http://www.digitaljournal.com/life/health/recall-500-000-internet-controlled-pacemakers-over-safety-fears/article/502681

Recall — 500,000 Internet-controlled pacemakers over safety fears

Posted Sep 17, 2017 by Karen Graham
Nearly 500,000 pacemakers have been recalled by the U.S. Food and Drug Administration (FDA) due to fears that their lax cybersecurity could be hacked to run the batteries down or even alter the patient’s heartbeat, resulting in death.
An artificial pacemaker (serial number 1723182) from St. Jude Medical  with electrode.
An artificial pacemaker (serial number 1723182) from St. Jude Medical, with electrode.
Steven Fruitsmaak
In May this year, Digital Journal reported on a study done by security firm, California-based WhiteScope. The study came out shortly after the FDA admitted that some pacemakers and other cardiac devices are vulnerable to hacking.
In the WhiteScope study, over 8,000 "bugs," or vulnerabilities in codes were found that hackers can exploit. All four manufacturers' devices had major problems, including software systems that weren't up to date and storage of private patient information that was not encrypted.
One big vulnerability found by WhiteScope was the inclusion of third-party components (libraries) that could potentially be accessed by hackers, allowing changes to be made to the way the pacemakers operate. They found in many cases, there was no mapping of the firmware images, allowing for an attacker to write arbitrary commands to the memory.
From the implantable device (pacemaker)  data flows to the physician s office  or in the case of an ...
From the implantable device (pacemaker), data flows to the physician's office, or in the case of an implanted defibrillator, the data can go from the operating room to the physician programmer and on to the patient support network. But all aspects of the system are vulnerable.
WhiteScope
FDA issues recall of Abbott / St Jude Medical’s embedded pacemakers
The FDA identified six types of pacemakers that includes the Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure, all made by health tech firm Abbott and sold under the St Jude Medical brand. All of the devices are radio-controlled implantable cardiac pacemakers, usually fitted to patients with slow or irregular heartbeats, as well as those recovering from heart failure, reports The Guardian.
The recall doesn't mean that the pacemakers will have to be surgically removed, an expensive and invasive medical procedure for the 465,000 people with the pacemakers in the U.S. Instead, the manufacturer has issued a firmware update which will be applied by medical staff to patch the security holes.
Robert Ford, executive vice president, Medical Devices, Abbott, said: “Connected devices are having a significant positive impact for patients and their health. To further protect our patients, Abbott has developed new firmware with additional security measures that can be installed on our pacemakers."
Implantable pacemaker
Implantable pacemaker
Steven Fruitsmaak
Abbott has since told the BBC that a further 280,000 devices are affected elsewhere. However, Abbott states there have been no reports of any of its devices being hacked, and the U.S. Department of Homeland Security has also advised that unauthorised access of the devices would "require a highly complex set of circumstances."
Abbott update is available now
The FDA has approved the update developed by Abbott, which requires any device attempting to access the implanted pacemaker to have authorization first. For the patient, the update requires about three minutes to install. Abbott states that during this time the pacemaker will operate in a back-up mode, with essential features remaining available.
The update requires an in-person visit to the healthcare provider for installation of the update and Abbott is telling patients that they should speak to their doctor about whether they may need to receive the update. As a precaution, Abbott is recommending that patients get the update installed where temporary pacing and a pacemaker generator change are available.