Myth or Fact? Your Device Security Questions Answered
While in office as US Vice-President, Dick Cheney had the remote monitoring function of his pacemaker turned off over concerns a malicious hacker could access his device. In 2012, an episode of the TV drama Homeland depicted a faraway terrorist hacking into the fictional US Vice-President’s pacemaker and assassinating him.
It may have made for thrilling TV, but is successful malicious hacking of a cardiac device possible in real life?
Soon after BIOTRONIK first brought Home Monitoring to market in 2000, many patients with a heart implant took advantage of the opportunity for continuous monitoring by their physician to log arrhythmias and get early detection of potential adverse events. The potential benefits are huge, with BIOTRONIK Home Monitoring specifically being linked to a 60 percent reduction in all-cause mortality in heart failure patients. Yet with the new benefits of connected cardiac care came questions about cybersecurity—did those benefits also come with risks?
For BIOTRONIK devices, the short answer is that connected devices have been designed specifically to prevent such attacks. Yet, more than 20 years after BIOTRONIK Home Monitoring’s debut and 10 years after Homeland’s “pacemaker episode” aired, it remains an important question for device patients and a general topic in media reports about remote monitoring-enabled devices.
Can my BIOTRONIK device be hacked to harm me?
All BIOTRONIK implants currently on the market are specifically designed to prevent remote changes in therapy or diagnostics. Not even the patient’s cardiologist could make these changes remotely.
To understand how this design works, it helps to imagine the implant like a house. In real life this house would be rather foreboding, because it only has two tiny windows—and no doors. One of these windows is used exclusively for Home Monitoring, for example by sending out the patient’s health data to the Home Monitoring Service Center, where their cardiologist can review it. The other window is used exclusively for reconfiguring the implant with a specific programming device, which the physician uses only during in-person appointments with the patient.
The window for Home Monitoring leads to a room that has no doors to any other part of the house. It’s also locked almost all the time. The window can only be opened from the inside—by the implant itself. This only happens when the implant needs to send health data, such as when an event has happened or when the implant has gathered its daily statistics to send. The window is so small that nobody can enter the house—even when it’s open. Somebody looking through the window from the outside would only see an empty room and none of the valuables stored in other rooms. Its function thus has no connection to the part of the implant that can reprogram therapy. Reprogramming can only be done through close contact with the patient.
Some implants are also capable of hearing CardioMessengers knocking at the window. A CardioMessenger is a device often found at the patient’s bedside. It relays the implant’s data to the Home Monitoring Service Center. If an implant has the time to spare when it hears a knock, it will have a look through the closed window. If it can confirm that it is a CardioMessenger that has knocked, it will open the window and send the requested health data. Otherwise, the window stays shut. When the implant has no time to spare, it just ignores the knock, making sure that nothing interrupts its important work.
Like all medical devices, BIOTRONIK implants need to be programmed to optimize patient care, for example, when a patient’s condition changes. A cardiologist may adjust pacing thresholds, turn on the device’s MRI AutoDetect if the patient has an upcoming scan, or use other features. That is what the other window of the house is for. This window only opens if the cardiologist holds a specific BIOTRONIK programming device to the patient’s chest so that it is directly over the implant at close range. Once the window is open, the programming device can read data from the implant and change the implant’s settings through that window. Once the cardiologist is done with the reconfiguration, the window is closed again. The window for reconfiguration cannot be opened by CardioMessengers or any device other than the specific BIOTRONIK programming device.
“Needing to be in this kind of close contact effectively means the patient can make sure they’re in the presence of someone they trust to program their device—typically their physician,” says Alan Fryer, Director of Global Product Cybersecurity at BIOTRONIK.
This design means that the patient’s cardiologist can keep track of how the patient is doing by remotely checking the data each individual implant sends to the Home Monitoring Service Center. The data can provide actionable early warning if a potential issue comes up. If that happens, though, the patient needs to visit the physician in person to have their implant reconfigured, because BIOTRONIK implants are, as explained above, specifically designed not to be reconfigurable from far away.
So by design, BIOTRONIK devices are effectively guarded against malicious remote hacking attempts.
Can hackers get at my data?
BIOTRONIK strongly values patient privacy and has designed its products, processes, and organization to keep the patient’s data safe. This starts with only collecting data required to provide valuable patient care. Home Monitoring is thus designed so the data it sends doesn’t contain identifying information such as a patient’s name or birth date. It instead uses device identifiers that the patient’s physician can use to match the data to the patient in question.
Once it leaves the implant, Home Monitoring data travels through the CardioMessenger to the Home Monitoring Service Center. This data in transit is encrypted with individual keys using state-of-the-art cryptographic techniques. It’s also sent via a mobile network that is not connected to or accessible through the Internet. When the data reaches BIOTRONIK, it’s stored securely in a modern data center which the patient’s cardiologist can access only through a secure login.
BIOTRONIK uses an information security management system for operation, support, and administration of the Home Monitoring Service Center. This information security management system is certified according to the international standard ISO/IEC 27001:2017. This certification is independently awarded. Earning it requires that all staff working with patient data be appropriately trained, and that administrative, physical, and technical safeguards are in place—right down to installing specific locks on doors to the facilities. BIOTRONIK is audited several times a year to maintain this certificate. In addition, BIOTRONIK regularly hires external cybersecurity experts to perform so-called “penetration tests,” making sure safeguards are up to date and are continually maintained to be effective. This ensures that security measures are constantly improved and adapted to the changing cybersecurity landscape.
Is there anything I should know about securing my CardioMessenger?
Home Monitoring-enabled implants send their data to the Home Monitoring Service Center using a CardioMessenger, which resembles a smartphone. It’s typically stored in the patient’s home by their bedside, enabling nightly transmissions. As explained above, the CardioMessenger, by design, cannot influence the implant’s clinical function. So even if the CardioMessenger is damaged or gets lost, it has no impact on the patient’s well-being.
Patients do need to ensure their CardioMessenger is powered and positioned appropriately for good communication with their implants, as explained in the user manual. If the CardioMessenger is lost, stolen, or damaged, patients should report it, so that the device can be replaced and remote monitoring restored.
Patient safety and privacy are BIOTRONIK’s number one priority, a commitment that also extends to cybersecurity. With devices that are designed with cybersecurity in mind from the get-go, BIOTRONIK works to ensure both a patient’s physical safety and the safety of patient data.