Industry Updates

Massive Pacemaker Recall Over Hacking Threat

The FDA recently issued a recall order on nearly half a million pacemakers that have serious security flaws. They could allow hackers to take control of them, run their batteries dry or even modify a patient’s heartbeat, putting their lives at risk.

The recall order impacts six different types of pacemakers, manufactured by Abbott (formerly St. Jude Medical), and include the following models:

• Allure
• Assurity
• Accent ST
• Accent MIR
• Anthem
• Accent

The FDA had this to say in a related security advisory:

“Many medical devices, including St. Jude Medical’s implantable cardiac pacemakers, contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.”

This is something we’ve seen and written about before. Too few manufacturers of “smart” devices pay any attention to security, which makes the devices they sell almost laughably easy to hack and control.

Until we begin holding equipment manufacturers to account, they have no particular incentive to incorporate more robust security features. So far, customers haven’t been insisting on changes, which makes the FDA’s more active stance a welcome change indeed.

This, taken together with the fact that the government is considering implementing minimum security standards for any device they purchase, should at least begin to make smart device equipment manufacturers take notice and start implementing more robust security.

Unfortunately, where medical equipment is concerned, it’s entirely possible that hackers could literally kill someone by taking control of a device they rely on, so this matters a great deal.

In any case, if you have one of the pacemakers mentioned above installed, or if you know someone who does, be aware that you’ll need to get it replaced, or run the risk that a hacker could take control of your continued health and well-being.