For the first time, a medical device has been recalled in the US for its vulnerability to hacking, with thousands of Australians also believed to be implanted with at-risk pacemakers.
About 465,000 devices are affected by the Food and Drug Administration’s unprecedented recall, which follows its investigation in February into the cybersecurity risk to cardiac implants enabled for remote monitoring.
Threats include hackers remotely draining batteries or forcing pacemakers to alter patient heart rates.
The pacemakers were produced by medical device company Abbott, formerly St Jude Medical, which has an estimated 20 per cent of the market in Australia. About 6000 Australians are estimated to be implanted with affected devices.
The company this week said it had notified clinicians of updates for its pacemakers and implantable cardioverter defibrillators (ICDs) and in a statement said replacement of the devices is not recommended.
The software updates include a battery performance alert for ICDs to provide doctors with earlier warnings of premature battery depletion. A planned update to the pacemaker firmware will add additional security protections designed to reduce the possibility of unauthorised access.
“Connected devices are having a significant positive impact for patients and their health,” Abbott executive vice president of medical devices Robert Ford said.
“To further protect our patients, Abbott has developed new firmware with additional security measures that can be installed on our pacemakers.”
According to the company, there have been no reports of unauthorised access to any patient’s implanted device.
Compromising the security of these devices would require a complex set of circumstances, security advisor at Hive Intelligence Nick Ellsmore said.
“The targeted delivery of such an attack could be the challenging part, and such an attack would require physical access to the device, or at least physical proximity to attack via Bluetooth or a similar low-range protocol,” Ellsmore told Healthcare IT News Australia.
“And a lot of testing would probably need to go into it to ensure collateral damage was minimised, but I don’t think anyone in the industry would suggest such an attack was not possible.”
In 2007, the then US vice-president Dick Cheney had his ICD modified to prevent ‘death by hacking’.
“It seemed to me to be a bad idea for the vice-president to have a device that maybe somebody on a rope line or in the next hotel room or downstairs might be able to get into, hack into,” Cheney’s cardiologist Jonathan Reiner told CBS 60 Minutes in 2013.
Cisco’s global healthcare cybersecurity expert Staynings said that while murder by medical device may seem like a far-fetched Hollywood-esque scenario right now, it is not completely outside the realm of possibility.
“Many thought leaders in the healthcare security space have been pushing for greater governance of medical devices as more and more security vulnerabilities and back doors to these devices have been discovered,” Staynings wrote yesterday.
“Many hospital systems have in excess of 350,000 medical devices, before you even start to count the implantable ones that leave with patients. Most of these devices were never designed with security in mind, and many have multiple ways in which they can be compromised by a hacker.”
Any medical device connected to a network, including MRI machines, insulin pumps and electric wheelchairs, can pose a cybersecurity risk.
In Australia in 2016 about 11375 pacemakers and 3500 ICDs were implanted.
The Therapeutic Goods Administration said it would “determine what, if any, action is required in Australia and will take into account the conclusions from the FDA investigations”.