Over 500,000 pacemakers developed by medical device maker Abbott have been shown to contain cyber-security issues.
The Food and Drug Administration (FDA) revealed that 465,000 implanted devices in the US contain potential cyber-security issues that could cause patient harm. Abbott later told the BBC that a further 280,000 devices are affected elsewhere.
The cyber-security issues enable the devices to be potentially accessed by third-parties, allowing changes to be made to the way the pacemakers operate. The FDA states that the potential exploits ‘could result in patient harm from rapid battery depletion or administration of inappropriate pacing’.
Abbott has responded to the FDA’s concerns by developing a firmware update that includes new and additional security measures.
Robert Ford, executive vice president, Medical Devices, Abbott, said: “Connected devices are having a significant positive impact for patients and their health. To further protect our patients, Abbott has developed new firmware with additional security measures that can be installed on our pacemakers."
The company went on to state that there have been no reports of any of the devices being accessed by third-parties. The US Department of Homeland Security also advised that unauthorised access of the devices would ‘require a highly complex set of circumstances’.
The FDA has approved the update that Abbott has developed. The update requires that any device attempting to access the implanted pacemaker must have authorisation. The update is available now and takes approximately three minutes to install. Abbott states that during this time the pacemaker will operate in back-up mode, with essential features remaining available. The update requires an in-person visit to install and Abbott are telling patients that they should speak to their doctor about whether they should receive the update.
The FDA warns there is a very low risk of a malfunction occurring during the update. Problems that could occur include reloading of previous firmware version due to incomplete data, loss of currently programmed device settings, loss of diagnostic data and complete loss of device functionality.
As a precaution Abbott is recommending that patients get the update installed where temporary pacing and a pacemaker generator change are available.
Any new pacemakers developed from 28 August will already have the update installed.
Ford continued: “All industries need to be constantly vigilant against unauthorized access. This isn't a static process, which is why we're working with others in the healthcare sector to ensure we're proactively addressing common topics to further advance the security of devices and systems."