FDA issues recall of 465,000 St. Jude pacemakers to patch security holes

Heart patients will have to visit their doctors to have their pacemakers patched for the "voluntary" recall -- but there are risks.
Written by Charlie Osborne, Contributing Writer
File photo

In what may be a first, patients with heart conditions that are using particular pacemaker brands will have to visit their doctors for firmware updates to keep their embedded devices safe from tampering.

It seems such an odd concept at first, but with many kinds of pacemakers now "smarter," with connections to mobile devices and diagnostic systems, the avenue has been carved for these medical devices to potentially be tampered with, should a threat actor choose.

In particular, Abbott's pacemakers, formerly of St. Jude Medical, have been "recalled" by the US Food and Drug Administration (FDA) on a voluntary basis.

The devices must be given a firmware update to protect them against a set of critical vulnerabilities, first reported by MedSec, which could drain pacemaker battery life, allow attackers to change programmed settings, or even change the beats and rhythm of the device.

On Tuesday, the FDA issued a security advisory, warning that the pacemakers must be recalled -- and as they are embedded within the chests of their users, this requires a trip to the hospital to have the software patch applied.

Patients with a RF-enabled St. Jude pacemaker or cardiac pacemaker, as well as healthcare professionals who are using these devices presently in hospitals to treat conditions including heart failure and irregular heart rhythms must make sure a firmware update, approved by the federal agency on August 23, is applied to these devices.

The Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure models are all affected.

The FDA estimates that in total, 465,000 pacemakers in the US are impacted -- although it is not known how many may be outside the United States.

In a letter sent to doctors (downloadable .PDF), Abbott -- which acquired St. Jude Medical in 2016 -- admitted the update could not be delivered over the air and requires roughly three minutes in the presence of the patient to download and install while in backup mode.

The update is part of Merlin@home v8.2.2, but pacemakers manufactured from August 28 will already contain the security patch.

Patients are asked to contact their doctors to book themselves in for the update. However, doctors have been advised by Abbott to update only if "appropriate given the risk of update for the patient."

Unfortunately, installing the firmware update can result in a failure to update altogether, the loss of programmed settings, the loss of diagnostic data, as well as a very small risk -- 0.003 percent -- of complete functionality loss.

"The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. Wi-Fi, public or home internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users," the FDA says. "However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery."

See also: FDA one of many 'toothless dragons' with no will to tackle medical device security

There are no reports of compromised pacemakers, but the threat is enough of a risk to patient well-being and potentially life altogether to be taken very seriously. After the update is applied, devices attempting to connect to the Merlin website must be authorized via the Merlin@home Transmitter, which should hopefully be enough to prevent tampering.


    Data from pacemaker used to arrest man for arson, insurance fraud

    The device provided key evidence which stopped a man allegedly getting away with fraud after burning down his house.

    St. Jude Medical releases security patches for vulnerable cardiac devices

    It appears that hearts can be hacked, after all.

    St. Jude Medical admits new cardiac device flaws discovered, issues patch update

    The medical device maker has fixed another Merlin@home Transmitter flaw which makes them vulnerable to cyberattacks.

      Five biotech inventions the US is not ready for (in pictures)

      Editorial standards