Posted 30 August 2017
By Michael Mezher
Medical device maker Abbott on Monday announced it is voluntarily recalling some 465,000 pacemakers to install a firmware update to patch cybersecurity vulnerabilities in the devices.
The recall affects six pacemaker models—Accent, Accent MRI, Accent ST, Allure, Anthem and Assurity—that Abbott acquired when it completed its purchase of St. Jude Medical last January.
Patients with the devices are being told to speak to their doctors to determine whether they should receive the update, which will require an in-person visit to install.
The vulnerabilities, which could allow an attacker to modify the devices' pacing commands or cause premature battery depletion, first came to light in a 2016 report by short-seller Muddy Waters based on research done by cybersecurity firm MedSec Holdings.
The US Food and Drug Administration (FDA) says it reviewed and approved the updated firmware, which will limit the number of commands the devices can receive wirelessly and prevent the transmission of unencrypted data.
Abbott says that new pacemakers made as of 28 August will come pre-patched with the update, and both the company and FDA say that already-implanted devices should not be physically replaced due to cybersecurity concerns.
According to Abbott, the update itself should take around three minutes, during which the devices will operate on a backup mode that keeps pacing at 67 beats per minute.
The company also says the risks of performing the update are low based on its previous experience with firmware updates. The risks, which include reloading previous firmware due to an incomplete installation, loss of currently programmed settings and loss of device functionality all occur at rates well below 1%.
But as a precaution, Abbott says that pacing dependent patients should be given the update in a facility where temporary pacing and a pacemaker generator are on hand.
This marks the second time Abbott has issued a cybersecurity-related update for its St. Jude cardiac devices. Just days after Abbott completed its acquisition of St. Jude, the company released a software update to address vulnerabilities in its Merlin@home devices, which are used to transmit patient data from the company's implantable pacemakers and defibrillators to physicians.
Both Abbott and FDA say there are no known reports of cyberattacks targeting any of the devices, and the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) says that a hacker would need to possess "high skill" to exploit the vulnerabilities.
FDA, Abbott, DHS