In what some researchers and consultants term one of the most bizarre instances to date involving healthcare cybercrime, St. Jude Medical is recalling nearly 500,000 pacemakers over fears of the devices being hacked or breached.
St. Jude, a medical device maker that’s a business unit of Abbott Laboratories, followed an advisory order issued by the Food and Drug Administration to send letters to about 465,000 patients who have a certain type of St. Jude pacemaker. Specifically, the voluntary recall issued late last week affects 465,000 radio frequency-enabled implantable pacemakers and covers various models such as the Allure, Accent, Anthem, Accent MRI, Accent ST and Assurity.
The recall requires patients to schedule an appointment with their healthcare provider or cardiologist and submit to a three-minute procedure for a software security update to the pacemaker.
Implantable cardiac pacemakers, including cardiac resynchronization therapy pacemaker (CRT-P) devices, provide pacing for slow or irregular heart rhythms. The devices are implanted under the skin in the upper chest area and have connecting insulated wires called “leads” that go into the heart. A patient may need an implantable cardiac pacemaker if his heartbeat is too slow or needs resynchronization to treat heart failure.
Many pacemakers today are equipped with radio-frequency identification, which uses radio waves to read and capture information stored on a tag attached to an object—in this case a medical device. The use of wireless pacemakers helps doctors and other providers better capture heart-rate data and other metrics that can be stored and analyzed in the patient’s electronic health record.
Modern-day wireless pacemakers can be subject to a range of cybersecurity and data breach problems. “Any medical devices, including St. Jude Medical’s implantable cardiac pacemakers, contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits,” the FDA says. “As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.”
In some cases that read like the plot to a spy novel or a murder mystery, a cybercriminal might be able to access a wireless pacemaker to cause the patient to have an irregular heartbeat and suffer a heart attack or even die, say healthcare security experts. But in more likely instances, cybercriminals could access a wireless pacemaker to gain unauthorized access to a person’s electronic medical records or to an entire healthcare database or computer system.
“There’s a wide range of problems hacking into a wireless pacemaker creates,” says Doug Pollack, chief strategy officer at ID Experts, a provider of data breach response services and identity protection software. “But the biggest problem is just how vulnerable the healthcare system is from all kinds of unprotected or under-protected mobile devices that can range from the smartphones and tablets doctors and nurses use to wireless medical devices.”
Abbott, which acquired St. Jude Medical in a deal valued at $25 billion in January, last week notified physicians of planned updates to its implantable pacemakers and defibrillators, including a security patch and a battery performance alert that gives physicians earlier warning of the low risk of premature battery depletion. “Connected devices are having a significant positive impact for patients and their health,” says Robert Ford, Abbott executive vice president, medical devices. “To further protect our patients, Abbott has developed new firmware with additional security measures that can be installed on our pacemakers.”
Abbott and the FDA say they are unaware of any data breaches thus far for wireless pacemakers. But for medical device-makers, better encryption and other preventive measures need to be included in the design phase of the pacemaker—and not later down the line.
“Hacks and data breaches for devices such as wireless pacemakers is not a new problem,” says Ben Goodman, president of 4A Security & Compliance, which provides security risk assessment, vulnerability assessment, penetration testing, open-source reconnaissance and threat analysis for healthcare companies, among others. “Security testing was not an integral part of the design before and now it needs to be.”