The US Food and Drug Administration announced today that 465,000 pacemakers have a security vulnerability that could be exploited to make the devices operate too quickly or deplete their batteries, and that these devices need firmware updates to keep them from getting hacked.
“Many medical devices – including St. Jude Medical’s implantable cardiac pacemakers – contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates,” the recall said.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” it added.
The recall said potential hackers could harm patients by changing the programming of the pacemakers.
“This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the recall said.
The FDA said it has received no reports of anyone hacking the devices that are being recalled.
The update affects about 465,000 devices in the United States and another 280,000 devices outside the U.S., according to Abbott spokesperson Candace Steele Flippin.
“The pacemaker devices to which this update applies include the RF telemetry versions of the following devices in the U.S.: Accent SR RF™, Accent MRI™, Assurity™, Assurity MRI™, Accent DR RF™, Anthem RF™, Allure RF™, Allure Quadra RF™, and Quadra Allure MP RF™,” the company said on its website.
Patients with pacemakers will need to visit their health care providers for a firmware update, which the FDA said will take about three minutes.
The pacemaker will not need to be removed, the FDA said.
“All industries need to be constantly vigilant against unauthorized access. This isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems,” said Robert Ford, the executive vice president of medical devices at Abbott.
Abbott said in a statement that patients are not likely to be hacked.
“The risk of hacking is extremely low – in fact, the U.S. Department of Homeland Security said that compromising the security of these devices would require a highly complex set of circumstances. The FDA and Abbott recommend that patients talk to their doctors during their next regularly scheduled visit about the firmware update,” the statement said.