Almost half a million people in the U.S. must update pacemakers that are vulnerable to being hacked.
On Tuesday, the FDA announced a recall for a number of implantable pacemakers manufactured by Abbott Laboratories, formerly St. Jude Medical. The agency says patients could be at risk of someone taking advantage of cybersecurity holes in vulnerable pacemakers.
Now, 465,000 people in the U.S. with these implanted devices must visit their healthcare provider to receive a firmware update that can fix the vulnerabilities. About 280,000 devices are eligible for the update outside the U.S., Candace Steele Flippin, a spokesperson for Abbott, said.
The security flaws could allow a hacker to access the device and change the settings or shut it off.
“This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the FDA wrote.
There have been no incidents of hackers exploiting the flaw.
One year ago, research firm Muddy Waters first said the St. Jude pacemakers were vulnerable to cyberattacks.
In January, Abbott issued a security update for other vulnerable St. Jude cardiac devices connected to the Merlin@home Transmitter.
“These are part of planned updates we mentioned back in January, and further strengthen the security and device management tools for our connected cardiac rhythm management (CRM) devices,” Steele Flippin said of this week’s pacemaker update.
Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council and founder of the security organization I Am The Cavalry, said there are a lot of vulnerabilities in medical devices, and the research community is beginning to work more with manufacturers to identify and fix flaws.
“If we do find them, we could look at it as a reason not to trust the devices, or we could look at it like we’re going from a mode of silent failures to one where we’re starting the process to inform smarter and better designs,” Corman said.
In May, cybersecurity researchers published a report highlighting thousands of vulnerabilities in products from four pacemaker manufacturers.
Corman says people should not have a crisis of confidence that imperils future medical breakthroughs, despite the reality that nothing is unhackable. Instead, he says, it’s important to determine what connectivity is actually needed, and balance it with acceptable risks.
To help physicians better understand medical device security when procuring new technology, his organization created a document of questions doctors can ask to see if companies are doing enough to secure devices.
“I’m hoping that what device makers and physicians get out of this is we shouldn’t just assume that connecting medical technology makes this better,” Corman said.
This story has been updated to clarify the FDA announced, not issued, the recall.