Hacking Is a Risk for Pacemakers. So Is the Fix

A new software patch to fix a cybersecurity weakness in hundreds of thousands of implanted heart devices has raised a dilemma among doctors and patients: Is the fix worth the risk?

The software update that Abbott Laboratories released in late August is supposed to reduce the risk that someone with malicious intent could gain unauthorized remote access to a patient's pacemaker. Abbott issued the update after outside security researchers identified vulnerabilities in the devices.

But Abbott has said the update itself -- administered in a doctor's office or hospital -- carries a slight risk of causing a malfunction in the pacemakers, which are implanted in patients' chests to correct abnormal heart rhythms.

The dilemma underscores the limits of technology as medical devices increasingly are connected to the internet. The connections help doctors remotely catch problems that might otherwise go undetected -- such as irregular heart rhythm or dwindling battery life -- but they theoretically can expose devices to hackers. And yet, when companies offer fixes, the decision to adopt them isn't easy.

There are no known reports of patients being harmed by hacking of the pacemakers, according to the U.S. Food and Drug Administration. A hacker would have to be within close proximity to a person to gain unauthorized access, said Mike Kijewski, chief executive of MedCrypt, a device-security firm.

Since Abbott released the software update, the FDA has received at least 12 reports claiming malfunctions of pacemakers during the updates, according to a review by The Wall Street Journal of the agency's database of medical-device adverse events. Several of the reports say the pacemaker went into backup-pacing mode during the update, and in some cases the update wasn't successfully completed. In backup mode, the pacemaker switches to a fixed default rhythm rather than one customized for that patient.

None of the reports cited any serious harm to patients.

Abbott spokeswoman Candace Steele Flippin said the company wasn't aware of any reports of patient harm from the updates. The company designed the update so that pacemakers would temporarily operate in backup-pacing mode, with life-sustaining features remaining available, and revert to pre-update settings once it is complete. She said Abbott is committed to keeping the devices secure, and encourages patients to discuss the risks and benefits with their doctors to decide if the update is appropriate.

Suzanne B. Schwartz, associate director for science and strategic partnerships at the FDA, said in an interview the cybersecurity vulnerabilities in the Abbott devices posed an "unacceptable" risk, and the agency felt strongly that the company make a fix available. She said the FDA isn't in a position to mandate that patients get the updates, but she cautioned against doctors assuming that the risk of hacking is so low that the update isn't worth it.

The Abbott pacemakers in question are implanted in about 465,000 people in the U.S.

Some doctors and institutions, such as the cardiology department at NewYork-Presbyterian/Weill Cornell Medical Center, aren't recommending the Abbott software update. "It's not really a risk we're willing to take at this point," said Bruce Lerman, chief of cardiology at the hospital. "We don't feel the benefit at this point necessarily outweighs the potential risk of uploading this software."

Cybersecurity researchers have identified weaknesses in other medical devices in recent years, including infusion pumps made by Pfizer Inc.'s Hospira unit and insulin pumps from Johnson & Johnson's Animas unit.

There were no known reports of these devices being hacked, according to an arm of the Department of Homeland Security that monitors cyberthreats.

In 2007, doctors disabled the wireless features of then-Vice President Dick Cheney's implanted heart device to guard against an attack by a hacker, according to "Heart," a book Mr. Cheney co-wrote with his doctor.

Doctors are in a tough spot because most have less experience assessing cybersecurity risks than traditional medical risks. "It's really the first time this has come to a head, where there is this need for doctors to start making this decision about whether they should fix cyber-threats in something when it poses a safety risk for patients," said Stephanie Domas, lead medical security engineer with Battelle, a nonprofit research-and-development institute in Columbus, Ohio.

Abbott declined to say how many patients have received the cybersecurity update.

The update, designed to ward off hacking, was for a type of software known as firmware. Abbott acquired the pacemakers with its purchase of St. Jude Medical this year, and they include the brands Anthem and Accent.

The FDA said in August that vulnerabilities in the pacemakers could allow an unauthorized user to modify program commands, which could hurt patients by causing rapid battery depletion or inappropriate pacing.

The Abbott software update takes a few minutes. It involves a doctor or technician placing a tethered wand over the site of the pacemaker.

Abbott said the update can cause malfunctions including loss of programmed device settings or complete loss of function in well below 1% of patients. This could be serious for patients whose underlying heart disorder is severe enough to require frequent assistance from the pacemaker. Abbott said any "pacing dependent" patients getting the update should be in a facility with backup pacing equipment.

Steven L. Zweibel, director of electrophysiology at Hartford Hospital in Hartford, Conn., said his hospital isn't recommending the update, but would consider changing that advice if more evidence emerged that the risk of hacking was greater.

"If there's a patient dependent on the device and it loses functionality because of a firmware update, you now take this patient who was doing just fine, who had a one-in-a-billion chance of having their device hacked, now you've done some harm to them," Dr. Zweibel said.

Some doctors who don't think the software update is necessary say they're avoiding bringing it up with patients. John Mandrola, a cardiac electrophysiologist in Louisville, Ky., said he would discuss the update only if patients ask about it. One patient called recently to do so, and was OK with his recommendation against the update, he said.

John Lando, a retired communications worker in Deer Park, N.Y., has one of the Abbott pacemakers and got the software update.

Mr. Lando said he thinks the risk that his pacemaker would be targeted by a hacker is low. Still, he said, "I'd rather be safe than sorry, and I don't worry about patches and all that, so I said, 'Do it.'" It was over in minutes, and his device didn't malfunction.

Write to Peter Loftus at peter.loftus@wsj.com

(END) Dow Jones Newswires

October 20, 2017 05:44 ET (09:44 GMT)