This week, the FDA announced a firmware update for certain cardiac pacemakers, intended as a recall to reduce the risk of these devices getting hacked.
Implantable cardiac pacemakers from Abbott—formerly called St. Jude Medical—could be hacked and used to deliver shocks to users, according to filings in a court case against the medical device manufacturer in October 2016. The devices have been implanted in some 400,000 patients.
The case, brought against the manufacturer by MedSec and Muddy Waters, claimed that cyber attacks could disable the pacemakers, deplete their batteries, or even weaponize them to shock patients from 10 feet away.
"The pacemaker's authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications," the US Department of Homeland Security said in an advisory statement on Tuesday.
An attacker with high skill would be able to exploit these vulnerabilities, the department noted; however, there have been no reports of unauthorized access to a patient's device.
The firmware update includes a Battery Performance Alert for the devices that provides physicians with earlier warnings for the potential of battery depletion. It will also implement "RF wake-up" protections, and limit the commands that can be issued to pacemakers via RF communications. Additionally, the updated pacemaker firmware will prevent unencrypted transmission of patient information, according to the Department of Homeland Security.
The firmware update requires an in-person patient visit with a health care provider, the FDA noted. You can see which devices are affected here. There is a very low risk of an update malfunction during the process, including reloading of a previous firmware version due to incomplete data, a loss of currently programmed device settings, or a loss of device functionality, the FDA said.
Every pacemaker manufactured by Abbott beginning August 28 will have this update pre-loaded in the device, Abbott noted.
The FDA said it will continue to assess new information concerning the cybersecurity of these pacemakers, and will keep the public informed if its recommendations change.
While connected medical devices can offer more efficient, safe, and timely health care delivery, any device connected to the internet may have cybersecurity vulnerabilities, the FDA noted. Security experts predict a rise in Internet of Things (IoT) security breaches this year, making it extremely important for manufacturers to ensure devices are secure, and for enterprise and consumer users to have security protocols in place.
"Cybersecurity risks in networked medical devices are constantly evolving, which means medical device manufacturers and hospitals must be vigilant in the face of changing threats in order to protect patient safety," said William Maisel, acting director of the Office of Device Evaluation and chief scientist in the FDA's Center for Devices and Radiological Health, in an FDA press release. "Because all networked medical devices are potentially vulnerable to cybersecurity threats, the FDA has been working diligently with device manufacturers and other stakeholders to ensure the benefits of medical devices to patients continue to outweigh any potential cybersecurity risks."
The 3 big takeaways for TechRepublic readers
1. On Tuesday, the FDA announced a firmware update for cardiac pacemakers from manufacturer Abbott to reduce the risk of these devices getting hacked.
2. A court case against the manufacturer last year claimed that sophisticated hackers could disable the pacemakers, deplete their batteries, or weaponize them to shock patients from 10 feet away.
3. While connected medical devices can offer more efficient, safe, and timely health care delivery, any device connected to the internet may have cybersecurity vulnerabilities, the FDA noted.
- Hackable heart implants: St. Jude comes under fire for security risks (TechRepublic)
- IoT explosion: So many things, so little time to protect ourselves (ZDNet)
- Electronic health records: The new gold standard for cybercriminals (TechRepublic)
- St. Jude Medical heart devices come under attack in security lawsuit (ZDNet)
- Information security policy template (Tech Pro Research)
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.