FDA approves patch for cyber vulnerability in cardiac pacemakers of 465,000 patients


Up to 465,000 implantable cardiac pacemakers containing a cybersecurity vulnerability, manufactured by health company Abbott (formerly St. Jude Medical), are finally set to receive a firmware patch approved by the US Food & Drug Administration (FDA).

The FDA has completed its review of Abbott’s radio frequency (RF) enabled implantable cardiac pacemakers and confirmed that, if exploited, the vulnerabilities could allow hackers to access a patient’s device. With access to the device, any hacker with malicious intent could potentially cause harm to patients from “rapid battery depletion or administration of inappropriate pacing.”

The news comes a full year after hedge fund Muddy Waters Research revealed the flaws in the medical devices to the media in August 2016.

At present, there have been no reports of patient harm due to the vulnerability in these devices, all of which are in the US. Nevertheless, as of August 23, Abbott has issued an FDA-approved firmware update as what it calls a ‘corrective action’ for all of its RF-enabled pacemaker devices, including cardiac resynchronization pacemakers.


FDA approves firmware update

In a statement, the FDA confirmed that the firmware update addresses the vulnerabilities it identified, meaning that any risk of exploitation and patient harm is reduced. The FDA added that, after installing this update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so.

The update will apparently be available from August 29 for devices manufactured prior to August 28. Any device made thereafter will have the update pre-loaded.

The FDA has said that patients must discuss this update with their healthcare provider at their next visit, as the firmware update requires an in-person visit. Supposedly, the update will take three minutes to complete, during which the device will operate in back-up mode (pacing at 67 beats per minute), and essential, life-sustaining features will remain available. Abbott assures patients that there is “a very low risk” of malfunction during the update.


Further concerns

In a press release, Abbott says that it is also releasing a Battery Performance Alert for its implantable cardioverter defibrillators (ICDs) that gives physicians earlier warning of the low-risk potential for premature battery depletion. This is to address issues in ICD and cardiac resynchronization therapy defibrillator (CRT-D) devices, manufactured between January 2010 and May 2015, which could potentially experience premature battery depletion.

Robert Ford, executive vice president of medical devices at Abbott, said: “Connected devices are having a significant positive impact for patients and their health. To further protect our patients, Abbott has developed new firmware with additional security measures that can be installed on our pacemakers.”

“All industries need to be constantly vigilant against unauthorized access,” Ford added. “This isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”

