found the time to watch the popular series Homeland. Why is it a provident and good thing that I never turned on a show that many people would never miss or would Tivo? Because according to a December 6, 2012 article I found on the Forbes Magazine website, the character of the Vice President in this fictional series “is assassinated by a group of terrorists that have hacked into the pacemaker controlling his heart. In an elaborate plot, they obtain the device’s unique identification number. They then are able to remotely take control and administer large electrical shocks, bringing on a fatal heart attack.”
According to the website of the American Congenital Heart Association, the episode certainly resulted in some increased patient phone call volume in physician’s offices at the time, with people asking, “Can my pacemaker be hacked?” But you’re saying to yourself “this is just fiction, right?” Well, according to the website for Engadget, Dick Cheney had been warned his defibrillator could be used to assassinate him. I have said this before in blog posts and now I say it again: YIKES!!!!!
The Homeland episode apparently aired during the same time frame that I blacked out and fell off the treadmill. But I didn’t have a pacemaker device at the time so I am confident that there was no way that a hacker could have caused my unfortunate treadmill incident. It wasn’t until March 2013 that I learned I needed a pacemaker. But can you imagine the anxiety that would have gripped my heart if I had seen a show (even fictional) where a character was slain through the hacking of a pacemaker device?
You’re probably saying, geez Melanie, give it a rest! Stop worrying over things that are not likely to happen to you. Well, let’s look into this a little further. Is death or injury by heart device hacking fact or fiction for anyone other than the Vice President? According to that same Forbes magazine article: “Yes (although the part about the attacker being halfway across the world is questionable). For years, researchers have been exposing enormous vulnerabilities in internet-connected implanted medical devices.” Additionally, the website for Engadget indicated that in August of 2017, the FDA recalled almost a half a million devices due to hacking concerns.
Do not be too concerned – I am not calling up my electrophysiologist to request that he schedule surgery to remove the device. I remember in vivid detail what it felt like when my heart was not paced on regular basis. Without this device, on a scale of 1 – 10, I feel like I would be operating at a minus 4. Plus, my current heart device has a defibrillator. This is because I am at risk for cardiac arrest. So having the device and being hacked or not having the device and going into cardiac arrest – I guess it’s a crapshoot either way. I’ll put my money on the device.
According to the St. Jude Medical website, when the heart devices were recalled, there was a firmware update that could be installed without having to remove the device from the patient’s body. So while the risk exists, it appears that the fix is not one that would be onerous.
It helps me put the risk in perspective when I hear that the hacking risks had been researched for at least a few years before the 2012 Homeland episode. There is an article called “Heart-Stopper: Could Hackers Hit Pacemakers, Other Medical Implants?” on the website Scientific American. This March 14, 2008 article discussed the challenges in trying to make a variety of implanted devices hack-proof. It said “Protecting implanted medical aids is tricky because manufacturers must avoid security measures that could cause the devices' batteries to run down or otherwise impede their lifesaving functions. The researchers propose that makers incorporate "zero-power" defenses into future designs, such as radio-frequency identification tags that create vibrations or audibly alert the patient of possible tampering without sapping battery power.”
The article once again confirms that this threat is real and not just one manufactured in Hollywood. But what I also take away from this article is that the doctors and researchers recognize that care must be taken to protect devices without causing the devices to be less effective. So the heart doctors and medical companies continue to be there for heart patients.
The American College of Cardiology published a study in February 2018 called Cybersecurity For CIEDs: What Should You Know?” CIED stands for cardiovascular implantable electronic devices. The teaser for this article says that: “The potential for hacking cardiovascular implantable electronic devices (CIEDs) such as pacemakers and defibrillators may be a growing problem for patients and health care providers…”
So does this cause me to panic? Nope – not yet. The word potential says to me that the record of documented instances of harm to patients due to hacking is not yet significant. I looked at the words that are synonyms for the word potential and saw “hypothetical”. As a lawyer, I worked with hypothetical issues for my entire career. No one thinks of lawyer work as risk management, but it really is. I helped the people I advised think of all the hypothetical contingencies that could occur. Then together we would come up with legal and practical solutions to handle those contingencies. So I am really comfortable with the fact that medical experts on ICD devices are figuring out what possible risk there is to hacking in the internet age.
When I got my first pacemaker, I was thrilled to have a device that can be easily and continually monitored by a team of people who are at a remote location. So let me state again, that I don’t want someone to pull out the current ICD in my body and put in an older version that isn’t monitored on line because it is probably not as effective for the purpose of maintaining heart functions.
What does the article say the hackers might possibly do? Well they could manipulate normal interactions such by deactivating features; delaying, interfering or interrupting communications; and altering programming. Here are some examples of how that might work: In pacemakers, patient safety issues can come from over-sensing or sudden battery depletion. Just like other causes of electromagnetic interference, the detection of signals of non-cardiac origin may prevent pacing, causing for prolonged periods of asystole with the risk of syncope or sudden death.
Let’s explore these three possible outcomes that can occur if pacing is disrupted. So let’s start with syncope. If you have seen my other posts, you may remember several that discussed the very melodic and deceptive word “syncope”. It sounds like the patient is just very musically coordinated. Instead, it means that the patient is losing consciousness at the drop of a hat.
I was not familiar with the term “asystole” so I had to look it up. According to the American Heart Association, asystole is a life-threatening heart rhythm characterized by an absence of electrical activity. Because there is no electrical activity, there is no heartbeat. This condition can lead to death if it's not treated and reversed immediately. The third outcome, sudden death, is not one I would like to explore any time soon. Of all the outcomes, syncope is the least daunting, but still, I would prefer that my ICD continues to pace like it normally does.
The article recommends that the medical industry needs to do more pre- and post-market testing, and might want to consider protective software that would be embedded in each ICD. Also, the article suggests patient education and shared decision-making. All of these sound like good options to me, especially if implemented as a package deal.
So where does hacking stack up in the list of things to worry about? I liked the conclusion from the article that was on the Scientific American website. It noted that it is important to not scare patients, as such mischief is unlikely at this point. But the article also noted that it is important to keep on top of the issue, given the potential for trouble. The article recommends that computer and security development should be brought into the realm of medical devices.
But perhaps the following statement from the Electrophysiology Section Council of the American Heart Association provided me the comfort: “While it is important to stay alert, the Council states that no enhanced monitoring or elective device replacement is necessary at this point, and there is currently no evidence that a CIED can be reprogrammed.” Also on a happy note, the research that I have covered in this post is fairly recent. Because things in the world of IT can change so quickly, it is reassuring to learn that the research relative to anti-hacking efforts is proceeding apace!
But I feel most comforted by the fact that I have no plans to ever be on a party ticket as a candidate for the position of Vice President of United States. Therefore, I suspect that I am not a viable victim for those who would hack heart devices. And for this fact, I am abundantly grateful.
Melanie discovered that she had heart failure in 2013. Since that time, she has been learning how to live with the condition, and how to achieve balance and personal growth.