Almost half a million pacemakers implanted in patients with heart disease have been recalled because of a scary and shocking scenario: the life-saving devices could be tampered with remotely by computer hackers. Pacemaker hacking is becoming a possibility.
The U.S. Food and Drug Administration released a safety alert in August of 2017 about potential pacemaker hacking, citing the risk of personal harm. The safety alert, titled “Implantable Cardiac Pacemakers by Abbott (formerly St. Jude Medical): Safety Communication – Firmware Update to Address Cybersecurity Vulnerabilities,” immediately grabbed headlines.
Pacemaker Hacking Fears Stoked by FDA
“White hat hackers have previously pointed out the risks with connected medical devices,” according to an article in Fortune titled “465,000 Pacemakers Recalled on Hacking Fears.” “In its announcement, the FDA noted that this vulnerability could allow third parties to rapidly drain the pacemaker’s battery or adjust the operation of the device.”
Josh Corman, director of the Atlantic Council’s Cyber Statecraft Initiative, which focuses on the public impact of cybersecurity vulnerabilities, said the threats involving such medical devices are real.
“Corman says people should not have a crisis of confidence that imperils future medical breakthroughs, despite the reality that nothing is unhackable,” CNN Money reports in an article titled “Over half a million hackable pacemakers can now be fixed.” “Instead, he says, it’s important to determine what connectivity is actually needed, and balance it with acceptable risks.”
The fix actually is easy and takes no more than three minutes, although it will require everyone affected to make an appointment with his or her doctor. The corrective action is a firmware update.
“The FDA and Abbott do NOT recommend prophylactic removal and replacement of affected devices,” the FDA states in the safety alert. “Print or digitally store the programmed device settings and the diagnostic data in case of loss during the update. After the update, confirm that the device maintains its functionality, is not in backup mode, and that the programmed parameters have not changed.”
The FDA stated that no injuries have been reported yet but made clear the danger of that happening in the future.
“Many medical devices – including St. Jude Medical’s implantable cardiac pacemakers – contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits,” the safety alert states. “As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.”
Pacemaker Hacking Scenarios Explained
The scary and shocking scenario might play out like this: A computer hacker gains access to an implanted pacemaker and changes its programmed data, resulting in improper pacing – making the heart beat too fast or too slow – and depleting the battery in the process. While the FDA’s safety alert is limited to pacemakers, there is no reason bad actors could not gain access to other devices connected to the Internet. The firmware of these devices forms the basis of their operating systems.
Included in the recall list are the Accent DR RF, Accent MRI, Accent SR RF, Allure Quadra RF, Allure RF, Anthem RF, Assurity, Assurity MRI and Quadra Allure MP RF.
“All industries need to be constantly vigilant against unauthorized access,” Robert Ford, Abbott’s executive vice president of medical devices, said in a press release titled “Abbott Issues New Updates for Implanted Cardiac Devices.” “This isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”
The topic of hacking and health care is not a new one. In 2013, former Vice President Dick Cheney revealed on CBS’ 60 Minutes that he had disabled a feature on his defibrillator that enabled it to be connected to Wi-Fi, out of fear of being assassinated by terrorists. Also in 2013, the FDA and the Industrial Control Systems Cyber Emergency Response Team, which works to reduce the risks surrounding 16 critical-infrastructure sectors in the United States, came out with dual studies covering not only pacemakers and defibrillators but also drug-infusion pumps, patient monitors and ventilators – all containing passwords. A blog later published the findings.
“Pacemaker programmers do not authenticate to pacemaker devices,” the blog, titled “Understanding Pacemaker Systems Cybersecurity,” states. “Any pacemaker programmer can reprogram any pacemaker from the same manufacturer. This shows one of the areas where patient care influenced cybersecurity posture.”
Patients and physicians are urged to contact Abbott’s customer hotline for technical support. The number is 800‐722‐3774 and patients can call with questions regarding the firmware update. They additionally are urged to report any adverse events via the FDA’s MedWatch Online Voluntary Reporting Form.