“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the U.S. Food & Drug Administration (FDA) said in a notice dated August 29th.
“This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”
The voluntary recall affects 465,000 radio frequency-enabled implantable pacemakers including Allure, Accent, Anthem, Accent MRI, Accent ST and Assurity models. All of the recalled devices were manufactured prior to August 28, 2017.
So far, there have been no reports of patient harm related to the cybersecurity vulnerabilities affecting the recalled pacemakers.
St. Jude Developed Firmware Update to Address Hacking Concerns
St. Jude Medical has developed a firmware update to address the cybersecurity issue. Installing the update requires an in-person patient visit with a health care provider. The update became available August 29th and will take approximately 3 minutes to complete.
While the risk is low, the updated firmware could potentially result in the following malfunctions:
reloading of previous firmware version due to incomplete update
loss of currently programmed device settings
loss of diagnostic data
complete loss of device functionality
The FDA is recommending that patients and their health care providers discuss the risks and benefits of the cybersecurity vulnerabilities and the associated firmware update during their next regularly scheduled visit.
Medical Device Cybersecurity Vulnerabilities
The same cybersecurity issues were raised in August 2016 by the investment group Muddy Waters Capital, which charged that St. Jude Medical’s Merlin@home monitoring system was vulnerable to hacking. The company strongly denied the charges and even filed a defamation suit against Muddy Waters. But the problems were later confirmed by the FDA and the U.S. Department of Homeland Security.
Medical devices marketed by other companies have been the subject of similar hacking worries. In October 2011, for example, Johnson & Johnson warned of a vulnerability affecting Animas OneTouch Ping insulin pumps that could allow a hacker to remotely cause an insulin overdose.
The previous year, the FDA warned hospitals to stop using Hospira’s Symbiq infusion pumps due to a cybersecurity problem that could allow hackers to alter a patient’s dosage by tapping into a facility’s network.