In today's connected society, almost anything can potentially be hacked, even implanted medical devices. It’s been confirmed that a total of 745,000 pacemakers – 465,000 of them in the US – have vulnerabilities that could leave them open to attack.
The US Food and Drug Administration (FDA) has issued a voluntary recall notice for pacemakers sold by Abbott Laboratories, formerly St. Jude Medical. Exploiting the devices’ flaws could cause them to operate too fast or quickly deplete their batteries.
"If there were a successful attack, an unauthorized individual (i.e., a nearby attacker) could gain access and issue commands to the implanted medical device through radio frequency (RF) transmission capability, and those unauthorized commands could modify device settings (e.g., stop pacing) or impact device functionality," wrote Abbott representatives in a letter sent to doctors.
According to the Department of Homeland Security, a person would have to be close to one of the pacemakers to launch an attack. There haven’t been any reports of attempted hacks, but the devices require a firmware update to ensure they are protected.
Patients with affected pacemakers, which include the Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure models, are advised to book themselves in with their doctors to receive the update. The process, which involves a radio wave-emitting wand being placed close to the pacemakers, takes about three minutes.
Doctors have been advised by Abbott to perform the procedure only if it is "appropriate given the risk of update for the patient," as it could affect the device's settings. There’s also a 0.003 percent risk of complete functionality loss.
"In some cases, doctors and patients will decide that the risks that could be associated with performing the new pacemaker firmware update for some patients may outweigh the benefits," Abbott said in a note to pacemaker users.
Back in January, following months of denials by St. Jude, the FDA confirmed the company’s cardiac machines contained hacking vulnerabilities.
In 2016, investment house Muddy published a report claiming St. Jude's devices could be hacked. St. Jude called the document “false and misleading,” before launching legal action against the company.