The Food and Drug Administration on Tuesday issued an alert about the first recall of a network-connected implantable device due to cyber security vulnerabilities.
The agency is instructing patients with certain implantable cardiac pacemakers from St. Jude Medical – now owned by Abbott Laboratories – to visit their physicians for firmware updates to address cyber vulnerabilities that can potentially be remotely exploited by hackers and that pose safety concerns.
Approximately 465,000 such devices are in use in the U.S., an Abbott spokeswoman tells Information Security Media Group. She did not immediately have information about how many of these devices are used outside the U.S.
While the FDA has characterized the corrective action to address the vulnerabilities as a “voluntary recall” by the manufacturer, the Abbott spokeswoman stresses that neither the company nor the FDA is recommending the “prophylactic removal and replacement of affected devices.” Rather, patients are being advised to have the devices’ firmware updated “at their next regularly scheduled visit” to their healthcare provider, the Abbott spokeswoman says.
A related Department of Homeland Security alert also issued on Tuesday notes that the vulnerabilities include the Abbott pacemaker’s authentication algorithm, “which involves an authentication key and time stamp,” and which “can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via radio frequency communications.”
The recall of the Abbott cardiac devices is “a key moment in the evolution of connected medical devices,” says cyber security expert Joshua Corman, founder of grassroots cyber safety organization I Am the Cavalry and a member of the Department of Health and Human Services’ cyber task force. That group issued a report earlier this year with recommendations about how the healthcare sector can improve cyber security.
Making arrangements to have nearly a half million patients in the U.S. visit their healthcare provider for the firmware update “will be a logistical nightmare,” he says, despite Abbott and the FDA recommending that patients wait until their next regular appointment with physicians to do the update. Many worried patients are likely to seek appointments for the updates sooner than their regularly slated visits, he says.
And although there have been no reports of actual harm to patients due to hackers exploiting the vulnerabilities in the devices, “that number can go from zero to a lot of patients quickly” if hackers decide to launch attacks, Corman warns.
This recall is the most serious development so far related to medical device cyber security, Corman contends.
The FDA alert says the recall involves implantable cardiac pacemakers, including cardiac resynchronization therapy pacemakers under the names Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure. The alert does not apply to any implantable cardiac defibrillators or to cardiac resynchronization ICDs, the FDA says.
The FDA notes that on Aug. 23, it approved the firmware update “that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cyber security vulnerabilities for certain Abbott pacemakers.”