U.S. company to update pacemaker software against hacking risks

Posted August 31, 2017

Abbott's pacemakers, formerly of St. Jude Medical, have been "recalled" by the US Food and Drug Administration (FDA) on a voluntary basis.

The FDA has approved a firmware update for the cardiac devices that requires an in-person visit with a healthcare provider, according to an alert from the agency.

Patients must visit their doctors to get the updates, which should take about three minutes.

The FDA notes that on August 23, it approved the firmware update "that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott pacemakers". The flaws in St. Jude Medical's RF-enabled implantable cardiac pacemakers could allow a hacker access to the patient's device to modify programming commands remotely. Neither organization recommends the prophylactic removal of the devices.

Medical device maker Abbott on Monday announced it is voluntarily recalling some 465,000 pacemakers to install a firmware update to patch cybersecurity vulnerabilities in the devices.

"Determine if the update is appropriate for the given patient based on the potential benefits and risks", the FDA instructs.

However, doctors have been advised by Abbott to update only if "appropriate given the risk of update for the patient". Officials warned that there is always a potential for problems with an update: reloading of the previous firmware version if the update is incomplete, a loss of programmed settings, a loss of diagnostic data and a complete loss of device functionality.

There are currently no known reports of patient harm for the 465,000 implanted devices in question, according to the FDA.

For pacing-dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and a pacemaker generator can be readily provided.

All new pacemakers made from August 28 include the new firmware update.

One year ago, research firm Muddy Waters first said the St. Jude pacemakers were vulnerable to cyberattacks.

The patch comes eight months after Abbott released an update meant to fix a vulnerability in the Merlin@home Transmitter, the device now providing pacemaker authorization. During the firmware update process, the pacemaker will run in backup mode, but all life-sustaining features will still be available.

"These planned updates further strengthen the security and device management tools for our connected cardiac rhythm management devices", Abbott spokeswoman Candace Steele Flippin said via e-mail.