
Low-level hackers could easily gain access to remotely operated implantable cardiac devices, warns the Food and Drug Administration.
FDA officials warn about the implantable cardiac devices’ vulnerability to cyber attacks. According to the warning issued by the FDA, defibrillators and pacemakers, along with multiple other devices manufactured by St. Jude Medical, can be easily accessed by low-level hackers. An update was issued by the Minnesota-based medical device company on Monday, January 9th.
Several confirmed vulnerabilities refer to the hackers’ ability to remotely access the medical devices and change the heart rate, drain the battery, or administer shocks. Fortunately, authorities did not report any incidents related to these vulnerabilities, said FDA officials.
The company’s implantable cardiac devices are placed in the upper chest area, under the skin, and regulate the heart’s rhythm by administering electrical shocks through insulated wires that go into the heart’s muscle. These devices come with a transmitter, more precisely the Merlin@home transmitter, that sends data from the patient’s house, where it is installed, to their physician via the Merlin.net Patient Care Network.
St. Jude Medical acknowledged the vulnerabilities and consequently issued an update to address the issue. Furthermore, the company also intends to create a special division that will monitor the cyber security of its implantable cardiac devices.
However, it took almost four months for the company to finally admit its shortcomings. Last year, a group of experts at MedSec, a cyber security company, published a paper on the threats St. Jude Medical devices are exposed to, especially defibrillators and pacemakers. According to a MedSec expert, the manufacturer did not take immediate action to address the issue properly. Moreover, the experts say that St. Jude Medical refuted their claims and even sued the cyber security company.
“The allegations are absolutely untrue”, said CTO Phil Edeling.
At the time, he argued that the company had its own cybersecurity measures in place, claiming the company’s engineers were working closely with external experts and conducting security assessments of its products. At present, however, St. Jude Medical refuses to comment on the ongoing litigation.
Furthermore, external cyber security companies say the update St. Jude is planning to roll out sometime this year does not fully address the issue, still leaving the devices open to cyber attacks. Ultimately, experts claim that if they hadn’t gone public, St. Jude Medical most likely would never have remediated the vulnerabilities.