
FDA Approves Firmware Fix for St Jude Pacemakers

The US Food and Drug Administration (FDA) has approved new firmware from Abbott Laboratories designed to fix vulnerabilities in its St Jude cardiac pacemakers which could allow hackers to deplete the device battery.

Abbott-owned St Jude Medical was at the centre of a legal storm last year after suing security firm MedSec and short seller Muddy Waters for publishing what it claimed to be false information about bugs in its equipment.

It argued this strategy helped them make money off the stock market when shares in St Jude inevitably fell on the news.

However, since then the firm has been forced to address some of the issues highlighted by MedSec by releasing security fixes for some products, as it did in January.

Now the FDA has approved another fix for St Jude RF-enabled implantable cardiac pacemakers, which number 465,000 in the US.

It explained:

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

Users will need an in-patient update with their healthcare provider, taking just three minutes.

However, the FDA warned of a very small risk of update failure, which could result in: reloading of the previous firmware version; loss of programmed settings; loss of diagnostic data; or complete loss of device functionality.

The agency warned that any medical device connected to a communications network could theoretically be exploited by unauthorized users, and urged prompt reporting of “adverse events”.
