Pacemaker Panic

Posted on Oct 6, 2017 in News, Technology

The FDA recently released an emergency notice recalling several implantable pacemakers due to recently discovered cyber security vulnerabilities. According to the FDA, devices manufactured by Abbott (formerly St. Jude Medical) could be compromised by hackers with exploits that would allow a third party to affect the speed of the device or deplete its batteries. Fortunately, a simple firmware update will protect patients from any outside interference.

Frequency Failure

According to the FDA, hackers could take advantage of radio-frequency-enabled pacemakers to compromise the device’s authentication algorithm. Under the right circumstances, bypassing the device’s authentication key and time stamp would allow a nearby attacker to send “unauthorized commands” to the pacemaker via RF communications. Additionally, because these specific pacemakers do not limit the number of “RF wake-up” commands, a third party could repeatedly send commands to the device to drain its battery life. Both the Accent and Anthem pacemakers could also potentially reveal patient information to unauthorized parties.

As of yet, there are no reports of any real-world infiltrations, and both the FDA and the Department of Homeland Security confirmed the exploit code is “not publicly available.” The Department of Homeland Security warns that potential hackers would need to be physically near their intended target. Additionally, the Department of Health promises only “an attacker with high skill would be able to exploit these vulnerabilities.”

Nevertheless, the potential for real harm exists, especially because the flaw in the device’s software would allow a third party to slow or stop the device. Even though the possibility of injury or death remains remote, influencing the speed or power of a pacemaker could result in life-threatening injury, thus spurring the FDA’s recall action.

“These vulnerabilities, if exploited, could allow an unauthorized user (i.e., someone other than the patient’s physician) to access a patient’s device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the FDA warned.

Software Solution

The FDA estimates over 460,000 devices could be implicated, all of them either traditional pacemakers or cardiac resynchronization therapy pacemakers (CRT-P). The brands affected include Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure. Implantable cardiac defibrillators (ICDs) and cardiac resynchronization ICDs (CRT-Ds) were not implicated in the possible hack.

Thankfully, a firmware update designed to limit commands and prevent unencrypted transmission of patient information can be loaded onto the device. Using the Merlin PCS programmer, healthcare providers can upload the firmware update directly onto the implanted device, though the FDA suggests patients consider all the risks before making a decision.

“It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cyber security attack along with the risk of performing a firmware update,” counsels the FDA’s recall notice. “Implementation of the firmware update is to be determined based on the physician’s professional judgment and patient management considerations.”

Moving forward, all devices manufactured after August 28th, 2017 will operate on the updated software. In the meantime, both a hotline (1-800-722-3774) and website are available to answer questions and address concerns.