FDA alerts on pacemaker recall for cyber flaw

Nearly 500,000 patients with pacemakers manufactured by Abbott, formerly St. Jude Medical, are potentially affected by a security recall.


This article was updated with a correction on Aug. 30.

Nearly a half million pacemaker patients could be at risk for cyberattacks thanks to a known security vulnerability, according to an alert from the Food and Drug Administration.

The FDA issued an alert Aug. 29 regarding manufacturer Abbott's recall notice affecting six pacemaker devices. The recall is for firmware updates that will "reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities," the FDA wrote in its alert.

The FDA has issued safety communications about recalls like this in the past, but this is the first to affect implanted devices, Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, told FCW.

The affected devices, which are radio-frequency enabled, are marketed by Abbott, formerly known as St. Jude Medical, under the brand names Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure. The FDA urged the 465,000 patients with the devices to talk to their health care providers to discuss the firmware update and the risks of cybersecurity vulnerabilities.

There have been no reports of patient harm due to the firmware vulnerability.

"This is going to feel significantly more disruptive to patients and physicians because of the nature of the devices," Corman said. "That's a half a million human beings who now wonder if they're in danger."

If the vulnerability is left unpatched, an unauthorized user could "access a patient's device using commercially available equipment" and could "modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing," the FDA reported.

But Corman stressed that patients shouldn't panic about the FDA-approved firmware update from Abbott. The update, which is administered locally by the patient's physician, requires proper authorization for any attempt to communicate with the device.

"The emotional response to this [vulnerability] will be much larger," he said, because "battery issues are expected, but cyber issues are a bit scarier."

Corman analyzed the FDA's data and found that just under 900 devices could be defective. Those with defective devices may have to undergo surgery. Patients are instructed to go to a physician to determine if their device is defective and update the firmware if needed. Any decision to remove the device should be made by the patient and health care provider, he said.

The updates take roughly three minutes, according to the guidance, during which time pacemakers operate in "backup mode," which regulates the heart at 67 beats per minute.

"This will generate serious concern. On the whole [pacemakers] improve lives and save lives," Corman said. "But if the public overreacts to this, it could set the mission [to provide innovative health care] back."

The FDA's notice comes almost exactly a year after St. Jude Medical launched a lawsuit against financial firm Muddy Waters and cybersecurity firm MedSec. St. Jude claimed in its suit that Muddy Waters profited by shorting shares of St. Jude after releasing information about alleged defects in the company's devices.

Cybersecurity experts and intelligence officials have previously warned that health care devices could be the next frontier of cyberattacks, noting that vulnerabilities in pacemakers could provide a military advantage.

"If I was still in the CIA, and I learned an ISIS leader had an internet-connected pacemaker, I'd ask my guys how we could use that to get him," former CIA Deputy Director Michael Morell said.

The FDA is responsible for enforcing its regulations regarding digital and cyber hygiene. The FDA issued post-market guidance in December 2016 to address the growing cyber threats to medical devices. Suzanne Schwartz, the FDA's associate director at the Center for Devices and Radiological Health, wrote in a subsequent blog post that "cybersecurity threats are real, ever-present, and continuously changing," with hospitals more frequently coming under attack.

As for the FDA, there's more work to be done, according to Schwartz. "Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product's lifespan," she wrote. "The same innovations and features that improve health care can increase cybersecurity risks."

CORRECTION: This article was updated Aug. 30 to reflect that Abbott's recall of the pacemaker devices was voluntary and not mandated by the FDA.