Cyber security has been front and center in the news a lot lately. Hackers have gripped entire hospital networks and shut down companies. The threat of an unpatched device or network falling prey to hackers is very real. This is why the Food and Drug Administration has recalled numerous pacemakers.
The pacemakers that have been recalled by the FDA have not been updated. The lack of software update in these medical devices means that hackers could, potentially, drain pacemaker batteries. There are thousands of people in the US alone that have pacemakers - an attack could wipe out a massive section of the population.
The Recalled Pacemakers
The pacemakers in question are all manufactured by the medical company Abbott. All of the pacemakers have the St. Jude brand as well. Removing all of those pacemakers would be costly and risky - some patients that have pacemakers would not be able to withstand the procedure. So the best course of action is a firmware update.
Medical staff has been instructed how to update firmware for the impacted pacemakers. So far there have been no security threats made, but the FDA is being cautious in light of recent cyber attacks.
The Department of Homeland Security has also issued a statement asking people that do have a St. Jude pacemaker to speak with their medical care providers about the potential risks of removing a pacemaker, of the firmware update, and of not updating the firmware at all.
The need to update firmware was discovered by the cybersecurity firm MedSec. This is the second firmware update to St. Jude pacemakers by MedSec. The firm specializes in discovering medical software vulnerabilities. Abbott has hired MedSec to find these vulnerabilities, which is why the pacemakers have already been updated twice.
As with any firmware update, there is the possibility of problems occurring when the updates are issues. However, it is safe to say that a hacker attack would be far more detrimental to the safety of pacemaker patients than the potential shortcomings of a firmware update - which would be done under supervision.
If you have a St. Jude pacemaker installed, it’s important that you speak to your doctor. Again, MedSec has not had any threats to these pacemakers, but firmware that is not updated is vulnerable to cyber threats. Working with MedSec has been a controversial choice for Abbott, but the company has decided that regular and continuous updates is safer than none - and they aren’t necessarily wrong.
The best possibly way to secure any software is to make sure that it is regularly updated. Software that is not updated is vulnerable. In this case, pacemakers that fall into the wrong hacker hands can be a matter of life and death. Other medical manufacturers would do well to follow suit, but, for now, MedSec only works with select companies finding and targeting potential medical cyberthreats.
To date, hackers have not attacked any medical devices such as pacemakers. However, this does not mean that these types of attacks will not happen in the near future.