The US Food and Drugs Administration (FDA) has issued a warning that a number of pacemakers are vulnerable to hackers, who could potentially stop the devices and kill people.
The FDA said that medical devices, specifically Merlin@home transmitters manufactured by St Jude Medical, can be infiltrated by hackers, who can send various commands to the devices to stop them or emit electrical shocks.
The transmitters are part of a home monitor system that can connect to pacemakers and other implanted cardiac devices.
‘The altered Merlin@home transmitter could be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks’
– FDA
The FDA has issued the warning to patients and caregivers as well cardiologists, electrophysiologists and cardiothoracic surgeons.
Hacking can kill
“Many medical devices – including St. Jude Medical’s implantable cardiac devices – contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates,” the FDA said in a statement.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St Jude Medical’s Merlin@home transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorised user (ie someone other than the patient’s physician) to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home transmitter.
“The altered Merlin@home transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”
The FDA said that there have been no reports of patient harm related to these vulnerabilities so far.
For its part, St Jude Medical pointed out that all medical devices using remote monitoring run the risk of a potential cybersecurity attack and that no incidents have occurred related to one of their devices.
It said that it has made several software updates in the last three years to the Merlin@home transmitter alone.
“We’ve partnered with agencies such as the US Food and Drug Administration and the US Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team unit, and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice-president and chief technology officer at St Jude Medical.