ICD-Cybersecurity.

Medical device cybersecurity has gained increasing attention in recent years. While many devices have been targeted, security vulnerabilities in cardiac implantable electronic devices (CIEDs) are of particular concern as implantation of these devices is invasive and patients can be reliant upon these devices for life-sustaining therapy. The first major incident with CIEDs that received wide-spread attention occurred in 2016, when Muddy Waters LLC, in conjunction with vulnerability research firm MedSec, issued a report identifying potential cybersecurity concerns in several models of St. Jude Medical's (now Abbott) pacemakers following demonstration of a "crash attack" and a "battery drain attack". Replication of these attacks under experimental conditions failed to produce any clinical harm. The publication of this report prompted Abbott, in conjunction with the United States Food and Drug Administration (FDA), to release a firmware upgrade with enhanced cybersecurity features. As part of this release, Abbott published estimated rates of complications extrapolated from similar circumstances, which included complete loss of device function, loss of programmed device settings, and failure of the update, among others. As there had been no instances of patient harm and a small but non-negligible risk involved in the firmware upgrade, clinicians were asked to utilize a shared decision-making model when deciding whether to pursue the upgrade and to take individual factors such as pacemaker dependence and age of the device into account. Since that time, additional data have been collected on complications rates and patient attitudes toward the upgrade. Saxon et al. analyzed a population of 10,854 patients who were offered the firmware upgrade in the United States. Of those, only 25% elected to proceed once the risks and benefits were explained.