December 5, 2017

Cybersecurity Concerns and Medical Devices: Lessons From a Pacemaker Advisory

Author Affiliations
  • 1Harvard Medical School, Richard A. and Susan F. Smith Center for Outcomes Research in Cardiology, Beth Israel Deaconess Medical Center, Boston, Massachusetts
  • 2College of Engineering, University of Michigan, Ann Arbor
JAMA. 2017;318(21):2077-2078. doi:10.1001/jama.2017.15692

Medical devices increasingly include capabilities for wireless communication and remote monitoring systems that relay clinical information from patients to clinicians. For example, many cardiac implantable electrical devices can transmit data regarding arrhythmia burden and heart failure metrics with minimal patient effort. This technology can improve patient care, but also introduces possible risks to data security and patient safety.

In August 2017, the US Food and Drug Administration (FDA) issued a safety communication regarding potential cybersecurity concerns involving malicious interference with battery life or essential programming functions in several pacemaker models made by St Jude Medical (which was acquired by Abbott in January 2017).1 (Cybersecurity refers to the prevention of unauthorized access, modification, or use of information stored or transmitted by medical devices or networks.) An estimated 450 000 or more patients with these permanently implanted, life-sustaining devices may be affected. As software and remote monitoring become embedded in more medical devices, such as diabetes management systems and sleep apnea devices, cybersecurity concerns will inevitably increase the risk of advisories affecting a wider scope of patients. Therefore, it is important to consider the ways in which patients and clinicians might prepare for such events, and the optimal ways for manufacturers and the FDA to engage the public around this emerging area of postmarketing surveillance.
