U.S. warns of cybersecurity f law in heart devices
FDA: Hacking potential exists
WASHINGTON — The Homeland Security Department warned Tuesday about an unusual cybersecurity flaw for one manufacturer’s implantable heart devices that it said could allow hackers to remotely take control of a person’s defibrillator or pacemaker.
Information on the security flaw, identified by researchers at MedSec Holdings months ago, was only formally made public after the manufacturer, St. Jude Medical, made a software repair available Monday. MedSec is a cybersecurity research company that focuses on the health care industry.
The government advisory said security patches will be rolled out automatically to patients with a device transmitter at home, as long as it is plugged in and connected to the company’s network. The transmitters send heart device data back to medical professionals.
Abbott Laboratories’ St. Jude said in a statement it was not aware of deaths or injuries caused by the problem. The Food and Drug Administration also said there was no evidence patients were harmed.
The federal investigation into the problem started in August.
MedSec CEO Justine Bone said on Twitter that St. Jude’s software fix did not address all problems in the devices.
St. Jude’s devices treat dangerous irregular heart rhythms. Implanted under the skin of the chest, the devices electronically pace heartbeats and shock the heart back to its normal rhythm when dangerous pumping patterns are detected.
The company’s Merlin@home Transmitter electronically sends details on the device’s performance to a website where the patient’s physician can review the information. But that device can also be hacked.
The FDA’s review is ongoing, agency spokeswoman Angela Stark said. Its investigation confirmed the vulnerabilities of the home transmitter, which could potentially be hacked and used to rapidly deplete an implanted device battery, alter pacing and potentially administer inappropriate and dangerous shocks to a person’s heart.
The software patch issued by St. Jude “addresses vulnerabilities that present the greatest risk to patients,” Stark said.