The US Food and Drug Administration has recalled nearly half a million pacemakers, out of concern that they could be hacked to drain the battery or even interfere with a patient’s heartbeat. Rather than the invasive process of removing the pacemakers, the recall will involve firmware updates, applied by medical staff, to improve the devices’ cybersecurity.
The recall pertains to six types of pacemakers from the healthtech company Abbott, sold under the brand St. Jude Medical. The radio-controlled, implantable pacemakers are normally given to patients with irregular or slow heartbeats, or who are recovering from heart failure.
Abbott says there have been no reports of unauthorized access to any of the devices. Yet the FDA has warned that they are vulnerable to hackers, who could reprogram the devices using commercially available technology. An attacker could either run down the battery or conduct “administration of inappropriate pacing.” Either scenario could potentially lead to the death of a patient.
The US Department of Homeland Security stated that “it is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update.”
Abbott’s executive vice president, Robert Ford, explained:
“All industries need to be constantly vigilant against unauthorized access. This isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”
Another statement from Abbott argued that the level of risk was nonetheless minimal, saying:
“The risk of hacking is extremely low – in fact, the U.S. Department of Homeland Security said that compromising the security of these devices would require a highly complex set of circumstances. The FDA and Abbott recommend that patients talk to their doctors during their next regularly scheduled visit about the firmware update.”
The vulnerabilities were discovered by cybersecurity firm MedSec, which specializes in finding security weaknesses in medical devices and the healthcare industry. The firm has found vulnerabilities in St. Jude Medical products before, and was sued by St. Jude for disclosing them.
MedSec made headlines in 2016 for its unusual approach to cybersecurity. When it found earlier flaws in St. Jude devices, it disclosed them to Muddy Waters Capital, an investment firm that short-sold St. Jude’s stock in an effort to profit from the financial damage to the company when the vulnerabilities were later revealed to the public.
At the time, MedSec’s chief executive, Justine Bone, said: “We acknowledge that our departure from traditional cybersecurity practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action.”