Federal regulators said Monday that scores of pacemakers and implantable heart defibrillators made by St. Jude Medical are vulnerable to computer hacking, but a security patch is ready to address the problem.
On Monday, the U.S. Food and Drug Administration published a public safety notice confirming it is possible for a hacker to remotely compromise security in St. Jude's wireless communication network and then secretly change commands in a pacemaker or implantable defibrillator while it's still wired to a patient's heart.
The potential for such attacks was first alleged by an investment firm last August. Such an attack could cause a lifesaving device to rapidly deplete its battery or give inappropriate electric shocks. However, federal officials stress there has never been a documented case of a cyberattack intended to harm a patient.
"As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates," the FDA's Monday safety alert says.
Cybersecurity researchers with the FDA and the Department of Homeland Security confirmed the vulnerabilities less than a week after St. Jude Medical was acquired by Illinois' Abbott Laboratories in a $23 billion deal. Abbott's announcement of the software patch was published under the old St. Jude logo.
"We've partnered with agencies such as the U.S. Food and Drug Administration and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team unit and are continuously reassessing and updating our devices and systems, as appropriate," said a statement from Phil Ebeling, the St. Jude executive who became chief technology officer for Abbott's cardiovascular-device business.
The investment firm that first publicized cybersecurity problems with St. Jude devices last August took a victory lap of sorts in public statements but also expressed skepticism about St. Jude's new software update.
The FDA announcement "reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities," said Carson Block, founder of financial research and trading firm Muddy Waters, which revealed the problems. "Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants."