Cyberattacks on pacemakers: smart heart devices and their risks

Modern pacemakers and other implantable cardiac devices (CIEDs) offer patients many advantages. They improve quality of life, increase autonomy and can even increase life expectancy. But smart devices also come with risks: hacker attacks on pacemakers. What sounds like the plot of a sci-fi novel is already a potential reality. A recent study by the University of Trier, published in PLOS Digital Health, has now shed light on the danger of cyberattacks on heart implants - and calls for more information for patients.

Are hacker attacks on pacemakers possible?

The short answer is yes. According to the study, CIEDs have known cyber vulnerabilities that have been documented for over a decade. The devices transmit information wirelessly and are connected to the internet via interfaces. This connectivity creates potential points of attack for hackers.
Leanne Torgersen, lead author of the study, explains: "Modern heart implants that transmit wireless information improve the quality of life and autonomy of patients, but can also bring new dangers from cyber attacks."
To date, no case of a successful attack on a patient has been made public. However, according to the researchers, the likelihood of such attacks is increasing.

What can happen in the event of a cyberattack

The consequences of a hacker attack on a heart implant could be serious. The study identifies two main risks: Firstly, sensitive patient data could be lost as a result, and secondly, it could allow strangers to gain control of the implant. In the worst-case scenario, an attacker could manipulate the functionality of the device - with potentially life-threatening consequences. The US Food and Drug Administration (FDA) warned manufacturers back in 2016 about possible crash attacks or battery discharge attacks on certain heart implants.

How can those affected protect themselves?

Unfortunately, the study does not provide any specific recommendations for patients. However, it emphasises the importance of informing patients about possible risks. Heart patients should be aware that their devices may have potential vulnerabilities. Regular software updates and following the manufacturer's safety instructions are therefore advisable.

Are people with pacemakers informed about these dangers?

The researchers see a key problem here: to date, there are no standardised guidelines for informing people at risk about the risks. It is up to the treating doctors to decide whether and in how much detail these topics are discussed when consenting to treatment. Professor Stefan M. Schulz from the University of Trier emphasises: "It is crucial that patients are informed about all possible risks." This not only promotes patient autonomy, but also a therapeutic relationship based on partnership.

What do the authors of the study recommend?

The researchers primarily call for more transparency and standardised information about cyber risks. Specifically, they recommend:

• Cybersecurity risks should become part of patient information and consent to treatment
• Information should be provided on an ongoing basis as new risk information becomes available.
• Healthcare systems need to better prepare for potential security breaches.

They also emphasise that those affected have a right to be informed about possible risks in advance and not after the fact. This is the only way they can make a truly informed decision in favour of or against a heart implant.

In a follow-up study, the team led by Stefan M. Schulz is now investigating what the usual practice is in different countries when it comes to providing information about cyber risks associated with heart implants and how this is experienced by the patients concerned.