Communication Strategies For Addressing Cybersecurity Vulnerabilities of CIEDs
Communication recommendations to assist health care professionals in understanding and preparing for potential cybersecurity vulnerabilities of cardiovascular implantable electronic devices (CIEDs) are outlined in a statement released May 8 in HeartRhythm and presented during the Heart Rhythm Society's 39th Annual Scientific Sessions.
The statement is the result of a 2017 Heart Rhythm Society Leadership Summit on Cybersecurity Vulnerabilities: Communications Strategies for Clinicians and Patients. It highlights several factors, including the "interconnectedness of the health care environment" and the "common persistence of outdated and unsupported software" that make CIEDs particularly vulnerable to exploitation. Given these factors, patients with CIEDs can feel particularly vulnerable and are turning to their health care professionals for guidance.
The authors highlight the importance of educating patients prior to CIED implant, and in advance of an announcement of a specific vulnerability or threat, so that they understand the systems in place to quickly assess and respond to potential vulnerabilities and are less likely to fall prey to those seeking to exploit patient fears.
"As we look ahead and plan for ways to deal with potential risks to CIEDs, preparedness is the best approach," said lead author David Slotwiner, MD, FACC. "The health care community must reach a point where routine software updates are considered the standard of care to minimize the threat and ultimately eliminate risks."
The statement recommends that experts from manufacturers and federal agencies, such as the U.S. Food and Drug Administration (FDA), be the first line of defense in assessing a threat. From there, if vulnerability is validated, they suggest that health care professionals can then serve a critical role in assisting patients to interpret the significance of a cybersecurity vulnerability, the relative risks and benefits of continuing to receive therapy from the potentially affected device and deciding if they will pursue a mitigation strategy.
Five topics of discussion between the health care professional and patient should include:
- Potential consequences if the vulnerability is exploited
- Strategies to mitigate the risks
- Technical challenges to exploit the vulnerability
- Long-term solutions to eliminate the threat
- Benefits provided by the CIED compared with the risk if the vulnerability is exploited
"Medical societies and health care professionals are important resources not only to our patients, but to manufacturers and the FDA," said Mary Norine Walsh, MD, MACC, immediate past ACC president and an author on the statement. "We are on the front lines of care and can help to ensure communications are consistent, accurate and effective."
"As a community, we need to continue to promote education, awareness and engagement to address the challenges with strengthening medical device cybersecurity," write William H. Maisel, MD, MPH, et al., in a corresponding editorial from the FDA. "The FDA encourages continued collaboration among the manufacturers, government agencies, researchers, professional societies, health care providers and patients to employ a risk-based approach to assessing vulnerabilities and implementing routine software updates that promote good cybersecurity hygiene to protect patients."
Keywords: ACC Advocacy, Standard of Care, United States Food and Drug Administration, Societies, Medical, Computer Security, Health Personnel, Software, Risk Assessment, Arrhythmias, Cardiac
< Back to Listings