Cybersecurity Concerns and Medical Devices: Lessons From a Pacemaker Advisory

Medical devices increasingly include capabilities for wireless communication and remote monitoring systems that relay clinical information from patients to clinicians. For example, many cardiac implantable electrical devices can transmit data regarding arrhythmia burden and heart failure metrics with minimal patient effort. This technology can improve patient care, but also introduces possible risks to data security and patient safety. In August 2017, the US Food and Drug Administration (FDA) issued a safety communication regarding potential cybersecurity concerns involving malicious interference with battery life or essential programming functions in several pacemaker models made by St Jude Medical which was acquired by Abbott in January 2017). In general, the FDA issues safety alerts to inform the public of a risk of substantial harm from a medical device in commercial use. By contrast, recalls are issued when the corrective action taken by the manufacturer targets a problem with a reasonable likelihood of causing harm.