- Adrian Baranchuk, MD,
- Marwan M. Refaat, MD,
- Mina K. Chung, MD,
- John D. Fisher, MD and
- Dhanunjaya Lakkireddy, MD∗
- ∗The Kansas City Heart Rhythm Institute @ HCA MidWest, Overland Park Regional Medical Center, 12200 West 106th Street, Overland Park, Kansas 66215
We thank Dr. Tully and colleagues for their insightful comments on our paper and their perspective on cybersecurity issues of connected devices (1). They felt that firmware patches to all these “unprotected” devices are a lesser risk than inaction. While we appreciate the breadth of the problem that cyberattacks can cause on connected devices, there are several unknowns that simply are not trivial and cannot be ignored. Our recommendations at a societal level obviously were based on consideration of all these possibilities. We would like to highlight the following:
1. Up to May 2018, there have been no real cases of hacking of cardiac devices. The only attempt to scientifically reproduce the Muddy Waters case (2) failed to produce any serious harm (3) despite an obvious financial agenda.
2. The quotes for “device malfunction” risks at the time of firmware upgrade in the Abbott report are mere conservative estimations. No “real-world” experience of this exercise is available yet to understand its true impact on device function. Before starting the firmware upgrades, many centers around the world, including ours, have quoted the company-provided estimations (4). We encourage well-informed shared decision making. This includes explaining to patients that, unlike hospital networks, individual cardiac devices have limits on how much of their functionality can truly be affected by a malicious attack.
One of the principles in medicine is primum non nocere. We would rephrase the authors’ perspective and summarize as “we do not know at present whether the problem is worse than the solution.” For now, we must rely on the possibilities of technology and the estimates made by the manufacturers.
We are not sure that the analogy of cardiac device cybersecurity to infectious diseases and vaccinations is accurate, although it is dramatic. It takes decades after a disease strikes in a community until epidemiological and physiopathological mechanisms are properly understood. From that point to vaccination release takes several years or decades; however, we are not aware of any group in the world working on a vaccine for a disease that has not struck yet.
In addition, to continue the analogy, the “vaccine” (in this case, the “patch”) was released without a proper analysis of its adverse effects (in this case “the real impact of firmware upgrades”). The American College of Cardiology’s Electrophysiology Section agrees with other medical and cybersecurity experts about the need to pursue comprehensive, proactive, and robust protection for cardiac devices. In the meantime, we shall continue to educate our patients about the differences between “possible” and “probable” but continue to work with manufacturers to improve the security of these devices.
Please note: The authors have reported that they have no relationships relevant to the contents of this paper to disclose.
1. Baranchuk A., Refaat M., Patton K.K., et al.; American College of Cardiology’s Electrophysiology Section Leadership
2. Muddy Waters LLC. MW is Short St. Jude Medical (ST: US), August 25, 2016. Available at: http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/. Accessed June 1, 2017.
3. Ransford B., Kramer D.B., Foo Kune D., et al.
4. Abbott. Cybersecurity update. Available at: https://www.sjm.com/en/patients/arrhythmias/resources-support/cyber-update?clset=af584191-45c9-4201-8740-5409f4cf8bdd%3ab20716c1-c2a6-4e4c-844b-d0dd6899eb3a. Accessed September 1, 2017.