September 1, 2017

FDA Recalls Half a Million Pacemakers Due to Hacking Fears

The US Food and Drug Administration (FDA) has recalled nearly half a million pacemakers following fears that the devices could be hacked to deplete their batteries or even allow an attacker to remotely control the device’s functions.

The FDA has recalled a total of 465,000 pacemakers manufactured by healthcare provider Abbott (previously known as St. Jude Medical) in order to push a mandatory firmware update that patches multiple vulnerabilities in several classes of devices. Notably, the procedure is non-invasive, and pushing the upgrade will take as little as three minutes. A total of six types of pacemakers, all developed by Abbott and sold under the St. Jude Medical banner, are affected. The devices are radio-controlled cardiac pacemakers fitted to patients with slow or irregular heartbeats, implanted under the skin in the upper chest area. They have insulated wires that go into the heart and are critical, life-saving devices.

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the FDA wrote in an announcement.

Alarmingly, the authority also details what might happen if the vulnerability was exploited.

“This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

In both instances, the worst-case scenario could be the death of an affected patient.

The weaknesses were identified by cybersecurity firm MedSec, which specializes in finding vulnerabilities in medical devices and the healthcare industry.

A firmware update was developed by St. Jude Medical “to address these cybersecurity vulnerabilities,” the FDA added in its public recall.

Robert Ford, executive vice president of medical devices at Abbott, added:

“All industries need to be constantly vigilant against unauthorised access. This isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”

About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.