Are you using a pacemaker manufactured by Abbott Laboratories (previously St. Jude Medical)?
If yes, this article is especially for you.
One year ago, research firm Muddy Waters first said the St. Jude pacemakers were vulnerable to cyberattacks.
“These are part of planned updates we mentioned back in January, and further strengthen the security and device management tools for our connected cardiac rhythm management (CRM) devices,” Steele Flippin said of this week’s pacemaker update.
Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council and founder of the security organization I Am The Cavalry, said there are a lot of vulnerabilities in medical devices, and the research community is beginning to work more with manufacturers to identify and fix flaws.
“If we do find them, we could look at it as a reason not to trust the devices, or we could look at it like we’re going from a mode of silent failures to one where we’re starting the process to inform smarter and better designs,” Corman said.
In May, cybersecurity researchers published a report highlighting thousands of vulnerabilities affecting four pacemaker manufacturers.
Corman says people should not have a crisis of confidence that imperils future medical breakthroughs, despite the reality that nothing is unhackable. Instead, he says, it’s important to determine what connectivity is actually needed, and balance it with acceptable risks.
To help physicians better understand medical device security when procuring new technology, his organization created a document of questions doctors can ask to see if companies are doing enough to secure devices.
“I’m hoping that what device makers and physicians get out of this is we shouldn’t just assume that connecting medical technology makes this better,” Corman said.
It is no surprise that pacemakers, the small devices implanted in a patient's body to deal with life-threatening cardiac rhythm issues, are open to critical vulnerabilities. Now, the Food and Drug Administration (FDA) has sent out a security notice that around 465,000 (half a million) pacemaker devices are vulnerable to hack attacks and require a critical software update to protect them.
These existing vulnerabilities can allow hackers to modify the settings of a targeted device and turn it off, which can be fatal for patients, since pacemakers use batteries to send electric signals to the heart to help it pump the right way. The pacemaker is connected to the heart by one or more wires.
“These vulnerabilities, if exploited, could allow an unauthorized user (i.e., someone other than the patient’s physician) to access a patient’s device using commercially available equipment.
This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the FDA wrote.
The pacemakers under discussion were manufactured by Abbott Laboratories (previously St. Jude Medical).
To receive a firmware update that fixes the vulnerabilities in their device, patients in the United States must visit their doctors and healthcare providers, while 280,000 devices outside the United States are entitled to receive the update.
The list of vulnerable devices includes:
Currently, there are no reports or indications of unauthorized access to any patient’s implanted device. Abbott, on the other hand, said it would also update the software embedded in pacemakers to reduce the risk of hacking.
In 2016, Muddy Waters released a report claiming that pacemakers and other implantable devices manufactured by St. Jude Medical are vulnerable to life-threatening cyberattacks.
In return, St. Jude Medical not only rejected Muddy Waters’s report but also filed a lawsuit for defamation. However, the FDA and Homeland Security conducted an investigation and confirmed that Muddy Waters’s findings were legitimate.
In May this year, WhiteScope security researchers found thousands of critical security flaws in pacemakers, leaving them vulnerable to cyberattacks that could have fatal consequences: attackers could even adjust the pacemaker should they choose to, posing a grave risk to the lives of patients.