SIOUX CITY | Since word spread that hackers could potentially take control of a brand of pacemakers -- devices implanted to keep the heart beating at a normal rhythm -- Sioux City cardiologists say they've received a number of phone calls from concerned patients.
Roque Arteaga, a cardiologist who practices with Cardiovascular Associates, said the hypothetical risk that pacemakers could fall victim to cyberattacks has been known for years. He described today's pacemakers as small computers with antennas.
He said Dick Cheney's pacemaker's wireless capabilities were turned off when he was vice president to prevent a potential assassination attempt. A hacker would have to be within 20 feet of a pacemaker and bypass encryption codes in order to gain control, according to Arteaga.
"This is the first time the FDA decided to take action," he said. "The risk is there, but it's the risk that exists with most devices that have an antenna and a computer."
After conducting an investigation, the U.S. Food and Drug Administration (FDA) approved an update to enhance the security of the firmware that runs certain Abbott (formerly St. Jude Medical) pacemakers in effort to reduce the risk of patient harm due to potential cyberattacks.
According to the FDA, 465,000 implantable pacemakers are eligible to receive the update, but there have been no known reports of patient harm related to hacking. Arteaga said it's likely that other medical device manufacturers will introduce their own software updates in the future.
The following St. Jude Medical pacemaker and CRT-P devices have been found to have cybersecurity vulnerabilities: Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure. Implantable cardiac defibrillators or cardiac resynchronization ICDs aren't included in the firmware update.
The FDA says Abbott pacemakers manufactured on and after Aug. 28, 2017, will have the update pre-loaded.
"The risk is so low that I wouldn't recommend from a medical perspective to get the software downloaded," Arteaga said. "If it makes the patient more comfortable, the option exists."
Fayaz Hakim, a cardiologist at Mercy Medical Center -- Sioux City, said hackers would have to have extensive knowledge of pacemaker software in order to alter programming.
"He can stop it. He can start it. He can change the heart rate. He can do anything, provided he has the information," he said. "It should be an unusual circumstance that somebody who doesn't know about these things would be able to hack into this system."
Hakim said some firmware updates have already been performed at the Mercy Heart Center. He said Mercy is notifying patients about the cybersecurity issue by letter. Cardiovascular Associates, which provides UnityPoint Health-St. Luke's cardiology services, is doing the same.
"Nobody has to freak out. Their pacemaker is going to function whether they would update it or not," Hakim said. "It's not that they have to do it right now. They can do it when they are due for their scheduled pacemaker check."
The firmware update requires an in-person patient visit with a health care provider. The update process takes about three minutes to complete. During this time, the FDA says the device operates in backup mode, pacing at 67 beats per minute. Once the update is complete, the device will return to its pre-update settings.
According to the FDA, there is a very low risk of an update malfunction, including complete loss of device functionality. In those rare cases, Arteaga said the pacemakers would have to be replaced.
"I don't know if I would want to risk that the device could potentially malfunction and then I have to have a procedure because of a hypothetical, theoretical risk," he said. "For patients that feel too anxious about this and they are threatened, the software is available."