Having discovered that pacemakers could be hacked, the US Food and Drug Administration (FDA) is recalling nearly half-a-million devices from St Jude Medical (now Abbotts). The vulnerable firmware covers any device sold before 28th August. This is the first time a fix has been available.
The FDA warning explained: "The FDA has reviewed information concerning potential cyber security vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorised user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment.
"This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing."
Cesare Garlati, Chief Security Strategist at the prpl Foundation, made the following comment: "With IoT, the main cause for concern is security. IoT has developed rapidly and is now being used in all facets of life, which is why improvements in security need to be made now, especially when human lives depend on the IoT medical devices for survival. Failure to do so will lead to catastrophic results.
"Healthcare organisations need to ensure that security requirements are being met in the technology used. To help manufactures and developers, the prpl Foundation has provided guidance on how to create a securer Internet of Things. This involves manufacturers to adopt a hardware-led approach that sees security embedded from the ground up. By following these steps, we can become more efficient, secure which will reduce the potential damage in the future."
Jackson Shaw, Senior Director of product management at One Identity: "I highly encourage our government to get on with debating and passing the IoT Cyber security Improvement Act of 2017. This legislation requires vendors of Internet-connected devices purchased by the federal government make sure the devices can be patched when security updates are available; that the devices do not use hard-coded passwords; and that vendors ensure the devices are tested for vulnerabilities before they ship. This, in my opinion, will be a good first step towards better IoT security for all of us.
"While this legislation only covers devices sold to the federal government, my hope is that we will see state governments, hospitals and others require compliance to the act. In the meantime, it’s important that we all remember that cyber security is all of our responsibilities – ask questions of your vendors regarding how they are handling vulnerability testing, cyber security and how they will respond to vulnerabilities when are discovered."
In order to get the update users will have to visit their doctor or cardiologist in person, despite the model being equipped to take updates and downloads over-the-air (OTA). This update requires the patient to be monitored while the pacemaker is in standby - users must be in a resting state equivalent to the pacemaker's 67 BPM. Even though each update should only take about three minutes, the 465,000 devices in use mean that this is a problem on a massive scale, requiring 23,500 hours to fix. The FDA promises that no one has, as yet, fallen prey to the vulnerability, nor are they likely to, but the risk is too big to ignore.