The Food and Drug Administration is alerting people to a voluntary recall of 465,000 pacemakers after security vulnerabilities were discovered that could let hackers reprogram the devices, potentially putting patient lives at risk.
Several devices from Abbott (formerly known as St. Jude Medical), including the Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure, are included in the recall, which the FDA says is intended as a “corrective action.”
The good news: If you’re affected by the recall, you won’t have to have the pacemaker removed and replaced. (In fact, the FDA recommends against that.) Officials say the vulnerability can be fixed with an upgrade to the device’s firmware, something that takes just three minutes or so to complete. (While the system is updating, the device will work in backup mode, ensuring its essential features remain in operation.)
The FDA says there have been no known reports of patients being harmed by the vulnerability to date. The recall does not apply to any implantable cardiac defibrillators (ICDs) or cardiac resynchronization ICDs.
White hat hackers have previously pointed out the risks with connected medical devices. In its announcement, the FDA noted that this vulnerability could allow third parties to rapidly drain the pacemaker’s battery or adjust the operation of the device.
“The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” the organization said. “However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery.”
Abbott, in a statement, said it is focused on ensuring any vulnerabilities are swiftly addressed.
“As we’ve said before, Abbott is resolving all old St. Jude Medical issues,” the company said. “These planned updates further strengthen the security and device management tools for our connected cardiac rhythm management devices. The cybersecurity landscape is always changing, which is why we’re working across the healthcare sector to proactively address issues that affect all connected technologies.”
Editor’s note: This post has been updated to indicate that the recall is voluntary.