Ask the Doctors: Hacking into medical devices is theoretical possibility

Dear Doctor: As a fan of the TV show “Homeland,” I was skeptical (and also creeped out) when a character was assassinated by someone hacking his pacemaker. But I just read that this might actually be possible. My dad has a pacemaker, and now I’m worried. Is this really a serious risk?

Dear Reader: We remember when that scene aired and the resulting stir that it caused, and we admit that we share your discomfort. The idea that an unseen individual can take control of a medical device in someone else’s body is profoundly disturbing. And while it would be great to be able to brush it all off as the product of a TV writer’s overheated imagination, the possibility of such hacking, while remote, does exist.

A paper recently published in the Journal of the American College of Cardiology tackled this very subject, which is perhaps how it came to your attention. The authors point out that, in a world increasingly dependent on (and connected by) online technology, it’s not only pacemakers that are vulnerable. Defibrillators, neurostimulators and implantable drug pumps, like insulin pumps, rely on the same embedded computers and software radios for their two-way communication. Their findings are that weak security features have left these devices potentially vulnerable to outside manipulation.

The possibility of this type of interference first arose about a decade ago. That’s when technological advances made it possible to program and communicate with a pacemaker wirelessly. Up until that time, a patient had to visit the cardiologist’s office for the doctor to collect data from the device, and to deliver any updates. As soon as things went wireless, that meant there was software involved. And the nature of software, as we see every day, is that it can be hacked. In addition to concerns about attacks on the functioning of various implanted medical devices, experts warn that the highly sensitive data those devices collect from patients and send out to health care providers can be compromised as well.

The Food and Drug Administration and the Department of Homeland Security have both become involved in the issue. The FDA has published a cybersecurity update on its website and outlined the steps it is taking to protect the public. Earlier this year, DHS put out an advisory regarding potential vulnerabilities in a certain cardiac device, which caused the company to evaluate and address the issue.

Unfortunately, the only foolproof fix to reduce the risk of hacking is to ditch the wireless technology. But considering the many benefits of remote access, which facilitates software updates, allows real-time monitoring and can deliver updates to treatment protocols without the physician physically present, it’s realistic to expect that wireless tech is here to stay.

In addition to addressing the vulnerabilities in wireless medical technologies, the lead author has been careful to state, both in the paper and in subsequent media interviews, that the risk of such hacking remains theoretical. Here in the real world, at this point in time, there have been no documented cases of implantable cardiac devices being hacked.

Eve Glazier, M.D., MBA, is an internist and assistant professor of medicine at UCLA Health. Elizabeth Ko, M.D., is an internist and primary care physician at UCLA Health.