The US Food and Drug Administration (FDA) has recalled nearly half a million pacemakers following fears that the devices could be hacked to deplete their batteries or even allow an attacker to remotely control the device’s functions.
The FDA has recalled a total of 465,000 pacemakers manufactured by healthcare provider Abbot (previously known as St. Jude Medical) in order to push a mandatory firmware update to patch multiple vulnerabilities in several classes of devices. The procedure will notably be non-invasive and will take as little of three minutes to push the upgrade. A total of six types of pacemakers, all developed by Abbot and sold under the St Jude Medical banner are affected. The devices are radio-controlled cardiac pacemakers fitted to patients with slow or irregular heartbeats with an implant under the skin in the upper chest area. The devices have insulated wires that go into the heart and are critical, life-saving devices.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the FDA wrote in an announcement.
Alarmingly, the authority also details what might happen if the vulnerability was exploited.
This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.
In both instances, the absolute worst case scenarios could result in the death of an affected patient.
The weaknesses were identified by cybersecurity firm MedSec, which specializes in finding vulnerabilities in medical devices and the healthcare industry.
A firmware update was developed by St. Jude Medical “to address these cybersecurity vulnerabilities”, the FDA added, in its public recall.
Robert Ford, executive vice president of medical devices at Abbot added:
All industries need to be constantly vigilant against unauthorised access. This isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.
Image credit: Pixabay.