Recall Highlights Medical Device Cybersecurity Issues
On August 29, the FDA announced a recall of 465,000 implantable pacemakers, citing concerns that hackers may be able to take control of the pacemakers’ settings. This would open patients up to danger from improper pacing or rapid depletion of the devices’ batteries, according to the FDA’s statement. Instead of removing and replacing the pacemakers, the recall is designed so that doctors will install a firmware upgrade that removes the vulnerability.
Newsfactor reports that there have been no reported exploits of the vulnerability and no devices have yet been compromised.
The recall highlights that medical device manufacturers are beginning to take a more focused approach to cybersecurity. Mac McMillan, CEO of privacy and cybersecurity firm Cynergistek, told Modern Healthcare that “If devicemakers didn’t already have developers sitting around looking at cybersecurity, they now have to incur the costs of making sure their devices stay current. In the past, they’ve developed devices and put them on the market and moved onto the next device. This is a new thing for them.”
Mike Kijewski, CEO of medical device security company Medcrypt, also suggested that the FDA should update its regulations to help medical device companies stay on top of cybersecurity threats. “If the FDA can say you’re just doing the update for cybersecurity and the changes are minimal and the functionality of the device isn’t changing, they can make the update happen faster,” Kijewski suggested.
Canada’s equivalent of the FDA, Health Canada, is still looking into the vulnerability and its proposed solution, and has set a target of 75 days to resolve the situation.

Researchers Announced A New Implantable Energy Storage System Powered By The Patient’s Body
UCLA announced that scientists from UCLA and the University of Connecticut designed a new form of energy storage for powering implantable medical devices that do not require a battery. According to the announcement, this design makes it possible for implantable medical devices to be powered by a patient’s own body.
The announcement notes that many powered implantable medical devices, such as pacemakers, contain traditional batteries, which limit the lifespan of a device to the lifespan of the battery. According to the Mayo Clinic, the battery of a pacemaker typically lasts five to 15 years, and needs to be replaced by surgery when it runs out. According to an editorial in the BMJ (formerly the British Medical Journal), “[o]ver half of all patients with pacemakers require a replacement procedure because the batteries have reached their expected life. Some 11-16% need multiple replacements.” Moreover, the article notes that batteries make the implantable device bulky and contain toxic chemicals, which can be harmful to the patient if they leak.
According to UCLA, the new energy storage system is called a biological supercapacitor, which operates on electrolytes in the patient’s body, for example, in blood and urine, and eliminates the need for a traditional battery in an implantable medical device. The researchers state that the biological supercapacitor can be combined with “an energy harvester” to also convert heat and motion of the patient into electricity to be captured by the supercapacitor.
Although the announcement states that supercapacitors are currently not widely used in implantable device technology, Maher El-Kady, a UCLA postdoctoral researcher and a co-author of the study, commented:
“In order to be effective, battery-free pacemakers must have supercapacitors that can capture, store and transport energy, and commercial supercapacitors are too slow to make it work. Our research focused on custom-designing our supercapacitor to capture energy effectively, and finding a way to make it compatible with the human body.”
More details of the research team’s design can be found in a paper recently published in Advanced Energy Materials.

“World’s Smallest Pacemaker” Experiences Sizeable Success
Medtronic recently announced continued success with what it describes as “the world’s smallest pacemaker.” The Micra® Transcatheter Pacing System (TPS) is less than one-tenth of the size of traditional pacemakers (examples of each type of pacemaker, both produced by Medtronic, are shown to the left). Medtronic states that the device provides select patients suffering from bradycardia with a minimally invasive treatment approach.
The Micra TPS, which is comparable in size to a large vitamin (as seen to the right), attaches to the heart with small tines and delivers electrical impulses that pace the heart. Thanks to its size and wireless technology, the Micra TPS does not require leads under the patient’s skin. As such, the Micra TPS eliminates potential sources of complications that may be associated with more traditional pacemakers. Artist’s renderings comparing the Micra TPS and a traditional pacemaker when implanted are shown below.
Following what Medtronic describes as “the largest and longest clinical evaluation of leadless pacing patients to date,” the company released several statistics from its Micra TPS Global Clinical Trial that highlight the device’s long-term successes, including:
- 96% freedom-from-complication rate
- When compared to traditional pacemaker systems, the risk of
  - major complications was reduced by 48% across all patient subgroups including age, gender and comorbidity
  - hospitalization was lowered by 47%, and
  - revision procedures was 82% lower
- The battery is projected to last an average of 12 years, based on data from 644 patients who have had the device for at least 12 months.
Regarding these results, John Liddicoat, M.D., senior vice president at Medtronic, stated:
“The Micra TPS continues to deliver safe and effective pacing, while also providing a less invasive alternative to conventional pacemakers . . . . The Micra TPS has also shown a significant reduction in healthcare utilization compared to conventional pacemakers, which is promising for clinicians looking to adopt cost-effective therapies to improve patient outcomes.”
These statistics follow preliminary results published in the New England Journal of Medicine in November 2015, showing that the Micra TPS was successfully implanted in 99.2% of patients. Medtronic interprets the studies as demonstrating consistent and sustained results from early performance through 12-month follow-up.
Dr. John Hummel, a cardiologist who participated in the clinical trials, explains his view that Medtronic’s wireless pacing technology is the future of pacemaker therapy.
“We are looking at the beginning of the future . . . . We will no longer pace the heart in the way we have in the last 20 to 30 years. This is fundamentally a paradigm shift in how we’ll deliver this therapy.”
The Micra TPS was awarded its CE Mark in April 2015. Additionally, the device was approved by the FDA for use in the United States in April 2016. The device is presently the only leadless pacemaker approved for use in both the United States and Europe.

