FDA, Homeland Security Issue First Ever Recall, Warnings About Flimsy Pacemaker Security
from the your-heart-attack-has-an-IP-address dept
We’ve well established that the internet of things (IoT) market is a large, stinky dumpster fire when it comes to privacy and security. But the same problems that plague your easily hacked thermostat or e-mail-password-leaking refrigerator take on a decidedly darker tone when we’re talking about your health. The health industry’s outdated IT systems are a major reason for a startling rise in ransomware attacks at many hospitals, but this same level of security and privacy apathy also extends to medical and surgical equipment — and integral medical implants like pacemakers.
After a decade of warnings about dubious pacemaker security, researchers at MedSec earlier this year discovered that a line of pacemakers manufactured by St. Jude Medical were vulnerable to attacks that could kill the owner. The researchers claimed that St. Jude had a history of doing the bare minimum to secure their products, and did little to nothing in response to previous warnings about device security. St. Jude Medical’s first response was an outright denial, followed by a lawsuit against MedSec for “trying to frighten patients and caregivers.”
Ultimately, the FDA was forced to issue its first ever warning about the security of a pacemaker earlier this year, though the agency somewhat downplayed the potentially fatal ramifications:
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”
Inappropriate, indeed. St. Jude Medical has since been acquired by Abbott Laboratories, and back in April the FDA sent a warning to Abbott that it needed to design a comprehensive plan to fix the flaw (first revealed in August of last year) within fifteen days. That was followed up with a formal, voluntary recall notice issued by the FDA regarding the impacted pacemaker, believed to be the first such warning of its kind. In its warning, the FDA urged the estimated 400,000 owners of this pacemaker model to schedule a physician appointment for a firmware update, lest they find themselves quite literally hacked.
The FDA’s alert was also joined by a warning by the Department of Homeland Security outlining the problem as such:
“The pacemaker’s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications…. The pacemakers do not restrict or limit the number of correctly formatted ‘RF wake-up’ commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life.”
Comforting. Many security experts have been quick to point out that this may be the turning point at which companies finally begin taking these sorts of problems more seriously. But the lengths it took to bring us to this point are downright comical, involving MedSec going so far as to short St. Jude stock at one point to bring necessary attention to the problem. Hopefully, the entire saga is a shot over the bow that other security-apathetic medical implant manufacturers will wisely heed.