Nearly a half-million cardiac patients with implanted pacemakers are being urged to install a software update intended to patch potentially fatal cybersecurity vulnerabilities.
The Food and Drug Administration touted a firmware update Tuesday for implantable heart devices sold by Abbott Labs, formerly St. Jude Medical, roughly a year after cybersecurity researchers first raised concerns about its line of radio-frequency-enabled pacemakers.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the agency said in a safety notice.
“This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the FDA said.
Pacemaker patients with affected products can patch the vulnerabilities by installing the firmware released Tuesday, the FDA said. The update process takes approximately three minutes to complete and must be done during an in-person visit with a health care provider, according to its safety notice.
About 465,000 implanted cardiac devices are vulnerable to the cyberattacks until updated, according to the FDA.
Short-selling firm Muddy Waters released a report in August 2016 addressing supposed cybersecurity vulnerabilities affecting St. Jude products, but the health firm contested its claims and sued in Minnesota federal court for defamation. St. Jude ultimately recalled some of its devices for a battery depletion defect in October, however, and Abbott released the first of two software updates involving its cardiac implants shortly after acquiring the firm in January.
“All industries need to be constantly vigilant against unauthorized access,” added Robert Ford, Abbott’s executive vice president of Medical Devices. “This isn’t a static process, which is why we’re working with others in the health care sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”
Neither the FDA nor Abbott is aware of any instances of patient harm linked to the vulnerabilities, they said. The U.S. Department of Homeland Security said in a January advisory that only an “attacker with high skill” would be able to exploit one of the bugs.
• Andrew Blake can be reached at ablake@washingtontimes.com.