Heart device has flaw in cybersecurity, U.S. warns
Hackers could access pacemaker, defibrillator
WASHINGTON — The Homeland Security Department has warned about an unusual cybersecurity flaw for one manufacturer’s implantable heart devices that it said could allow hackers to remotely take control of a person’s defibrillator or pacemaker.
Information on the security flaw, identified by researchers at MedSec Holdings in reports months ago, was only formally made public after the manufacturer, St. Jude Medical, made a software repair available this week.
The government advisory said security patches will be rolled out automatically over months to patients with a device transmitter at home, as long as it is plugged in and connected to the company’s network. The transmitters send heart device data back to medical professionals.
Abbott Laboratories’ St. Jude said in a statement it was not aware of deaths or injuries caused by the problem. The Food and Drug Administration also said there was no evidence patients were harmed.
The federal investigation into the problem started in August.
MedSec CEO Justine Bone said on Twitter that St. Jude’s software fix did not address all problems in the devices.
St. Jude’s devices treat dangerous irregular heart rhythms that can cause cardiac failure or arrest. Implanted under the skin of the chest, the devices electronically pace heartbeats and shock the heart back to its normal rhythm when dangerous pumping patterns are detected.
The company’s Merlin@home Transmitter electronically sends details on the device’s performance to a website where the patient’s physician can review the information. But that device can also be hacked.
The FDA’s review is ongoing, agency spokeswoman Angela Stark said. Its investigation confirmed the vulnerabilities of the home transmitter, which could potentially be hacked and used to rapidly deplete an implanted device battery, alter pacing and potentially administer inappropriate and dangerous shocks to a person’s heart.
The software patch issued by St. Jude “addresses vulnerabilities that present the greatest risk to patients,” Stark said.
Stark said the company is working to address remaining vulnerabilities quickly. She said any new cardiac devices submitted to the FDA for review that use the affected transmitter will not be cleared or approved without the software update.
St. Jude disclosed details about the problem after it merged with Abbott. The company has previously denied findings that their devices could be hacked and filed a lawsuit against Muddy Waters LLC and MedSec, alleging that they tried to manipulate the markets to profit from the vulnerability disclosures.
The revelations shed light on the pressing problems of cybersecurity in an increasingly networked world.