
Half a million pacemaker patients are at risk of hack

More than 465,000 patients with St Jude pacemakers are at risk of potentially fatal hacks – and need to undergo an incredibly risky ‘software update’, the manufacturer admitted this week.

The matchbox-sized devices are implanted in a person’s chest to fix abnormal heart rhythms.

Running their own software, they keep the heart beating normally and can also transmit information about a patient’s condition to their doctor via the internet, sounding the alarm when something’s amiss.

But on Tuesday, St Jude manufacturer Abbott Laboratories sent warning letters to thousands of clients telling them that their high-tech devices have nothing to defend them against hackers. 

They also warned patients that the devices’ batteries may run down earlier than expected.

Writing in an advisory to doctors, Abbott said patients need an urgent – and life-threatening – software update to protect them from ‘nearby attackers’ that could make the device ‘stop pacing’.

To perform the update, doctors need to put the device in back-up mode. Abbott warned some patients may need to be in a clinic with temporary generators available in case there is a malfunction.


It marks the second round of updates for the heart implants that Abbott has announced since buying medical device maker St Jude Medical earlier this year.

The U.S. government launched a probe last year of claims the devices were vulnerable to potentially life-threatening hacks that could cause implanted devices to pace at potentially dangerous rates or cause them to fail by draining their batteries.

The company also identified a separate problem with lithium batteries in its heart devices last year. St. Jude recalled some of its 400,000 implanted heart devices last October due to risk of premature battery depletion, which was linked to two deaths in Europe.

The U.S. Food and Drug Administration said then that hospitals should return unused devices and warned patients with an already implanted device to seek immediate medical attention if they get a low-battery alert. 

The new update will be designed to reduce the risk of hacking. 

Writing to doctors on Tuesday, Abbott representatives said: ‘If there were a successful attack, an unauthorized individual (i.e., a nearby attacker) could gain access and issue commands to the implanted medical device through radio frequency (RF) transmission capability, and those unauthorized commands could modify device settings (e.g., stop pacing) or impact device functionality.’ 

Abbott said it will also provide doctors with an earlier warning when the batteries in the implantable cardioverter defibrillators are at risk of early depletion.

The company said there have been no reports of unauthorized access to any patient’s implanted device and that compromising the security of the devices would require a complex set of circumstances.

‘Abbott is resolving all old St Jude Medical issues,’ Abbott spokeswoman Candace Steele Flippin said on Tuesday.

The FDA said it approved the update to ensure that it addresses the cyber security vulnerabilities, and reduces the risk of patient harm.

The agency and the Department of Homeland Security confirmed in January that St Jude devices were vulnerable to hacking. But they said they knew of no cyber attacks on patients with the company’s cardiac implants.

The FDA said the benefits of continuing treatment outweighed cyber risks, and DHS said only an attacker ‘with high skill’ could exploit the vulnerability.

They launched the probe in August after short-selling firm Muddy Waters and cyber security firm MedSec Holdings said the devices were riddled with security flaws that made them vulnerable to potentially life-threatening hacks.

When Muddy Waters went public with the claims, it also disclosed it was shorting shares of St Jude Medical, which was preparing to sell itself to Abbott. The short-selling firm said it believed that disclosure of the vulnerabilities could cause the $25 billion deal to fall apart, but Abbott completed the deal in January.