In May this year, Digital Journal reported on a study by California-based security firm WhiteScope. The study came out shortly after the FDA admitted that some pacemakers and other cardiac devices are vulnerable to hacking.
The WhiteScope study found over 8,000 “bugs,” or vulnerabilities in code, that hackers can exploit. All four manufacturers’ devices had major problems, including software systems that weren’t up to date and storage of private patient information that was not encrypted.
One big vulnerability found by WhiteScope was the inclusion of third-party components (libraries) that could potentially be accessed by hackers, allowing changes to be made to the way the pacemakers operate. They found that, in many cases, there was no mapping of the firmware images, allowing an attacker to write arbitrary commands to the memory.
FDA issues recall of Abbott / St Jude Medical’s embedded pacemakers
The FDA identified six types of pacemakers: the Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure, all made by health tech firm Abbott and sold under the St Jude Medical brand. All of the devices are radio-controlled implantable cardiac pacemakers, usually fitted to patients with slow or irregular heartbeats, as well as those recovering from heart failure, reports The Guardian.
The recall doesn’t mean that the pacemakers will have to be surgically removed, an expensive and invasive medical procedure for the 465,000 people with the pacemakers in the U.S. Instead, the manufacturer has issued a firmware update which will be applied by medical staff to patch the security holes.
Robert Ford, executive vice president, Medical Devices, Abbott, said: “Connected devices are having a significant positive impact for patients and their health. To further protect our patients, Abbott has developed new firmware with additional security measures that can be installed on our pacemakers.”
Abbott has since told the BBC that a further 280,000 devices are affected elsewhere. However, Abbott states there have been no reports of any of its devices being hacked, and the U.S. Department of Homeland Security has also advised that unauthorised access of the devices would “require a highly complex set of circumstances.”
Abbott update is available now
The FDA has approved the update developed by Abbott, which requires any device attempting to access the implanted pacemaker to have authorization first. For the patient, the update requires about three minutes to install. Abbott states that during this time the pacemaker will operate in a back-up mode, with essential features remaining available.
The update must be installed during an in-person visit to the healthcare provider, and Abbott is telling patients that they should speak to their doctor about whether they may need to receive the update. As a precaution, Abbott is recommending that patients get the update installed where temporary pacing and a pacemaker generator change are available.