The Homeland Security Department warned Tuesday (January 10) about an unusual cybersecurity flaw in St. Jude Medical’s implantable heart devices that could allow hackers to remotely take control of a person’s defibrillator or pacemaker.
A day before, on Monday, the Food and Drug Administration also said that the Minnesota-based medical device company’s pacemakers, defibrillators and other heart devices may have put patients at risk because of cybersecurity concerns. Thereafter, Abbott Laboratories (ABT.N) moved to protect patients with its St. Jude heart implants against possible cyber attacks by releasing a software patch that it claimed would reduce the “extremely low” chance of them being hacked. Information on the security flaw, identified by researchers at MedSec Holdings, was made public five months after the U.S. government launched a probe, and only after the software repair was made. The federal investigation into the problem started in August.
While no hacking has been reported, the concern about possible tampering is high enough that the FDA is issuing a warning about hacking threats. The devices contain configurable embedded computer systems with the potential for life-threatening hacks that could cause implanted devices to pace at potentially dangerous rates or cause them to fail by draining their batteries.
The government advisory said security patches will be rolled out automatically over months to patients with a device transmitter at home, as long as it is plugged in and connected to the company’s network. The transmitters send heart device data back to medical professionals.
The FDA and DHS said that the software update addresses some, but not all, known cybersecurity problems in St. Jude’s heart devices. The update addresses the vulnerabilities that present the greatest risk to patients and prevents hackers from accessing the device.
MedSec CEO Justine Bone also tweeted that St. Jude’s software fix did not address all problems in the devices. They include the ability to issue an unauthorized command to a cardiac implant from a device other than St. Jude’s Merlin@home device.
St. Jude spokeswoman Candace Steele Flippin said:
“St. Jude Medical has worked with, and continues to work with, the FDA and DHS to update and improve the security of our technology.”
The FDA also showed support for treating the vulnerabilities. In an email to Motherboard, St. Jude said that it would implement updates to its devices in 2017 to ensure patient safety.
St. Jude’s devices treat dangerous irregular heart rhythms that can cause cardiac failure or arrest. The devices are implanted in the skin and connected to the heart via insulated wires. They work with the Merlin@home Transmitter, which sends a patient’s information to their doctor. The FDA warned that hackers could exploit the transmitter and “modify programming commands to the implanted device.” The threat to the implanted device itself is no less.
The FDA’s review is ongoing.
Meanwhile, patients who use the transmitter are encouraged to continue a normal routine of checkups with their healthcare provider. The FDA said that the benefits of continuing treatment outweighed cyber risks.
As more and more medical devices get connected to the internet, they become vulnerable to hackers who could play with the heart and life of a person by changing the heart rate, administering shocks, or even depleting the battery.