Feature

Cybersecurity concerns prompt discussion on remote monitoring

Vulnerabilities in newer technologies create a need for vigilance.

Recent concerns have been raised about cybersecurity issues with implantable cardiac devices with remote monitoring capabilities. Clinicians who treat patients with these devices must be alert for potential vulnerabilities, but should also provide patients with reassurance that the odds of a breach are very low and the benefits of the devices outweigh the risks, according to experts Cardiology Today interviewed.

“Certain determined individuals will always find a way to hack into systems,” Cardiology Today Editorial Board member Jagmeet P. Singh, MD, DPhil, FACC, FHRS, associate chief of the cardiology division at Massachusetts General Hospital Heart Center, Roman W. DeSanctis Endowed Chair in Cardiology and professor of medicine at Harvard Medical School, said in an interview. “However, the benefit of real-time wirelessly transmitted data that allow us to better manage our patients outweighs that risk. A very slight hypothetical risk should not deter us from using technology that has overwhelmingly shown to allow us to better monitor and treat our patients.”

Vulnerability allegations

In August, Muddy Waters Capital LLC announced it would short the stock of St. Jude Medical, then an independent company but now part of Abbott, based on findings from MedSec, a cybersecurity firm, that its implantable cardiac devices with the Merlin@home remote monitoring system were vulnerable to two types of cyber-attacks, one causing “crashing” or excessively rapid pacing and the other draining the battery. Shortly thereafter, St. Jude Medical announced it would sue four entities and three individuals involved in making the allegations, the FDA launched an investigation and the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) commenced an analysis.

In January, the company released a patch to reduce the risk for hacking, the FDA issued a safety communication stating the benefits of the devices outweigh the cybersecurity risks, and the DHS issued two advisories — one for Merlin@home and one for Merlin on Demand — assigning a Common Vulnerability Scoring System base score of 8.9 out of 10 to the vulnerability and concluding that “an attacker with high skill would be able to exploit” it.

The company, the FDA and the DHS all stated that they are not aware of any hacking incidents.


“One thing that this [FDA] advisory and this process does is provide a mechanism for the same thing that governs manufacturing of hardware, which is ... the ability to continuously make improvements with regulatory oversight,” Leslie A. Saxon, MD, told Cardiology Today. Saxon is professor of medicine and clinical scholar at Keck School of Medicine, University of Southern California (USC); executive director of the USC Center for Body Computing; and chair of St. Jude Medical’s cybersecurity medical advisory board. “How do we understand and categorize risk and make notification standard so that we’re doing this in the safest way possible for patients based on what’s known?”

Jonathan P. Piccini, MD, MHS, FACC, FAHA, FHRS, associate professor of medicine at Duke University Medical Center, said the data the public health advisories were based on were never shared with the public, so agreeing or disagreeing with them is “conjecture.”


However, he said, “it seems pretty clear the risk is extremely low and, from what I understand, would require the confluence of several extremely unlikely circumstances,” including no one monitoring the device properly and the device not being updated with software patches. “The probability of cybersecurity events is so low that the benefits of the devices far outweigh the rare chance of harm from a cybersecurity risk.”

Hemal M. Nayak, MD, FACC, FHRS, assistant professor of medicine, director of the Cardiac Electrophysiology Fellowship and director of the Lead Management Program at the University of Chicago Medicine, and one of the individuals named in the lawsuit by St. Jude Medical — the company alleges he made false claims about cybersecurity issues with the devices — told Cardiology Today, “while the probability of these vulnerabilities being exploited may be low, the impact of an exploit would be quite high and could potentially undermine the faith that patients have in remote device monitoring and device therapy as a whole.”

Implications for clinicians

Therefore, experts said, clinicians need to closely monitor their patients with affected devices and follow the FDA’s recommendations.

“Patients need to be reminded to check that their Merlin@home remote transmitters are plugged in and connected so that the patch issued by St. Jude Medical can be automatically installed,” Nayak said. “Calling patients at home to confirm this is a good idea. I would also take time and discuss this with patients during their office visit.”

What doctors should not do, Saxon said, is overreact based on media reports, as happened in 2006 when an FDA advisory on pulse generators for implantable cardioverter defibrillators manufactured by Guidant, now part of Boston Scientific, prompted the unnecessary explant of many ICDs.

“What ended up happening with that safety advisory was that more risk was introduced, because physicians and patients interpreted [the problem] as greater risk [than explanting],” she said. “So they changed the devices out, inadvertently introducing more risk [such as] infections and lead problems that were of much higher frequency than [the problem described in] the actual advisory.”

Ultimately, she said, the incident resulted in standardized risk reporting for medical device hardware, which “was helpful because it provided patients and doctors a roadmap,” and “I would like to see it go the same way” for software.

Piccini said clinicians should reassure their patients that remote monitoring is part of the solution to the problem.

“We know that remote monitoring is associated with improved outcomes,” he said. “Frequent routine follow-up allows the patients to have the software on their devices updated as needed. I think it’s a common-sense approach [and is] not any different from what the medical community has been counseled with for [other advisories].”

Ongoing discussion

With the world becoming more electronically connected each day, cybersecurity concerns are here to stay, but the actions taken in response to the concerns with the St. Jude Medical devices could be a template for future response, experts said.


“Cybersecurity risks are progressively becoming an issue on all fronts of life,” Singh said. “The report from the FDA ... is reassuring. Nevertheless, I think it is always possible that there could be similar situations in the future across all device vendors.”

Nayak agreed, noting that “this is the first safety communication issued by the FDA involving cybersecurity in cardiac implantable devices and probably not the last. Concerns relating to cybersecurity are only going to increase. I am encouraged that the FDA took action.”

Connected devices will only become more prevalent, as it is “an incredibly important and promising area that is only going to increase in terms of the way people interact with medical care,” Saxon said.

Therefore, she said, “This is going to be an ongoing discussion ... including a patient voice ... about how the potential benefits are enormous but we have to accept some risk, like we do every day when we get in a car or make a phone call. ... We have to constantly understand what the risks are on an ongoing basis, report them and make sure the information gets to everybody.” – by Erik Swain

Disclosure: Nayak reports holding an immaterial amount of equity in MedSec and that MedSec and Muddy Waters Financial are paying his legal fees for the lawsuit filed by St. Jude Medical. Piccini reports receiving research grants from Boston Scientific and St. Jude Medical and consulting for Medtronic. Saxon reports serving on an advisory board for St. Jude Medical. Singh reports consulting for Biotronik, Boston Scientific, Impulse Dynamics, Medtronic, Respicardia and St. Jude Medical.
