People with pacemakers are vulnerable to hackers, a major review has found.
Every year, about 35,000 UK patients are fitted with the lifesaving devices to fix abnormal heart rhythms. A further 13,000 have implantable cardioverter defibrillators (ICDs) capable of delivering a life-saving shock.
But a report examining the risk of cyber attacks on medical equipment says advances in technology have left the patients vulnerable.
Experts from the American College of Cardiology said the devices could be hacked for motives including political or financial gain.
Implanted under the skin close to the collarbone, the modern pacemaker is a miniature computer with its own software. In addition to keeping the heart pumping efficiently, it can also transmit information about a patient’s condition to their doctor, flagging up when something is wrong.
Hackers could theoretically tap into the software to drain a pacemaker’s battery, turn the device off or, in the case of an ICD, cause it to deliver a heart-stopping shock.
According to the study, medical devices have been the targets of hacking for more than a decade and the increasing use of software has created the need to protect devices from ‘intentional harmful interference’. They found that while there have been no reports of malicious or inadvertent hacking or malware attacks affecting the cardiac devices, it was a credible threat.
Manufacturers of the devices and doctors and patients using them must remain vigilant to prevent attacks, the authors warned.
Study author Professor Dhanunjaya Lakkireddy, of the University of Kansas Hospital, said: ‘True cyber-security begins at the point of designing protected software from the outset, and requires the integration of multiple stakeholders, including software experts, security experts and medical advisers.
‘The likelihood of an individual hacker successfully affecting a cardiovascular implantable electronic device or being able to target a specific patient is very low.
‘A more likely scenario is that of a malware or ransomware attack affecting a hospital network and inhibiting communication.’
Last year, the US Food and Drugs Administration ordered the recall of six types of cardiac pacemaker implanted in 465,000 people because they had no protection against hackers. In 2013, former US vice president Dick Cheney said his doctor had disabled the wi-fi function on his cardiac pacemaker because of fears it might be hacked in an assassination attempt.
The American College of Cardiology’s electrophysiology council said cyber-security needs should also be addressed during product testing.
The body that regulates British medical devices, the Medicines and Healthcare Products Regulatory Agency, said that while it was ‘aware of the potential for cybersecurity attacks’, there had been ‘no UK reports of any incidents involving medical devices’.
The agency said there was a ‘theoretical risk’, but it ‘appears to be infinitesimally small’.