Federal health officials have issued a recall for nearly 500,000 St. Jude pacemakers to fix cybersecurity vulnerabilities, which may allow the devices to be hacked or subject to outside interference, potentially exposing sensitive health information and placing patients with the implanted heart devices at risk of harm.
The U.S. Food and Drug Administration (FDA) announced the St. Jude pacemaker hacking fix in a notice published on August 29, after a approving a firmware update issued by Abbott, which acquired St. Jude Medical earlier this year.
The software fixes a vulnerability to cybersecurity hacking, information exploitation, and function alteration of the recalled St. Jude devices, which include implantable cardiac pacemakers and cardiac resynchronization therapy pacemakers that provide pacing for slow or irregular heart rhythms.
The devices are implanted under the skin in the upper chest area and have connecting insulated wires, known as leads, that connect to the heart to provide pacing treatments and resynchronization to treat heart failure.
The St. Jude pacemaker hacking risks were previously identified in a report released by Muddy Waters Capital LLC, which outlined how the transmittal of certain data from heart devices to physicians “lacked even the most basic security defenses” such as encryption, anti-tampering devices and anti-debugging tools, which are used by other heart device manufacturers.
Last year, after consumers began to learn about the potential security problems, a St. Jude pacemaker class action lawsuit was filed in the United States District Court Central District of California, seeking to pursue damages on behalf of all individuals who received certain devices with radiofrequency telemetry capability.
The lawsuit claims that the manufacturer failed to adequately protect patients from cybersecurity risks and exploitation of personal and confidential health information that could have been accessed from hacking into the wireless devices.
The pacemaker firmware update was approved by the FDA on August 23,to prevent unauthorized access to the devices and reduce the risk of patient harm.
Cybersecurity threats to the medical field have been a growing concern over the last few years, as vulnerabilities to healthcare organizations’ record systems and medical devices have surfaced
Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk.
The FDA recognizes the advancements in technology in the medical field and has pushed for advanced cybersecurity protections for patients as devices, associated computers, networks and programs may be vulnerable to unintended access, change or destruction due to hacking events.
Since 2013, the FDA has been actively working to address problems with cyber security in the medical field and has even called on both the public and private sectors to collectively strengthen the gap in cybersecurity infrastructure.
In January 2016, the FDA issued its second guidance to the medical field recommending medical device manufacturers to incorporate strong anti-hack programs during the design stages of new devices.
Separate from the cybersecurity risks, St. Jude pacemakers have been subject to prior recalls for battery failure problems, which federal regulators categorized as a class I medical device recall in October 2016, suggesting that the defect poses a serious and potentially life-threatening risk to more than 400,000 patients with the implanted devices.
In that recall announcement, the FDA confirmed that at least two deaths have been identified, including one in the U.S., which occurred after premature battery depletion and failed to give life-saving shocks. Another 10 patients, including 9 in the U.S., have reportedly fainted due to the same problems. Another 37 patients, including 30 in the U.S., have reported dizziness.