IoT security concerns prompt massive pacemaker recall
Abbott Labs recall impacts six different pacemaker models
The U.S. Food and Drug Administration (FDA) issued a recall of nearly half a million pacemakers out of concern that IoT security loopholes could allow hackers to breach the internet of things (IoT) health care devices. The recall impacted six pacemaker models, Accent, Accent MRI, Accent ST, Allure, Anthem and Assurity, all of which were acquired by global healthcare company Abbott Labs from St. Jude Medical in January 2016.
These types of medical devices, embedded with configurable computer systems, enable health professionals to make adjustments to implanted technologies without resorting to invasive and dangerous medical procedures. Unfortunately, this can also allow non-health professionals, like hackers, to gain access to the pacemakers from the outside. In theory, hackers could run down the battery life in these pacemakers or even trigger irregular heartbeats. Thus far, there have been no reports of cyber intrusion among the 465,000 individuals affected by the recall.
Patients do not have to have their pacemakers physically removed. Rather, Abbott issued a firmware update to patch the security loopholes. Patients must visit their healthcare provider for the update, where a specialist will set the device to work in backup mode. The update takes about three minutes. The company said risks attached to the update are low.
“Every pacemaker manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device and those devices will not need to be updated,” St. Jude Medical Center wrote in a statement. “Based on Abbott’s consultation with U.S. Food and Drug Administration (FDA), this update is being treated as a field action; however, the devices continue to function as intended and replacement of implanted pacemaker devices is not recommended.”
Abbott was issued a warning letter by the FDA in April 2017, citing manufacturing flaws in a number of cardiovascular devices acquired through the St. Jude Medical acquisition in January for $25 billion. Once the letter was made public, Abbott’s shares went down 2% to $42.61. These concerns were fanned by an inspection of a company facility based in Sylmar, Calif., in which the FDA said Abbott did not disclose at least one death associated with one of the devices.
This marks the second update for heart implants issued by Abbott. A few days after the company finished its acquisition of St. Jude, the organization issued software updates for vulnerabilities in its Merlin@home devices. The devices transfer patient data from pacemakers and defibrillators to doctors and physicians.
Abbott isn’t the only company struggling to secure its medical devices. For example, over the course of a review of a new line of implantable cardiac defibrillators last December, British and Belgian researchers discovered security issues in 10 Implantable Cardioverter Defibrillators (ICDs) on the market.