Half a million pacemakers need a security patch [source: nakedsecurity]
by CIRT Team
The US Food and Drug Administration (FDA) last month approved a firmware patch for pacemakers made by Abbott (formerly St Jude Medical) that are vulnerable to cybersecurity attacks and at risk of sudden battery loss.
Some 465,000 patients are affected. The FDA is recommending that all eligible patients get the firmware update “at their next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician.”
Pacemakers are small devices used to help treat irregular heartbeats. The cybersecurity vulnerabilities were found in Abbott’s radio frequency- (RF-) enabled implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds).
The issues with St Jude Medical’s devices have been playing out for a while. In September 2016, the company sued Internet of Things (IoT) security firm MedSec for defamation after it published what St Jude said was bogus information about bugs in its equipment.
In January 2017, five months after the FDA and the Department of Homeland Security (DHS) launched probes into claims that St Jude Medical’s pacemakers and cardiac monitoring technology were vulnerable to potentially life-threatening hacks, security consultants at Bishop Fox confirmed the validity of MedSec’s findings. St Jude Medical begrudgingly stopped fighting and litigating and issued security fixes.
The January updates were for the Merlin remote monitoring system, which is used with implantable pacemakers and defibrillator devices.