FDA to patients with St. Jude pacemakers: Update needed to keep hackers out of devices

Providers can update software to ensure a hacker can’t access the device and remotely modify programming commands.
By Jessica Davis
04:00 PM

The U.S. Food and Drug Administration is urging all heart transplant patients who have received a St. Jude pacemaker to contact their healthcare provider and receive a software update to protect their device from being hacked.

The firmware update will take just three minutes in person with the patient’s provider. The FDA stressed this update cannot be done from home. The device will run in backup mode during the process, but all life-sustaining features will still be available.

After the update, the device will return to normal settings.


The implantable cardiac devices from Abbott -- which acquired St. Jude Medical in early 2017 -- have been under fire since August 2016.

A report from investment firm Muddy Waters Capital and security researcher MedSec found St. Jude’s pacemakers and other heart devices are vulnerable to hacking and other cybersecurity threats. The lawsuit that followed came with another report of even more flaws.


While St. Jude built patches for these flaws, this newest FDA alert provides the framework to fix the vulnerabilities. The flaws in St. Jude Medical's RF-enabled implantable cardiac pacemakers could allow a hacker access to the patient’s device to modify programming commands remotely.

This would result in drained battery power or the administration of inappropriate pacing.


There is a low risk of an update malfunction. However, officials warned that the potential issues always include a reload of the previous version if the update is incomplete, a loss of programmed settings, a loss of diagnostic data and a complete loss of device functionality.

The FDA is instructing providers to evaluate the risks and benefits, considering the needs of each patient.


“For pacing dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator can be readily provided,” according to the alert.

The FDA plans to continue to monitor these devices and inform the public if other issues arise. It is also working with manufacturers, providers, security researchers and the government to develop and implement tools to improve cybersecurity on all devices throughout the lifecycle.

“FDA reminds patients, patient caregivers and healthcare providers any medical device connected to a communications network may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” officials said. “However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely healthcare delivery.”
