Monday, September 11, 2017

FDA Recalls Nearly 500,000 Pacemakers Due to Fear of Their Cyber Security



Cybersecurity in healthcare is now starting to really gain some mainstream attention. I’ve been following this trend for the last 2 years or so and I’ve been waiting for an event like this to transpire. It usually takes having money involved/stolen/moved/lost or spent to bring attention to some type of hack or hackable system (BTW the term “hackable system” is an oxymoron, the shame from which I must bear as its inventor).

Now, however, we’ve seen the focus shift to the healthcare sector due to a threat on human life.  That’s right, lives are at stake due to hacking and I’m talking about one life at a time.  Obviously, things like hacking the power grid could cause loss of life, but the real and present danger of this situation is that someone could hack an implanted pacemaker, making it brick itself or increasing the heart rate to a dangerous/fatal level.

When the concept of these devices was first conceived, the prevailing thought was how convenient and safe it would be that a doctor could adjust a pacemaker in their office with no physical contact with the patient. Safe, sterile, fast seemed to make this the Holy Grail of pacemaker monitoring and communication. Unfortunately, we cannot count on human beings to do the right things. Just like the old adage of “make an idiot-proof system and they just make better idiots”, we’ve now entered the realm of “making something hackable and someone will hack it”. We thought ransomware of our data was a scourge; imagine what someone holding your pacemaker hostage would be like.

The problem I’m seeing here is that, unfortunately, this is just the tip of a very, very big healthcare IT security iceberg. There are lots of legacy systems out there right now running on Windows XP (and we all know how secure that has to be at this point). Those systems could easily be hacked and reprogrammed, bricked, etc. What happens to the patients dependent on those systems?

Lately there has been a heavy duty hue and cry over security in the Internet of Things (IoT). For those of you unaware, that term applies to things like thermostats, cameras, appliances, etc. that are connected to the Internet via WiFi. While I’ll agree that having your connected home hacked could be a major hassle, it pales in comparison to what could happen when an appliance inside your body is taken over.

Let me be sure to tell you that there is no recorded incident of someone tinkering with pacemakers, but the potential certainly exists and MUST be dealt with in this and every other medical device that is potentially subject to compromise.

If you or a loved one is dealing with this pacemaker problem, here is some good info from the FDA:


Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication




  • Patients with a radio frequency (RF)-enabled St. Jude Medical implantable pacemaker
  • Caregivers of patients with an RF-enabled St. Jude Medical implantable cardiac pacemaker
  • Cardiologists, electrophysiologists, cardiothoracic surgeons, and primary care physicians treating patients with heart failure or heart rhythm problems using an RF-enabled St. Jude Medical implantable cardiac pacemaker


Medical Specialties


Cardiac Electrophysiology, Cardiology, Cardiothoracic Surgery, Heart Failure




Abbott's (formerly St. Jude Medical's) implantable cardiac pacemakers, including cardiac resynchronization therapy pacemaker (CRT-P) devices, provide pacing for slow or irregular heart rhythms. These devices are implanted under the skin in the upper chest area and have connecting insulated wires called "leads" that go into the heart. A patient may need an implantable cardiac pacemaker if their heartbeat is too slow (bradycardia) or needs resynchronization to treat heart failure.


The devices addressed in this communication are the following St. Jude Medical pacemaker and CRT-P devices:


  • Accent
  • Anthem
  • Accent MRI
  • Accent ST
  • Assurity
  • Allure


This communication does NOT apply to any implantable cardiac defibrillators (ICDs) or to cardiac resynchronization ICDs (CRT-Ds).

For the full statement and information from the FDA, here is the link.  
