The Cyber Threats in a … Pacemaker?
Never mind the risks to email, bank accounts, or credit cards
If you or a loved one has a pacemaker or defibrillator — or if your doctor is recommending the device — there may be a few questions worth asking, including what brand of product to consider.
The U.S. Food and Drug Administration on Tuesday issued a warning about cybersecurity vulnerabilities associated with St. Jude Medical’s radio frequency-enabled implantable cardiac devices and the corresponding [email protected] transmitter. The warning follows another issue with the devices reported late last year.
The FDA, after months of reviews, officially confirmed it's possible for an outside entity to essentially hack into the device remotely. There have been no reports of any patients harmed by the cybersecurity risk — yet it's possible modified programming commands “could result in rapid battery depletion and/or administration of inappropriate shocks.”
A cybersecurity software patch will be automatically pushed to the [email protected] Transmitter, according to a St. Jude Medical press release. Patients need only be sure their transmitter remains plugged in and connected to the Merlin network to receive the update and any further patches and updates.
Patients relying on the transmitter should also know that their doctors are being encouraged to conduct in-office follow-up visits. Consult with a physician for routine care and follow-up.
Muddy Waters Capital, which initially raised concerns about St. Jude Medical's cybersecurity risk, issued the following statement Tuesday on its website: "After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters. This long-overdue acknowledgment, just days after completion of St. Jude's sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities. Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants."
In a Dec. 27, 2016, blog post on the FDA's website, Suzanne Schwartz, associate director for science and strategic partnerships, wrote, "We see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device's performance and functionality."
The FDA promises to advise manufacturers on cybersecurity issues moving forward.