A Year Later: FDA approves Software Fix for Security Flaws in Pacemakers

In-brief: The FDA has approved a software update to fix security holes in pacemakers made by Abbott. But doctors and patients will have to weigh the risks of applying the patch.

The U.S. Food and Drug Administration has approved a software update for a range of pacemakers and other implantable medical devices that will fix security holes identified by the security firm MedSec, more than seven months after the vulnerabilities were disclosed.

The FDA on Tuesday published a Safety Communication saying that patients using any of six pacemaker and CRT-P (cardiac resynchronization therapy pacemaker) devices manufactured by St. Jude Medical (now Abbott) should consider applying a software update to fix the security holes, some of which could cause harm to patients.

“Patients and their health care providers (should) discuss the risks and benefits of the cybersecurity vulnerabilities and the associated firmware update designed to address such vulnerabilities at their next regularly scheduled visit,” the FDA said.

The FDA notice comes a little more than a year after MedSec and the Wall Street firm Muddy Waters Research made headlines for releasing information about flaws in implantable medical devices by St. Jude Medical, in conjunction with a report by Muddy Waters calling on investors to bet against the stock of Abbott, which had acquired St. Jude Medical.

St. Jude Medical issued a software patch in January for affected devices, but also questioned the MedSec findings, filing suit against the company. In a statement in response to the initial MedSec and Muddy Waters report, a company spokesman said the report was “absolutely untrue,” saying that there were “several layers of security measures in place” on its implantable devices.

However, in a damning report released in April, the FDA said that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or by replacing those devices.

The government found that St. Jude Medical learned of serious and exploitable security holes in the company’s “high voltage and peripheral devices” in an April 2014 third-party assessment commissioned by the company. But St. Jude Medical “failed to accurately incorporate the findings of that assessment” in subsequent risk assessments for the affected products, including Merlin@home, a home-based wireless transmitter that is used to provide remote care for patients with implanted cardiac devices, the FDA revealed. Among the security flaws: a “hardcoded universal unlock code” for the company’s implantable, high voltage devices.

Among the risks to patients who use affected devices are that unauthorized users could modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing, the FDA said.

A letter from the FDA to St. Jude Medical in April said the firm ignored warnings that its implantable medical devices and related software were vulnerable to hacking or unexpected failure.

To address these cybersecurity vulnerabilities and improve patient safety, St. Jude Medical now requires any device attempting to communicate with the implanted pacemaker to first authenticate to the Merlin Programmer and Merlin@home Transmitter.
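To make the difference between the two designs concrete, here is an added illustrative model (not Abbott's firmware or protocol, whose details the article does not describe): a device that accepts one shared "universal unlock code", beside one that requires each programmer to answer a per-device challenge before it will take a command. All keys, codes and names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for a "universal unlock code": one secret baked into every unit.
UNIVERSAL_UNLOCK_CODE = b"constructed-universal-code"


class LegacyDevice:
    """Flawed design: a single shared unlock code, no per-device identity."""
    def accept_command(self, unlock_code: bytes) -> bool:
        return hmac.compare_digest(unlock_code, UNIVERSAL_UNLOCK_CODE)


class AuthenticatedDevice:
    """Hardened design: per-device key and a fresh challenge per session."""
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending_nonce = None

    def issue_challenge(self) -> bytes:
        self._pending_nonce = secrets.token_bytes(16)  # fresh per session
        return self._pending_nonce

    def accept_command(self, response: bytes) -> bool:
        if self._pending_nonce is None:
            return False  # no outstanding challenge to answer
        expected = hmac.new(self._key, self._pending_nonce, hashlib.sha256).digest()
        self._pending_nonce = None  # nonce is single-use, so replays fail
        return hmac.compare_digest(expected, response)


def answer_challenge(programmer_key: bytes, nonce: bytes) -> bytes:
    """What a provisioned programmer sends back: an HMAC over the device's nonce."""
    return hmac.new(programmer_key, nonce, hashlib.sha256).digest()


def run_scenarios() -> dict:
    """Exercise both models and report who gets to issue commands."""
    key = secrets.token_bytes(32)          # provisioned to device and clinic
    wrong_key = secrets.token_bytes(32)    # held by an unprovisioned party
    device = AuthenticatedDevice(key)
    results = {
        # Anyone holding the shared code controls every legacy device.
        "legacy_anyone": LegacyDevice().accept_command(UNIVERSAL_UNLOCK_CODE),
        "clinic_ok": device.accept_command(answer_challenge(key, device.issue_challenge())),
        "stranger_rejected": not device.accept_command(answer_challenge(wrong_key, device.issue_challenge())),
    }
    reply = answer_challenge(key, device.issue_challenge())
    device.accept_command(reply)  # legitimate session consumes the nonce
    results["replay_rejected"] = not device.accept_command(reply)
    return results
```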

Patients will need to visit their physician’s office to obtain the firmware update, which will take 3 minutes to apply. The FDA said the risks of device malfunctions during update are low and it does not recommend that patients or physicians remove the implanted devices solely because of the security holes.

The incident raises questions about how flaws in medical devices – especially those that are implanted in patients – will be managed going forward.

In a letter to physicians, Abbott suggests they sit with patients to discuss the relative risks of applying or not applying the software update. It describes the threat as coming from a “highly complex attack,” citing the U.S. Department of Homeland Security, though security researchers at MedSec have suggested that attacks, while they might require physical proximity to the device, would not necessarily need to be highly complex.

It is unclear, however, how well qualified either physicians or patients are to weigh relative hacking risks, especially with conflicting information in the public domain.
