HRS: Here’s How to Talk About Cybersecurity Concerns and Implantable Devices

Patients don’t expect clinicians to be cybersecurity experts, but clinicians do have a critical role to play nonetheless, David Slotwiner says.

BOSTON, MA—No patients are known to have been harmed through exploitation of a vulnerability in an implanted device. But cybersecurity concerns are not hypothetical, and clinicians have an important role to play in guiding patients through those issues, according to the Heart Rhythm Society (HRS).

Highlighted by recent firmware updates provided by Abbott for some of its implantable cardioverter-defibrillators and cardiac resynchronization therapy defibrillators and a new action plan from the US Food and Drug Administration (FDA), the issue of cybersecurity as it relates to medical devices has grown in importance in recent years.

Though medical societies often need to communicate with their members about device recalls and other topics, while coordinating with messages coming from manufacturers and the FDA, issues surrounding cybersecurity tend to be a bit trickier, and clinicians may not feel well prepared to have those discussions with patients, David Slotwiner, MD (NewYork-Presbyterian Queens and Weill Cornell Medical College, New York, NY), chair of the health policy committee for HRS, told TCTMD.

“Patients recognize that clinicians are not cybersecurity experts, and they don’t expect us to be, but they do expect and need their clinician to help interpret the information coming from FDA or the manufacturer and personalize it to their individual condition,” Slotwiner said. “So clinicians have a critical role and I do want them to recognize that.”

There will likely be a growing need for such discussions in the future, “and we suspected that clinicians needed some guidance on their role in this process and guidance on how to talk to patients about this,” Slotwiner said.

“I think as long as the medical community, industry, regulatory agencies, medical societies, and physicians recognize that this is a concern . . . and are all focused on . . . doing the right thing to minimize these risks, I think the risk is small.” David Slotwiner

To that end, HRS convened a summit last year that included representatives from the FDA, the Federal Bureau of Investigation, and the Department of Homeland Security (DHS); subject matter experts; five cardiac implantable electronic device (CIED) manufacturers; leaders from HRS and the American College of Cardiology; and patient representatives.

Out of that effort came a document—discussed at the HRS 2018 Scientific Sessions last week and published simultaneously online in Heart Rhythm—containing communications strategies for clinicians to use when discussing cybersecurity with their patients.

“We want the clinical arena to know that there is a very robust mechanism in place out there for evaluating cybersecurity threats, and I don’t think that’s well understood,” Slotwiner said. Most vulnerabilities are discovered by cybersecurity researchers, who pass the information to a group within the DHS. There, the potential threats are validated and then conveyed to the FDA and manufacturers if a resolution is needed. Sometimes, however, “malicious actors” will bypass that chain and release news of a vulnerability directly to the public, where the information can cause confusion and fear while experts determine the significance, Slotwiner said.

“We want patients to understand that having an implantable medical device is in some ways like having a smartphone or any other computer, this one’s just implanted in you, and like those other computers it will need software updates intermittently throughout the life cycle,” he said. “We recommend that clinicians discuss this with patients even before implant because we think setting the expectation upfront will minimize fear in the event that there is a threat that’s released and also help them understand the need for the in-person follow-up as well as the remote.”

That discussion should include six key components, according to the new guidance:

  • What can happen if a vulnerability is exploited
  • How to minimize risk of being exploited
  • The technical feasibility of exploiting a vulnerability (“Usually, these are very difficult to exploit and it’s more of a theoretical risk than an actual risk,” Slotwiner said)
  • Long-term fixes for the vulnerability, usually through a firmware update
  • Possible risks associated with software/firmware updates
  • Weighing the benefits of the device versus the risks associated with the vulnerability

To that last point, Slotwiner said: “We don’t want patients rejecting these therapies out of fear because almost always the benefits are, if they’re not life-sustaining they’re close to it, so we want them to understand the benefits of the therapy compared with the risk of the vulnerability and potential threat, which is usually very, very small.”

There have been no known cases of patients being harmed through exploitation of a vulnerability in an implanted device, he said. “But it is completely possible to hack any device. It’s just a matter of how much time and resources somebody wants to spend,” he added. “And so I think as long as the medical community, industry, regulatory agencies, medical societies, and physicians recognize that this is a concern—and it’s throughout the whole healthcare enterprise—and are all focused on . . . doing the right thing to minimize these risks, I think the risk is small.”

Todd Neale is the Associate News Editor for TCTMD and a Senior Medical Journalist. He got his start in journalism at …

Disclosures
  • Slotwiner reports no relevant conflicts of interest.
