The Homeland Security Department issued a warning on Tuesday about a cyber security flaw for heart implant devices that could allow hackers to take control of a person’s defibrillator or pacemaker.
The security flaw was detected months ago by researchers at MedSec Holdings but was only recently made public after the manufacturer, St. Jude Medical, made a software update available earlier this week.
Security updates will be rolled out automatically over the next months to patients who hook up their device transmitters at home and connect to the company’s network. The transmitters send heart device data back to doctors.
Both the Food and Drug Administration and Abbott Laboratories’ St. Jude said there was no evidence patients were harmed due to the cybersecurity flaw.
The devices are used to treat dangerous heart conditions that could lead to cardiac arrest or failure. Implanted just beneath the skin on the chest, the devices pace heartbeats and shock the heart back to its normal rhythm if irregular pumping patterns are detected. Then, the Merlin@home Transmitter electronically sends information to a website where physicians can review their patient’s information. However, the transmitter device is also vulnerable to hacking.
The FDA’s review is ongoing. If the home transmitter were to be hacked, the implant’s battery could be quickly drained, change heart pacing, and possible administer dangerous shocks to a person’s heart.
The latest software updates address those vulnerabilities, but the company is still working to quickly fix other potential cyber security patches. A spokesperson for the FDA said that the agency is working on approving new devices but will not approve any without the software update.
This cybersecurity vulnerability highlights the increasing dangers of hacking and their potentially devastating impact.
Matthew Green, an assistant professor for Computer Science at Johns Hopkins University, was hired by Muddy Waters to help validate the MedSec findings after St. Jude filed its lawsuit. “Your average patient isn’t going to be targeted by assassins,” said Green. “An attack on this level is low-probability but very high-impact…probably the most impactful vulnerability I’ve ever seen.”
Green also explained that many of the more severe vulnerabilities that have been identified in the devices have not yet been fixed, but the latest software would at least make the home system a bit more secure.
The FDA urged manufacturers to update their devices and software from at least 2013. Currently, the FDA does not review a majority of the cyber security updates made to the devices but rather under their own rules intended to streamline medical device upgrades.