Nearly half a million pacemakers are being recalled by the US Food and Drug Administration after the agency found that the devices could be hacked to control pacing or deplete batteries. Rather than having patients remove or replace the device, however, the manufacturer is releasing a firmware update designed to address the vulnerabilities.
Yes, that’s right — grandpa, grandma, your baby, or anyone with arrhythmia and has a pacemaker implanted might need to get a firmware update.
The affected pacemakers are made by St. Jude Medical, which was acquired by Abbott in January. The models are radio-frequency enabled, and were manufactured before August 28th. Any device manufactured from this week on will have the update pre-installed.
The FDA estimates that 465,000 vulnerable devices have been implanted in patients in the US. Hackers could use “commercially available” equipment to change the devices’ programming. In May, researchers found that pacemaker programmers could intercept the device using equipment that cost anywhere between $15 to $3,000, reported Ars Technica. Abbott will now require devices to provide authorization in order to communicate with the pacemaker.
A firmware is basically software for a hardware, and the update should be an easier fix for patients than undergoing surgery for a new, hack-proof device. Unfortunately, patients who require a firmware update can’t get it at home. Instead, they’ll have the three-minute update administered by a healthcare provider. During this time, the device will run in backup mode. It’s possible that diagnostic data or settings will be lost — or worse, that the device will be bricked — so patients should talk to their doctors about the risks and benefits of updating their pacemakers.
In the alert, the FDA warned patients that any device that connects to Wi-Fi or the internet is vulnerable to hacking. But the agency also noted that connectivity has its benefits — including safer and more convenient health care. As with most things in medicine, patients will have to determine whether the risks are worth it.
This isn’t the first time Abbott’s Jude Medical unit’s pacemakers have been found to contain cybersecurity vulnerabilities. In January, the FDA issued a similar warning for the company’s implantable RF pacemakers and corresponding transmitters that could be exploited to administer inappropriate pacing or shocks.