FDA Recalls Nearly 500K Pacemakers Found To Be Vulnerable To Cyber Hacking

Would you trust your life to a hacker? No, of course not, and neither does the US Food and Drug Administration. The FDA issued a recall of nearly half a million pacemakers after the organization discovered a vulnerability that makes several models susceptible to hacking. Once exploited, a hacker would be able to control the device's pacing and deplete the batteries.

"Many medical devices - including St. Jude Medical's implantable cardiac pacemakers—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates," the FDA warns.


So far there are no known cases of any pacemakers being hacked, though it is not inconceivable that someone would do such a thing. We are reminded of an incident back in 2008 when some jerks on the Internet descended on an epilepsy support forum and posted flashing pictures and links to pages overwhelmed with pulsating images, in an attempt to induce seizures.

The FDA estimates that around 465,000 implanted pacemakers in the US are affected. They include St. Jude Medical pacemakers and CRT-P devices from Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure. The good news for patients is that a firmware upgrade is available to address the vulnerability, meaning that corrective action can be done without removing or replacing these devices.

This represents the double-edged sword of technology, and wireless connectivity in particular. Pacemakers are devices that are installed in the upper chest area with insulated wires that go directly into the heart. This allows for the correction of irregular heartbeats that could otherwise be life threatening. Doctors use radio frequencies signals to adjust the pacemakers, but RF-enabled pacemakers do not require authentication. That leaves them vulnerable to remote hacking.

The updated firmware addresses this issue by requiring authorization when a device tries to communicate with an implanted pacemaker. In order to have the firmware updated, patients must make an in-person visit to their healthcare provider.