The US Food and Drug Administration (FDA) has recalled almost half a million pacemakers because they were found to be vulnerable to cyber threats. The recall comes months after the FDA conducted an investigation into the affected devices that revealed a number of non-compliance issues. Threats include flaws in cybersecurity that could allow hackers to run the batteries down or even alter the heartbeats of 465,000 patients.
The recall won’t require the pacemakers to be removed. Instead, the manufacturer has issued a firmware update which will be applied by healthcare providers to patch the security holes. The FDA has stated there are no known reports of unauthorized access to any patient’s implanted device.
Six types of pacemakers, made by healthtech firm Abbott and sold under the St Jude Medical brand, are affected by the recall. They are all radio-controlled implantable cardiac pacemakers, typically fitted to patients with slow or irregular heartbeats, as well as those recovering from heart failure.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the FDA said.
“This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”
The firmware update to the affected pacemaker's is now available. To install the update, the patient must visit their healthcare provider. While the health care provider is doing the three-minute update, the pacemaker will move to backup mode as its life-saving features will remain available.
This is the second round of updates for the heart implants issued by Abbott since it acquired Saint Jude’s Medical in January this year.
The FDA will continue to monitor the situation, and any pacemaker made after Aug. 28 will have the firmware update pre-loaded.
While this is the first time that the FDA has acted to protect patient health through a voluntary device recall, it is not the first time medical devices have been investigated by the FDA. Since 2015 the FDA has issued alerts and what it called “guidance” on the post-market management of cybersecurity for medical devices. However, a recent study revealed that only 51 percent of medical device manufacturers and 44 percent of healthcare organizations currently follow the FDA guidance to reduce or mitigate device security risks.
Though “homicide by medical device” may seem far-fetched for now, it’s not completely out of the realm of possibility. Thought leaders in the healthcare cybersecurity industry have been pushing for greater governance of medical devices as more and more security vulnerabilities and backdoors to these devices have been discovered.
“The potential for immediate patient harm arising from hackers gaining control of a pacemaker is obvious, even if the ability to do so on a mass scale is theoretical,” points out Matt Fussa, Legal Director for Cisco. “For example, imagine a ransomware attack that threatens to turn off pacemakers unless a bitcoin ransom is paid. In this week’s recall alone, 465,000 devices are affected. An attack of this type would pose an immediate risk to all of these patients and would likely overwhelm the ability to respond.”
Robert Ford, the executive vice president of medical devices at Abbott, said: “All industries need to be constantly vigilant against unauthorised access. This isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”