465,000 vulnerable pacemakers recalled by US authorities

Faulty firmware in St. Jude Medical / Abbott devices means there is a risk of malicious attack

Nearly half a million pacemakers made by St. Jude Medical (now Abbott) are being recalled by the US Food and Drug Administration (FDA) after it was discovered at the beginning of this year that the devices could be hacked.

Any device sold before 28 August, when a firmware fix was made available, is vulnerable, the authorities say.

On its website the FDA explains: "The FDA has reviewed information concerning potential cyber-security vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorised user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment.

"This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing."

Users will have to visit their doctor or cardiologist in person to get the update, even though this model is equipped to take updates and downloads over-the-air (OTA). This update requires the patient to be monitored while the pacemaker is in stand-by, and users must be in a resting state equivalent to the pacemaker's 67 bpm.

Even though each update should only take about three minutes, the 465,000 devices in use mean that this is a problem on a massive scale, requiring 23,500 hours to fix.

The FDA is clear that no one has, as yet, fallen prey to the vulnerability, nor are they likely to, but it says the risk is too big to ignore.

"The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wifi, public or home Internet) may have cyber-security vulnerabilities that could be exploited by unauthorised users," the organisation adds.

"However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery."

Concerns about the possibility of hacking pacemakers are nothing new. Vice-President Dick Cheney, who served under George W. Bush, had all the remote connectivity on his unit disabled in case of a '24'-style assassination attempt.