The Food and Drug Administration (FDA) has issued a recall for nearly 500,000 pacemakers manufactured by St. Jude Medical (SJM), a subsidiary of Abbott. Pacemakers are implanted in the chest to control abnormal heart rhythms. To avoid superfluous surgeries, an implanted pacemaker is controlled over a radio frequency. However, Abbott has discovered that the frequency can be accessed with commercial equipment. Hackers who are within 50 feet can tamper with the device, and they have the potential to drain the battery or accelerate the patient’s heartbeat, which could kill.
The obvious question arises: Why would someone take the time to hack someone else’s pacemaker? While this seems like a rather obscure reason to recall half a million medical devices, these patients are exposed to a newer phenomenon: ransomware. In this scenario, a patient’s pacemaker is hacked, and the hacker threatens to alter the patient’s heartbeat unless they pay a large amount of money.
Most medical professionals and Abbott have downplayed this threat; too many pieces must fall into place, such as location and motive, for any damage to be done. Matthew Green, an assistant professor of computer science at Johns Hopkins University, disagrees. He believes that extortion attacks on both patients and manufacturers are prevalent, and that they must be addressed. This threat is growing every day.
A possible solution, professionals suggest, would be to password-protect the radio frequencies. This may seem like a good idea upon first inspection, but if a patient were to go to the hospital for a pacemaker-related medical emergency, the physicians there would have to spend extra time getting access to the device. This process would waste crucial time that could be spent helping the patient. If the patient cannot communicate the password to their doctor, the extra time could prove lethal.
Pacemakers cannot simply be removed due to the risk of complications. Because of this, Abbott has developed a new firmware update that attempts to heighten security. In rare cases, the update may cause the pacemaker to fail. Patients must be in a hospital to receive the update, and they are encouraged to meet with their cardiologist to weigh the risks of installing the update against the risk of cyberattacks.
The issue in Abbott’s design was originally discovered by MedSec, a cybersecurity firm that specializes in finding flaws in medical equipment and publicly disclosing them. This is not the first defect they have found in SJM’s pacemakers. In 2016, they disclosed the information to an investment firm, Muddy Waters Capital, which then proceeded to short the stock in an effort to make a profit when the news became public. MedSec apparently did this to put financial pressure on SJM and Abbott to make the changes quickly.
Six different varieties of pacemakers are prone to hacking. Read Abbott’s open letter to doctors regarding the issue [HERE] for more information.