500,000 Pacemakers Recalled by the US FDA Owing to Hacking Risks
The US Food and Drug Administration (FDA) has recalled almost half a million pacemakers over fears that lax cybersecurity could allow them to be hacked. Such attacks could be aimed at running the batteries down or altering the patient’s heartbeat, and could prove fatal.
The pacemakers, however, won’t be removed from the 465,000 people who have them implanted, because removing them would be an invasive and dangerous procedure. The manufacturer has instead issued a firmware update, which medical staff will need to apply to patch the security holes.
The recall affects six types of pacemakers made by healthcare firm Abbott and sold under the St. Jude Medical brand. These radio-controlled implantable cardiac pacemakers are fitted to patients who have slow or irregular heartbeats and to those who are recovering from heart failure.
However, there hasn’t been any unauthorized access to any implanted device. The Guardian reports: “There have been no reports of unauthorised access to any patient’s implanted device, according to Abbott.” The report goes on to describe what hacking one of these pacemakers could lead to: “The FDA says that the vulnerability allows an unauthorised user to access a device using commercially available equipment and reprogram it. The hackers could then deliberately run the battery flat, or conduct ‘administration of inappropriate pacing’. Both could, in the worst case, result in the death of an affected patient.”
The Guardian also quotes the US Department of Homeland Security statement, which says that it is “…recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update.”
Robert Ford, Executive Vice President, Medical Devices at Abbott, says: “All industries need to be constantly vigilant against unauthorized access…This isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”
The issue was discovered by cybersecurity firm MedSec, which researches vulnerabilities pertaining to the healthcare industry and medical devices. (MedSec and St. Jude Medical are already at loggerheads over an earlier disclosure of such vulnerabilities.)
Kevin Jones