Thousands of Australians could have pacemakers being recalled in US over hacking risk

Thousands of Australians are believed to have pacemakers that have been recalled in the United States because they are vulnerable to being hacked.

The US Food and Drug Administration (FDA) has recalled 465,000 devices from Abbott (formerly St Jude Medical) because hackers could remotely cause the batteries to rapidly go flat or force the pacemakers to run at potentially deadly speeds.

In Australia the Therapeutic Goods Administration said it was aware of the recall and was reviewing information “to determine what, if any, action is required in Australia and will take into account the conclusions from the FDA investigations”.

Medicare statistics indicated there were about 11,375 pacemakers and 3,500 implantable cardioverter defibrillators implanted in Australia in 2016.

Only those devices implanted in the past two years would likely have “remote monitoring”, which allows cardiologists to monitor how well the devices are operating from a standalone computer — and that is what makes the devices vulnerable to hacking.

St Jude Medical has an estimated 20 per cent of the pacemaker market in Australia, meaning about 6,000 Australians with devices could be affected.

But experts said all pacemaker patients who have remote monitoring were vulnerable to hacking.

Cardiologist Dr Bradley Wilsmore said it was highly unlikely average Australians would be a target.

Dr Wilsmore specialises in heart rhythms and said he had received no correspondence from St Jude Medical or the Therapeutic Goods Administration about the FDA recall, and learned about it in the media.

“St Jude’s are absolutely hopeless,” he said.

“It’s extremely frustrating.”

He was equally critical of the Therapeutic Goods Administration.

Risk to Australian patients ‘low’

Dr Wilsmore said patients should not be concerned because there was an extremely “low risk” of being hacked, and this was vastly outweighed by the benefit of remote monitoring.

Patients who are monitored live longer, are less likely to receive inappropriate shocks, have better battery life, fewer malfunctions and are generally better managed, the cardiologist added.

“If I had a pacemaker I’d have remote monitoring, without question,” he said.

However, he said while it was excellent medical innovation, he was concerned there was insufficient regulation of remote monitoring in Australia.

“There’s no guidelines or regulations or criteria of security of these devices,” Dr Wilsmore said.

He advised patients to ask about their device at their next check-up and seek a software upgrade.

“I don’t think it’s a significant issue,” Dr Wilsmore said. “At the moment it’s unlikely to cause any problems, but it only takes one weirdo.”

‘No reported cases of malicious intent’

The Cardiac Society of Australia and New Zealand said the problem was more theoretical than real.

The society’s Heart Rhythm Council chairman, Professor Andrew McGavigan, said there was no urgent need for people to seek medical attention, but agreed patients should get a firmware update.

“There’s no reported cases of actual or malicious intent,” he said.

Patients can find out if they have a St Jude Medical device by checking a special card given to them after their initial surgery.

Dr Wilsmore said while all pacemakers with remote monitoring could be vulnerable, St Jude Medical devices had been targeted because the company was publicly listed.

Last year medical device research firm MedSec publicly revealed several vulnerabilities in St Jude Medical pacemakers, while at the same time betting on the stock market that the company’s share price would fall — a process known as short selling.

FDA recall ‘part of planned updates’

The idea of hacking a pacemaker to assassinate someone may have seemed far-fetched when it was a plot line in the popular TV show Homeland in 2012.

But less than a year later former US vice-president Dick Cheney revealed to American media that his cardiologist ordered the manufacturer of his pacemaker to disable wireless capabilities.

“It seemed to me to be a bad idea for the vice-president to have a device that maybe somebody on a rope line or in the next hotel room or downstairs might be able to get into — hack into,” Mr Cheney’s cardiologist Jonathan Reiner said.

“And I worried that someone could kill [the vice-president].”

A spokeswoman for Abbott (St Jude Medical) said the FDA recall was part of planned firmware updates announced in January.

“We have communicated with physicians about these updates to our pacemakers as part of our ongoing commitment to continuously improve patient care in the face of a constantly evolving technology landscape,” she said.

“This update will be launched following local regulatory approval.

“Abbott is also communicating with regulatory authorities worldwide to implement the new updates to the implantable devices.”

Patients with radio frequency enabled models of St Jude Medical/Abbott’s pacemakers should get in touch with their cardiologist.

Source: http://www.abc.net.au/news/2017-08-31/pacemakers-recall-hacking-risk-australians-could-have-them/8860368