The US Food and Drug Administration (FDA) is recalling nearly half a million pacemakers from St Jude Medical (now Abbott) after finding at the beginning of this year that the devices could be hacked.
The vulnerable firmware is present on any device sold before last Monday (28th). This is the first time a fix has been available.
The FDA warning explains, "The FDA has reviewed information concerning potential cyber-security vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorised user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment.
"This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing."
Users will have to visit their doctor or cardiologist in person to get the update, even though this model is equipped to take updates and downloads over-the-air (OTA). This update requires the patient to be monitored while the pacemaker is in stand-by.
In other words, users must be in a resting state equivalent to the pacemaker's 67 BPM. Even though each update should only take about three minutes, the 465,000 devices in use mean that this is a problem on a massive scale, requiring 23,500 hours to fix.
The FDA is clear that no one has, as yet, fallen prey to the vulnerability, nor are they likely to, but the risk is too big to ignore.
The organisation adds, "The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wifi, public or home Internet) may have cyber-security vulnerabilities that could be exploited by unauthorised users. However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery."
Concerns about the possibility of hacking a pacemaker are nothing new. Vice-President Dick Cheney, who served under George W Bush, had all the remote connectivity on his unit disabled in case of a '24'-style assassination attempt.