Abbott has released a software security update to protect its cardiac pacemakers from hacking. The firmware update is intended to fix a cybersecurity weakness that allowed hackers to affect the battery life and pacing of 465,000 devices implanted in patients in the U.S.
The FDA signed off on the update last week, clearing healthcare providers to start moving their patients over to the new firmware. Patients will need to visit their doctors to receive the update, which is delivered by holding a wand over the site of the implant. Based on the failure rate of previous firmware updates, Abbott thinks there is a less than 0.03% chance of the device losing its settings or functionality.
Abbott and the FDA are advising doctors and patients to discuss these risks and the cybersecurity dangers the patch addresses at their next scheduled visit. In some cases, the risks may necessitate the performance of the procedure at a facility with a temporary pacemaker generator. Neither organization recommends the prophylactic removal of the devices.
Patients with unpatched devices are vulnerable to hacking. The FDA has reviewed information that suggests hackers could use commercially-available equipment to gain access to a patient’s device. Once the hacker has control, they can rapidly deplete the battery or alter the pacing, putting the health of patients who rely on their pacemakers at risk.
“To address these cybersecurity vulnerabilities and improve patient safety, [Abbott subsidiary] St. Jude Medical has developed and validated this firmware update as a corrective action for all of their RF-enabled pacemaker devices. The FDA has approved St. Jude Medical's firmware update to ensure that it addresses these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm,” the FDA wrote.
Abbott’s update tries to close off the vulnerability by requiring devices to provide authorization to communicate with implanted pacemakers. The Merlin Programmer and Merlin@home Transmitter will provide the authorization.
The patch comes eight months after Abbott released an update intended to fix a vulnerability with the device now providing pacemaker authorization, namely Merlin@home Transmitter. This home monitor wirelessly reads and shares data stored on implanted cardiac devices. And the pre-patch monitor provided hackers with a different way to achieve the same outcomes that necessitated the latest update, namely rapid battery depletion and inappropriate pacing.
The FDA criticized the process St. Jude, now part of Abbott, followed when it made the fixes to its Merlin@home products. St. Jude patched the products after short-seller Muddy Waters Capital outlined the vulnerability in a report. But, as the FDA saw it, the device maker failed to follow its corrective and preventive action (CAPA) procedures and ensure all vulnerabilities were closed off.
“Your firm did not confirm all required corrective and preventive actions were completed, including a full root cause investigation and the identification of actions to correct and prevent recurrence of potential cybersecurity vulnerabilities, as required by your CAPA procedures”, the FDA wrote in its warning letter.
Now, 12 months after Muddy Waters published the report, Abbott has identified and fixed another cybersecurity vulnerability. All devices made from August 28 will come with the updated firmware.