Almost half a million pacemakers have been recalled by the U.S. Food and Drug Administration (FDA) due to fears that their lax cybersecurity could allow them to be hacked to run the batteries down or even alter the patient's heartbeat.
The recall won't see the pacemakers removed, which would be an invasive and dangerous medical procedure for the 465,000 people who have them implanted: instead, the manufacturer has issued a firmware update which will be applied by medical staff to patch the security holes.
Six types of pacemaker, all made by healthtech firm Abbott and sold under the St Jude Medical brand, are affected by the recall. They are all radio-controlled implantable cardiac pacemakers, typically fitted to patients with slow or irregular heartbeats, as well as those recovering from heart failure.
There have been no reports of unauthorized access to any patient's implanted device, according to Abbott. The FDA says that the vulnerability allows an unauthorized user to access a device using commercially available equipment and reprogram it. The hackers could then deliberately run the battery flat, or conduct "administration of inappropriate pacing." Both could, in the worst case, result in the death of an affected patient.
The U.S. Department of Homeland Security said that "it is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update."
Robert Ford, the executive vice president of medical devices at Abbott, said: "All industries need to be constantly vigilant against unauthorized access. This isn't a static process, which is why we're working with others in the healthcare sector to ensure we're proactively addressing common topics to further advance the security of devices and systems."
It was the second round of updates for the heart implants that Abbott has announced since buying medical device maker St. Jude Medical earlier this year.
The weaknesses were discovered by MedSec, a cybersecurity firm that specializes in researching vulnerabilities in the medical device and healthcare industries. These are not the first weaknesses the company has found in St Jude Medical products, and MedSec had previously been the target of a lawsuit from SJM for disclosing such vulnerabilities.
This is the second round of updates for the heart implants issued by Abbott since it acquired SJM in January this year.
MedSec hit headlines in 2016 for its unconventional approach to information security. On discovering flaws in St Jude Medical devices, it shared the information with an investment firm, Muddy Waters Capital, which then short-sold the stock, hoping to make money from the eventual financial hit the company would take when the issues were disclosed.
"We acknowledge that our departure from traditional cybersecurity practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action," the company's chief executive, Justine Bone, said at the time.
© 2017 Guardian Web under contract with NewsEdge/Acquire Media. All rights reserved.
Posted: 2017-09-22 @ 7:05am PT
Which models of pacemakers are affected? I have a St. Jude Model 2240.
Posted: 2017-09-19 @ 11:26am PT
The belief that no one has so far been harmed depends on what you read. Two men in Europe may or may not have died as a result of battery depletion. Read Dr. John Mandrola's 9-15 letter. Heaven forbid we pacemaker/ICD wearers should participate in the debate. Death by Merlin might be a nice title for all you learned writers; better than Dr. Mandrola's title (we call him PaPa for short). Too dramatic for you? Try wearing the devices and reading about this for months, maybe years. Thanks, St. Jude, for hiding information.