The Heart Rhythm Society Releases Communication Strategies for Cybersecurity Threats to Cardiovascular Implantable Electronic Devices

Proceedings statement presented at Heart Rhythm 2018 and published in HeartRhythm

May 08, 2018

Media Contact

Catherine Llamido
(301) 538-3836
Megan Fricke
(404) 895-5024

Today, the Heart Rhythm Society (HRS) released communication recommendations to help health care professionals understand and prepare for potential cybersecurity vulnerabilities of cardiovascular implantable electronic devices (CIEDs). The proceedings statement outlines four key communication themes: when to notify patients, whom to notify, how to communicate with patients, and what elements to discuss with patients. The statement will be presented on Thursday, May 10, at Heart Rhythm 2018, the Heart Rhythm Society's 39th Annual Scientific Sessions.

The relative novelty of cybersecurity threats in CIEDs is raising questions among patients and the heart rhythm care community. The rapidly changing health care environment and increasing global interconnectivity expose information technology to vulnerabilities. Hackers can potentially use these vulnerabilities to gain unauthorized access to medical equipment. 

The proceedings statement includes detailed guidance on patient-centered communication strategies when a specific threat is identified. The authors first call for an assessment of the threat by experts from manufacturers and U.S. federal agencies. If a vulnerability is validated, the discussion between the health care professional and patient should include five topics: 

  • Potential consequences if the vulnerability is exploited
  • Strategies to mitigate the risks
  • Technical challenges to exploiting the vulnerability
  • Long-term solutions to eliminate the threat
  • Benefits provided by the CIED compared with the risk if the vulnerability is exploited 

The authors note that if the claim of a new vulnerability is released directly to the public, instead of directly to the manufacturer or the U.S. Food and Drug Administration (FDA), there is the potential for a period of uncertainty and anxiety during the evaluation of the claim. U.S. federal agencies and manufacturers must rapidly assess both the validity of the claim and the potential risks to patients to prevent improper action or exploitation of the situation.  

"As we look ahead and plan for ways to deal with potential risks to CIEDs, preparedness is the best approach," said lead author David Slotwiner, MD, FHRS, New York-Presbyterian Queens.

"Like other technology such as smartphones or computers, device software needs to be regularly updated. As health care professionals, we are inclined to first address hardware issues with the battery or leads, but the software is equally important. The health care community must reach a point where routine software updates are considered the standard of care to minimize the threat and ultimately eliminate risks." 

The authors also state the importance of managing patient expectations at the time of implant.  Patients should know that CIEDs will require software updates until the battery is depleted. By educating patients prior to CIED implant and in advance of a threat announcement, patients will have a better understanding of the systems and be more prepared to respond to a potential vulnerability. HRS will work with its partners to help educate health care professionals on best practices for patient-centered conversations and mechanisms to minimize cybersecurity risks.

The statement captures the proceedings of the 2017 Leadership Summit on Cybersecurity Vulnerabilities: Communications Strategies for Clinicians and Patients that was attended by patient representatives, subject matter experts, HRS and American College of Cardiology (ACC) leadership, FDA and Federal Bureau of Investigation (FBI) officials, and leadership from CIED manufacturers. 

The full document was published today with an accompanying editorial commentary in the online edition of HeartRhythm, the official journal of HRS. To review the full document and editorial commentary by FDA, please click here.

Session details:
"Special Session. B-SP09 – Cybersecurity and Implantable Medical Devices: Cybersecurity Vulnerabilities of Cardiovascular Implantable Electronic Devices" [May 10, 2018, 10:30 a.m. – noon EDT, Room 206] 

Heart Rhythm 2018 is the most comprehensive educational program for heart rhythm professionals, featuring more than 200 educational sessions and more than 140 exhibitors showcasing innovative products and services. The Heart Rhythm Society's Annual Scientific Sessions have become the must-attend event of the year, allowing the exchange of new vital ideas and information among colleagues from every corner of the globe. For more information, visit www.HRSsessions.org.  

# # # 

About the Heart Rhythm Society

The Heart Rhythm Society is the international leader in science, education, and advocacy for cardiac arrhythmia professionals and patients, and the primary information resource on heart rhythm disorders. Its mission is to improve the care of patients by promoting research, education, and optimal health care policies and standards. Incorporated in 1979 and based in Washington, DC, it has a membership of more than 6,000 heart rhythm professionals in more than 72 countries around the world. For more information, visit www.HRSonline.org.