Aug. 31 (UPI) — The Food and Drug Administration issued an alert this week for a voluntary recall of approximately 500,000 pacemakers that are vulnerable to being hacked.
The company that makes the pacemakers, Abbott — formerly known as St. Jude — is recalling the devices “to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities,” the FDA said.
The models of pacemakers and cardiac resynchronization therapy pacemaker devices affected by the recall include the Accent, Anthem, Accent MRI, Accent ST, Assurity and the Allure.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the FDA said. “This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”
Despite the vulnerability detected, the FDA said there have been no known cases of any of these pacemakers getting hacked.
Patients who use any of the pacemakers on the list are advised to consult their physician for information on getting a firmware update in the device, which is supposed to secure against the hacking vulnerability.
The hacking of medical devices like pacemakers is a growing concern for the cybersecurity and medical community. In 2012, the Government Accountability Office advised the FDA to expand its focus on these threats.
“Medical devices may have several such vulnerabilities that make them susceptible to unintentional and intentional threats, including untested software and firmware and limited battery life,” the GAO said. “Information security risks resulting from certain threats and vulnerabilities could affect the safety and effectiveness of medical devices. These risks include unauthorized changes of device settings resulting from a lack of appropriate access controls.”