The United States Food and Drug Administration (FDA) is recalling 465,000 pacemakers – the devices that assist in regulating heart beat functions – after discovering their lax cyber security could be circumvented and vulnerabilities could be exposed to run the batteries down or even alter the patient’s heartbeat.
Six models of the devices, manufactured by Abbott (formerly known as St. Jude Medical), were included in the recall which the FDA claims is intended as a “corrective action.” Officials say people affected by the recall will not require to have the pacemaker removed and replaced, but rather they can fix the vulnerability with an upgrade to the device’s firmware, which will take approximately three minutes to complete.
The FDA and cyber security experts around the globe stress that “as medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity weaknesses.”
Concerns about the safety of medical devices and the security of healthcare facilities are far from new, as demonstrated by the increase of cyber-attacks on hospitals in the previous years. In April 2016, the FBI published a ransomware explainer that mentioned recent attacks on United States hospitals, along with school districts, state and local governments, and law enforcement agencies.
Former hacker and security expert Barnaby Jack demonstrated in 2012 that pacemakers could be reverse engineered to release a series of 830 volt shocks. Thankfully, he did not release a video demonstration of the feat, however, his findings were viewed as instrumental to an increase in information security implementations by the FDA.
Although Abbott released a statement trivializing the risk of hacking as “extremely low,” the existence of possible means to circumvent a medical devices security stress the urge for the strengthening of cyber security worldwide.
The interconnectivity of networks allows medical records, financial documents, life-saving technology, etc. to be easy targets for hackers. Medical facilities provide care for the vulnerable, and in that endeavor, laziness and cutting corners will never suffice. Healthcare providers planning to converge at the CyberHub Summit in Atlanta will discuss the newest technology and strategies in an effort to protect critical medical technology.