Underestimated risk

Cybersecurity threat to remote monitoring devices

Remote monitoring devices and pacemakers supporting patients with cardiac conditions such as heart failure could be vulnerable to cyberattack, according to leading expert Dr Tuvia Ben Gal. While acknowledging the overall therapeutic benefits of such devices, he remains concerned that not enough attention is given to addressing the potential cybersecurity risk.

Report: Mark Nicholls

portrait of Tuvia Ben Gal
Dr Tuvia Ben Gal

Major issues are manufacturers often not factoring in cybersecurity, medical guidelines overlooking the matter, and healthcare providers being uninformed about the security risks and unfamiliar with the methods for evaluating those risks, he pointed out during a session at the ESC Digital Summit 2021. 

Focusing on telemedicine, monitoring devices, pacemakers, implantable cardioverter-defibrillators (ICDs), cardiac resynchronization therapy (CRT) devices, and left ventricular assist devices (LVADs), he explained that modern communication technologies for the monitoring and management of patients improve outcomes and reduce costs. The devices allow for monitoring and assessment of a patient’s condition by both unidirectional data transmission from the patient to the healthcare provider and bidirectional communication features. The latter are designed to facilitate active intervention or electronical manipulation of the device with the aim of improving the clinical condition of the patient is not yet being applied. However, due to unresolved security issues, this also opens potential gateways for unauthorised access. Dr Ben Gal cautioned: “While healthcare providers are aware of the clinical benefits and downsides of medical devices, they are frequently uninformed of the security risks and unfamiliar with the methods for evaluating those risks.” As a result, many patients remain uninformed because they rely on information supplied by the medical team.

Recommended article


IT security

Cyber attack: Be prepared!

Ransomware attacks are a highly profitable and flourishing business in the 21st century. They can have a drastic impact on hospitals, clinical laboratories, and patients. The Sophos Group, a British security hard/software company, has reported survey responses from 328 healthcare IT managers in 30 countries.

Gap in guidelines

Expressing concern that cybersecurity is not addressed in guidelines, Ben Gal posed the question of whether the security risk outweighs the clinical benefit of the device. During the ESC presentation, he outlined what is needed for protection against these security risks to ensure safe telemedicine implementation. These included: 

  • collaboration between all parties using remote technology; 
  • awareness of cybersecurity issues in telemedicine among the medical team; 
  • establishment of institution-wide security standards, such as for data encryption; 
  • frequent software updates and antivirus data scanning; 
  • using proper authentication; and 
  • creating and adopting local cybersecurity regulations.

While he acknowledged the role of public video conferencing platforms, especially during the first phase of the pandemic, the IT expert stressed that going forward, only products specifically assigned for healthcare video conferencing with adequate cybersecurity should be used. 

To illustrate his point, Dr Ben Gal expanded on devices used to monitor heart failure patients. Covering a range of parameters, such as haemodynamic and clinical data, pulmonary artery and left atrial pressure, bodyweight, and lung water content, these devices transmit captured data to a healthcare centre. This data is potentially vital, he explained, as it can initiate a change in therapy, if, for example, a certain threshold in one of the parameters is crossed. Therefore, the data must be protected, not only from transmission-related corruption, but also ransomware attacks encrypting the medical data and demanding payment to unencrypt the information withheld. Any such damage to the data’s integrity can have serious consequences such as interrupting device performance, impacting patient management and potentially causing harm, Dr Ben Gal pointed out. Manufacturers and companies therefore carry a great responsibility to ensure appropriate security of the monitoring device and should be encouraged to publish data on security tools for open review.

Establishing a (safe) remote kill switch for ICDs

New pacemakers should include enhanced cybersecurity properties, enabling bidirectional communication between the patient and the medical team

Tuvia Ben Gal

Newer pacemaker models, which can transmit data by unidirectional communication for remote follow-up, are equally vulnerable to cyberattack, the expert cautioned – although he noted that fortunately, no cyberattacks have been reported on pacemaker technology so far. 

During the Covid-19 pandemic, another issue has emerged: At a certain point, ICDs must be deactivated for increasingly frail cardiac patients or those developing terminal illness, to prevent the implant from automatically administering dangerous shocks. However, most devices require the patient to be transported to a hospital for the deactivation – a considerable risk, especially for terminally-ill patients. Dr Ben Gal said therefore pointed out the need for remote deactivation functionality of the devices, with strict security procedures in place. “New pacemakers should include enhanced cybersecurity properties, enabling bidirectional communication between the patient and the medical team,” he said. 

The benefits outweigh the risks

The expert also stated the need to enhance cybersecurity properties in LVADs, which use bidirectional communication for remote device adjustments to help reduce complications and hospital visits. 

While there was a risk of cyberattack, Dr Ben Gal concluded that the benefits these sophisticated devices bring for heart failure patients still significantly outweigh the drawbacks, greatly helping upgrade the quality of care. However, he added: “Medical agencies should provide clear regulations for cybersecurity in the manufacturing process of every medical device.” 


Dr Tuvia Ben Gal is the director of the Heart Failure Unit of the Cardiology Department at Rabin Medical Center, Petah Tikva, and Tel Aviv University, Israel, where he is author of multiple peer-reviewed scientific papers and presents works at many national and international conferences.


Read all latest stories

Related articles


CeBIT’s theme: Work and Life with the Cloud

The new cloud hovering over the IT industry bodes pleasant and sunny business weather. Reason enough for the organisers of CeBIT 2011, the large international IT event held in Hanover this March, to…


On scandinavian tracks

The World of Health IT 2008 Conference & Exhibition is an innovative and forward-thinking event designed to deepen the understanding of specific healthcare ICT markets in Europe.


A new tool for biochemical analyses

Although telemedicine could improve the quality of life of patients with chronic liver diseases, viable home care systems are still lacking. However, within the EU-project ‘d-LIVER’…

Related products

Siemens Healthineers - teamplay myCare Companion

Business Intelligence

Siemens Healthineers - teamplay myCare Companion

Siemens Healthineers
Image Information Systems – iQ-WEB RIS


Image Information Systems – iQ-WEB RIS

IMAGE Information Systems Europe GmbH
Nexus/Chili – Telemedicine Record

Portal Solution

Nexus/Chili – Telemedicine Record

Nexus/Chili GmbH
Swissray - Cortex Protection Software

Utilities / Add-ons

Swissray - Cortex Protection Software

Swissray Technologies AG
Agfa HealthCare – Dose

Dose Management Systems

Agfa HealthCare – Dose

Agfa HealthCare
Agfa HealthCare – DR 14e detector

DR Retrofit

Agfa HealthCare – DR 14e detector

Agfa HealthCare
Subscribe to Newsletter