St. Jude’s Medical, a newly-acquired subsidiary of Abbott Pharmaceutical, was issued a class-2 recall by the FDA for their pacemaker and defibrillator devices. These particular types of pacemakers and defibrillators are placed inside a patient’s chest and administer small shocks of electricity in order to keep the patient’s heart beating properly. Those recalled will either fall under the category of implantable cardioverter defibrillators (ICDs) or cardiac resynchronization therapy defibrillators (CRT-D). They are used to treat chronic, life-threatening conditions, such as ventricular fibrillation and other conditions that affect a person’s heartbeat.
The FDA recall is, essentially, a software update meant to boost the security of the already-implanted medical devices. Abbott is supplying the software to physicians under order of the FDA. 740,000 devices that have been dispensed to patients will require the update. (If you or a loved one is implanted with a Saint Jude’s brand pacemaker or defibrillator, then your physician should administer the software update during your next appointment.)
In an effort to reduce invasive procedures, Abbott controls their cardiac devices through radio frequency. This allows one’s doctor to alter the severity and frequency of the shocks without having to even touch the patient. Professionals are concerned, however, that there may be potential cybersecurity issues with the ICDs and CRT-Ds. It is not unthinkable for someone to hack into one’s pacemaker, even with commercial equipment. The hacker could raise or lower the frequency or severity of the shocks to one’s heart or rapidly deplete the device’s battery. Matthew Green, an associate professor of computer science at Johns Hopkins University, calls this oversight “probably the most impactful vulnerability I’ve ever seen [in a medical device].” Green and other professionals believe that those who are vulnerable could be extorted by hackers.
However, there has not been an instance where someone has had their pacemaker manipulated by anyone other than their doctor. The Department of Homeland Security, too, has stated that, while it is possible for one to hack into and control these devices, it would be extremely difficult and require a great deal of expertise.
For more information and the specific devices that have been recalled by the FDA, see the Minnesota Star Tribune article on St. Jude.
The FDA is preemptively trying to eliminate such threats from other medical appliances that use radio frequencies. Earlier this April, the FDA announced a comprehensive plan to combat cybersecurity threats to the medical industry. Under the plan, titled the Medical Device Safety Action Plan, new devices would be equipped with software/firmware that would allow them to be updated at will by the FDA. This would allow them to be renovated on an ongoing basis as the technology and threats change. In tandem, the FDA has requested funding for a CyberMed Safety Analysis Board for the 2019 fiscal year. This new board would be specifically formed to scrutinize cybersecurity safety risks in new and existing medical devices. Interestingly, the board will be formed via a public-private partnership, with industry experts taking part in the design of the software.