Hackers Steal 600K Records from Health Care Firms – Could Your Wearable Device Be Next?
Security firm InfoArmor published a report in late July 2016 stating that a group of attackers infiltrated American health care institutions, stole at least 600,000 patient records and attempted to sell more than 3 terabytes of the associated data. In an interview with eWeek, chief intelligence officer Andrew Komarov noted that the hackers he investigated were able to compromise different health care institutions such as private clinics, vendors of medical equipment, and suppliers. Once inside the compromised systems, the hackers were able to take personally identifiable information and medical data, including imaging data (as shown to the right).
Komarov’s research should come as no surprise in view of a report issued by the Brookings Institution in May 2016 reporting that 23% of all data breaches occur in the healthcare industry. In fact, nearly 90% of healthcare organizations had some sort of data breach between 2013 and 2015, costing the healthcare industry nearly $6.2 billion.
According to a Bloomberg BNA report, while a number of legal mandates exist (e.g., the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology Certification Program, and the Food and Drug Administration’s (FDA) premarket review), the existing guidelines are limited. Furthermore, medical devices face certain unique cybersecurity pitfalls. For example, while HIPAA applies to protect health information regardless of where it’s stored, protected health information that exists on disposed-of or nonfunctional medical devices can be overlooked.
Connected medical devices (i.e., medical devices that can transmit information through the internet or a networked system) also pose unexpected risks and challenges. For example, the ability of hackers to remotely access connected medical devices can hypothetically result in significant threats to patient health and safety. A 2012 episode of the television show Homeland featured a character hacking into and manipulating the pacemaker of the fictional vice president. While such situations seem far-fetched, in an interview on “60 Minutes,” it was revealed that Vice President Dick Cheney’s doctor had actually disabled the wireless functionality of his heart implant, fearing that it might be hacked in an assassination attempt.
While such fears may seem fueled by paranoia, recent studies have shown that such security threats may be a real concern. Bloomberg Businessweek reported in November 2015 that the Mayo Clinic engaged a number of high-profile “white hat” hackers to conduct a study of cybersecurity vulnerabilities in their medical devices. These “white hat” hackers worked on a number of different medical devices, including cardiac monitors, infusion pumps, and hospital beds. In one alarming example, one hacker was able to gain control of an infusion pump – the Hospira Symbiq Infusion System – and was able to remotely cause it to deliver a potentially lethal dose of medication. Shortly thereafter, the FDA issued a safety notice recommending a recall and discontinued use of the aforementioned pump.
With increasing concerns about cybersecurity, as discussed on this blog previously, the FDA is currently seeking comment on proposed guidelines that outline when software changes to medical devices would require manufacturers to submit a premarket notification.

FDA Approves First App-Based Pacemaker Monitor
Medtronic, a medical device manufacturer based in Dublin, Ireland, recently announced FDA approval and U.S. commercial launch of its MyCareLink Smart Monitor, the first app-based remote monitoring system for implantable pacemakers.
According to Medtronic, the MyCareLink Smart Monitor includes a handheld portable device reader paired with a MyCareLink Smart mobile app on a smartphone or tablet. The portable device reader receives pacemaker data (when placed in close proximity to the implanted device), and communicates with the mobile app on a smartphone. The data can then be transmitted to the patient’s physician or clinic (e.g., through cellular or Wi-Fi service). The MyCareLink Smart Monitor also allows patients to create personal profiles on the MyCareLink Connect Website and receive reminders, confirmations, and notifications about their data transmissions. HIT Consultant reports that the MyCareLink Smart Monitor will allow for faster treatment, reduced time in clinical care facilities, and potential improvements in survival rates.
Regarding the approval, Darrell Johnson, Vice President and General Manager of the Connected Care business in the Cardiac and Vascular Group at Medtronic, stated:
“As a leader in remote cardiac monitoring, Medtronic is committed to providing cardiac patients with the latest technology to improve their health and make their lives easier, while helping to reduce the costs of healthcare. The MyCareLink Smart Monitor is just the first of many innovative solutions we are developing that leverage smart technology to increase patient engagement.”

Medtronic Acquires Surgical Site Infection Developer TYRX for $160 million
According to a Medtronic press release, Medtronic is acquiring TYRX, Inc. for an initial payment of $160 million plus potential future milestones. According to TYRX’s website, TYRX is the developer and manufacturer of “innovative, implantable, combination drug+device products that utilize novel biomaterials.”
According to TYRX’s website, the company has developed the recently FDA-cleared AIGISRx® R Fully Resorbable Antibacterial Envelope, designed to reduce surgical site infections associated with cardiac implantable electronic devices, such as AICDs. TYRX’s website also describes its AIGISRx® N Antibacterial Envelope, for use with spinal cord neurostimulators.
The press release quotes Pat Mackin, President of the Cardiac Rhythm Disease Management business and Senior Vice President at Medtronic:
“While the risk of infection from an implanted pacemaker or defibrillator is low for most patients, repeated operative procedures after the initial device implant are associated with a substantial incremental risk of infection. This is estimated to cost the U.S. healthcare system more than $1 billion per year . . . . TYRX has developed an innovative, proven technology to reduce infection risk, making the procedure safer for patients and removing significant costs from the healthcare system.”
The press release also quotes TYRX President and CEO Robert White: “We look forward to joining Medtronic as part of a combined portfolio that can positively impact outcomes for patients by reducing implant-related infections, and bring value to our customers.”