Cybersecurity

FDA alerts on pacemaker recall for cyber flaw

This article was updated with a correction on Aug. 30.

Nearly a half million pacemaker patients could be at risk for cyberattacks thanks to a known security vulnerability, according to an alert from the Food and Drug Administration.

The FDA issued an alert Aug. 29 regarding manufacturer Abbott's recall notice affecting six pacemaker devices. The recall is for firmware updates that will "reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities," the FDA wrote in its alert.

The FDA has issued safety communications about recalls like this in the past, but this is the first to affect implanted devices, Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, told FCW.

The affected devices, which are radio-frequency enabled, are marketed by Abbott, formerly known as St. Jude Medical, under the brand names Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure. The FDA urged the 465,000 patients with the devices to talk to their health care providers to discuss the firmware update and the risks of cybersecurity vulnerabilities.

There have been no reports of patient harm due to the firmware vulnerability.

"This is going to feel significantly more disruptive to patients and physicians because of the nature of the devices," Corman said. "That's a half a million human beings who now wonder if they're in danger."

If left unpatched, an unauthorized user could "access a patient's device using commercially available equipment" and could "modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing," the FDA reported.

But Corman stressed that patients shouldn't panic about the FDA-approved firmware update from Abbott. The update, which is administered locally by the patient's physician, ensures that any attempt to communicate with the device provides proper authorization.

"The emotional response to this [vulnerability] will be much larger," he said, because "battery issues are expected, but cyber issues are a bit scarier."

Corman analyzed the FDA's data and found that just under 900 devices could be defective. Those with defective devices may have to undergo surgery. Patients are instructed to go to a physician to determine if their device is defective and update the firmware if needed. Any decision to remove the device should be made by the patient and health care provider, he said.

The updates take roughly three minutes, according to the guidance, during which time pacemakers operate in "backup mode," which regulates the heart at 67 beats-per-minute.

"This will generate serious concern. On the whole [pacemakers] improve lives and save lives," Corman said. "But if the public overreacts to this, it could set the mission [to provide innovative health care] back."

The FDA's notice comes almost exactly a year after St. Jude Medical launched a lawsuit against financial firm Muddy Waters and cybersecurity firm MedSec. St. Jude claimed in its suit that Muddy Waters profited by shorting shares of St. Jude after releasing information about alleged defects in the company's devices.

Cybersecurity experts and intelligence officials have previously warned that health care devices could be the next frontier of cyberattacks, noting that vulnerabilities in pacemakers could provide a militaristic advantage.

"If I was still in the CIA, and I learned an ISIS leader had an internet-connected pacemaker, I'd ask my guys how we could use that to get him," former CIA Deputy Director Michael Morell said.

The FDA is responsible for enforcing its regulations regarding digital and cyber hygiene. The FDA issued post-market guidance in December 2016 to address the growing cyber threats to medical devices. Suzanne Schwartz, the FDA's associate director at the Center for Devices and Radiological Health, wrote in a subsequent blog post that "cybersecurity threats are real, ever-present, and continuously changing," with hospitals more frequently coming under attack.

As for the FDA, there's more work to be done, according to Schwartz. "Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product's lifespan," she wrote. "The same innovations and features that improve health care can increase cybersecurity risks."

CORRECTION: This article was updated Aug. 30 to reflect that Abbott's recall of the pacemaker devices was voluntary and not mandated by the FDA.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at lwilliams@fcw.com, or follow her on Twitter @lalaurenista.
