A security flaw has prompted the FDA to issue a voluntary recall of 465,000 pacemakers. The flaw, in the device firmware, can render the pacemaker controllable by outside devices, which could be used maliciously to interrupt heart rhythm or to quickly deplete the battery.
The FDA’s recall affects St. Jude Medical pacemakers and cardiac resynchronization therapy pacemaker (CRT-P) devices. The Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure models are all affected. The FDA does not specify how the devices are vulnerable but notes that “After installing this update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so. The Merlin Programmer and Merlin@home Transmitter will provide such authorization,” indicating a problem with authentication of commands.
However, pacemakers are embedded in the patient’s chest, so they cannot be easily replaced or removed. The FDA’s remedy is for the patient to visit their doctor for a firmware update. The FDA notes that this update will take “approximately 3 minutes to complete”.
However, the update is not without risk. The announcement notes:
As with any firmware update, there is a very low risk of an update malfunction. Based on St. Jude Medical’s previous firmware update experience, installing the updated firmware could potentially result in the following malfunctions (including the rate of occurrence previously observed):
- reloading of previous firmware version due to incomplete update (0.161 percent),
- loss of currently programmed device settings (0.023 percent),
- loss of diagnostic data (none reported), or
- complete loss of device functionality (0.003 percent).
As of now, Abbott has not reported any successful exploitation of the vulnerability. Affected patients are advised to schedule an appointment with their provider to determine whether the update should be made given the known risks. The updates have been available to physicians as of August 29.
The heading picture is licensed under the Attribution-ShareAlike 3.0 Unported license (CC BY-SA 3.0). Credit to author Stevenfruitsmaak at the English language Wikipedia. The image was resized and cropped for publication.