
The first widespread cybersecurity advisory involving a permanent medical device implant offers lessons learned, discussed in a December 5, 2017, viewpoint in JAMA. FDA first alerted the public that St. Jude Medical's (now Abbott) pacemakers were susceptible to hacking in January 2017 (see HRC Alerts, January 18, 2017: FDA: Implantable Cardiac Devices Are Vulnerable to Cybersecurity Threats). In August 2017, FDA issued a notice indicating that corrective action was needed to install a firmware patch on more than 450,000 of the devices. The JAMA article discusses ways FDA and industry could have improved the response to this issue and might respond better to similar device-related issues in the future. When news of the device's safety issues was reported, the article said, many patients with unaffected pacemakers made by other companies understandably wondered whether their own devices were also vulnerable. Research suggests that these fears may have been well founded unless those devices had cybersecurity defenses built in before implantation, the article said. Perhaps, the authors suggest, FDA should have communicated whether an industry-wide concern existed, thereby reassuring patients using different, unaffected pacemakers. FDA and industry could also have undertaken a joint pilot initiative to take corrective action on the vulnerabilities. The true rate of malfunction may not be known until tens of thousands of devices have been upgraded, the article said; a joint project gathering feedback in real time could have helped determine the best way to implement future software updates. The authors credit FDA for collaborating with cybersecurity experts over the past several years. "However," the authors said, "the experience with this pacemaker advisory should serve as a reminder to the broader clinical community that an entirely new class of potential medical device malfunction is likely to become increasingly common. Patients and clinicians need to appreciate these risks alongside the convenience and diagnostic and therapeutic potential of remotely connected devices."

HRC Recommends: FDA has called medical device cybersecurity "a shared responsibility among stakeholders including health care facilities, patients, providers, and manufacturers." FDA issued guidance focusing on manufacturers' responsibilities, emphasizing the need to monitor for vulnerabilities and make "timely" updates to correct them. In addition, FDA calls for manufacturers to establish a "robust" software life cycle that includes monitoring for the effect of third-party software vulnerabilities. In evaluating potential cybersecurity threats, FDA recommends a risk management model that includes assessing how easily the vulnerability could be exploited, how easily an attack could be detected, and the effect an attack would have on patient health and outcomes. FDA sets out recommendations for the timeliness of response based on the degree of patient harm anticipated, from negligible to severe. Although FDA's guidance is directed mostly toward manufacturers and their responsibilities, risk managers and others responsible for cybersecurity at the healthcare organization should review the document and be familiar with its concepts. If an organization identifies cybersecurity vulnerabilities, the problems should be promptly reported to the manufacturer and to outside entities such as a patient safety organization or ECRI Institute's Problem Reporting Network.

Topics and Metadata

Topics

Health Information Technology; Biomedical Engineering

Care Setting

Hospital Inpatient; Hospital Outpatient

Clinical Specialty

Cardiovascular Medicine

Roles

Corporate Compliance Officer; Risk Manager; Information Technology (IT) Personnel; Biomedical/Clinical Engineer

Information Type

News

Publication History

Published December 13, 2017

Who Should Read This

Clinical/biomedical engineering, Health information management; HIPAA security officer; Information technology; Risk manager