An FDA First: Cyber Recall for Implantable DeviceCardiac Pacemakers Require New Firmware to Fix Vulnerabilities
The Food and Drug Administration on Tuesday issued an alert about the first recall of a network-connected implantable device due to cybersecurity vulnerabilities.
See Also: Move Beyond Passwords
The agency is instructing patients with certain implantable cardiac pacemakers from St. Jude Medical - now owned by Abbott Laboratories - to visit their physicians for firmware updates to address cyber vulnerabilities that can potentially be remotely exploited by hackers and that pose safety concerns.
Approximately 465,000 such devices are in use in the U.S., an Abbott spokeswoman tells Information Security Media Group. She did not immediately have information about how many of these devices are used outside the U.S.
While the FDA has characterized the corrective action to address the vulnerabilities as a "voluntary recall" by the manufacturer, the Abbott spokeswoman stresses that neither the company nor the FDA is recommending the "prophylactic removal and replacement of affected devices." Rather, patients are being advised to have the devices' firmware updated "at their next regularly scheduled visit" to their healthcare provider, the Abbott spokeswoman says.
A related Department of Homeland Security alert also issued on Tuesday notes that vulnerabilities include the Abbott pacemaker's authentication algorithm, "which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via radio frequency communications."
The recall of the Abbot cardiac devices is "a key moment in the evolution of connected medical devices," says cybersecurity expert Joshua Corman, founder of grassroots cyber safety organization I Am the Cavalry and a member of the Department of Health and Human Services' cyber task force. That group issued a report earlier this year with recommendations about how the healthcare sector can improve cybersecurity.
Making arrangements to have nearly a half million patients in the U.S. visit their healthcare provider for the firmware update "will be a logistical nightmare," he says, despite Abbott and the FDA recommending that patients wait until their next regular appointment with physicians to do the update. Many worried patients are likely to seek appointments for the updates sooner than their regularly slated visits, he says.
And although there have been no reports of actual harm to patients due to hackers exploiting the vulnerabilities in the devices, "that number can go from zero to a lot of patients quickly" if hackers decide to launch attacks, Corman warns.
This recall is the most serious development so far related to medical device cybersecurity, Corman contends.
The recall comes in the wake of a letter that the FDA sent in April to Abbott, warning the medical device maker that it must submit a plan within 15 days to address the cybersecurity vulnerabilities that were first disclosed in August 2016 in a third-party research report.
That report, issued by short-sell investment firm Muddy Waters Capital, was based on findings by MedSec Holdings, a security research firm that reportedly has a financial arrangement with Muddy Waters.
While the Muddy Waters/MedSec report highlighted important cybersecurity issues concerning the St. Jude medical devices, the controversial manner in which the research was released - by an investment company - and its financial arrangement with "ethical hacker" MedSec, which found the vulnerabilities, drew criticism from the healthcare industry.
Typically, when independent researchers discover cybersecurity vulnerabilities in medical devices, they first notify federal agencies, including the FDA or the Department of Homeland Security, as well as the affected manufacturers before disclosing the flaws. But the FDA has confirmed that Muddy Waters did not notify the agency until after the firm publicly released its findings (see Report on Cardiac Device Cyber Vulnerabilities Fuels Debate).
The FDA alert says the recall involves implantable cardiac pacemakers, including cardiac resynchronization therapy pacemakers under the names Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure. The alert does not apply to any implantable cardiac defibrillators or to cardiac resynchronization ICDs, the FDA says.
The FDA notes that on Aug. 23, it approved the firmware update "that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott pacemakers.
"The FDA recommends that patients and their healthcare providers discuss the risks and benefits of the cybersecurity vulnerabilities and the associated firmware update designed to address such vulnerabilities at their next regularly scheduled visit."
Abbott pacemakers manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device and will not need the update, the FDA says.
The agency says the firmware update requires an in-person visit with a healthcare provider; the devices cannot be updated from home. "The update process will take approximately 3 minutes to complete. During this time, the device will operate in backup mode ... and essential, life-sustaining features will remain available. At the completion of the update, the device will return to its pre-update settings," the FDA alert states. "As with any firmware update, there is a very low risk of an update malfunction."
The FDA's alert also provides recommendations for how healthcare providers can carry out the updates.
"Determine if the update is appropriate for the given patient based on the potential benefits and risks," the FDA instructs. "If deemed appropriate, install the firmware update following the instructions on the programmer. For pacing dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator can be readily provided."
In a Tuesday statement, Abbott notes: "There have been no reports of unauthorized access to any patient's implanted device, and according to an advisory issued by the U.S. Department of Homeland Security, compromising the security of these devices would require a highly complex set of circumstances."
Abbott says it will continue to make updates and product enhancements across its devices as part of the company's "ongoing commitment to provide safe, effective and secure products" for patients.
"All industries need to be constantly vigilant against unauthorized access," said Robert Ford, Abbott's executive vice president, medical devices. "This isn't a static process, which is why we're working with others in the healthcare sector to ensure we're proactively addressing common topics to further advance the security of devices and systems."