Published: Thu, August 31, 2017
Economy | By Melissa Porter

Implantable Cardiac Pacemakers by Abbott (formerly St. Jude Medical): Safety Communication

Implantable Cardiac Pacemakers by Abbott (formerly St. Jude Medical): Safety Communication

The firmware update is meant to fix a cybersecurity weakness that allowed hackers to affect the battery life and pacing of 465,000 devices implanted in patients in the U.S. Once the hacker has control, they can rapidly deplete the battery or alter the pacing, putting the health of patients who rely on their pacemakers at risk.

To view the full article, register now.

Abbot is now asking doctors to discuss with patients about the need to administer the software updates instead of having to replace the pacemaker as a whole. The FDA has reviewed information that suggests hackers could use commercially-available equipment to gain access to a patient's device.

The update is part of Merlin@home v8.2.2, but pacemakers manufactured from 28 August will already contain the security patch.

The Food and Drug Administration revealed that 465,000 pacemakers in the United States were affected, in an advisory note about a fix to the problem.

Now, 465,000 people in the USA with these implanted devices must visit their healthcare provider to receive a firmware update that can fix the vulnerabilities.

In particular, Abbott's pacemakers, formerly of St. Jude Medical, have been "recalled" by the US Food and Drug Administration (FDA) on a voluntary basis.

The FDA is instructing providers to evaluate the risks and benefits, considering the needs of each patient.

Patients are being advised to ask their doctors about an available firmware update at their next scheduled appointment.

The FDA and U.S. Department of Homeland Security confirmed that the St. Jude devices were vulnerable to hacking although no specific instances have come to light.

Abbott-owned St Jude Medical was at the centre of a legal storm past year after suing security firm MedSec and short seller Muddy Waters for publishing what it claimed to be false info about bugs in its equipment.

In a letter sent to doctors (downloadable.PDF), Abbott - which acquired St. Jude Medical in 2016 - admitted the update could not be delivered over the air and requires roughly three minutes in the presence of the patient to download and install while in backup mode. Based on Abbott's data, there's a 0.161 percent chance the update reloads old firmware due to an incomplete update; a 0.023 percent chance that the update will wipe programmed device settings; a not reported chance of loss of diagnostic data; and a 0.003 percent chance the device becomes bricked.

The FDA plans to continue to monitor these devices and inform the public if other issues arise and is also working with manufacturers, providers, security researchers and the government to develop and implement tools to improve cybersecurity on all devices throughout the lifecycle.

The security flaws could allow a hacker to access the device and change the settings or shut it off.

Like this: