The pacemakers in question were manufactured by Abbott Laboratories. The devices are all radio-controlled, which means a hacker could potentially access the network that the pacemakers interface with to change their settings or even stop them entirely. That could prove fatal.
Yes, hackers can now literally stop your robot heart with their smartphone. Yes, we are living in a cyberpunk dystopia.
"As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities," read the FDA statement accompanying the recall.
There have been "no known reports of patient harm related to the cybersecurity vulnerabilities," the FDA added.
"The pacemaker devices to which this update applies include the RF telemetry versions of the following devices in the US: Accent SR RF™, Accent MRI™, Assurity™, Assurity MRI™, Accent DR RF™, Anthem RF™, Allure RF™, Allure Quadra RF™, and Quadra Allure MP RF™," read the St. Jude Medical website. St. Jude has been owned by Abbott Laboratories since January 2017.
"As we've said before, Abbott is resolving all old St. Jude Medical issues," they added. "These planned updates further strengthen the security and device management tools for our connected cardiac rhythm management devices. The cybersecurity landscape is always changing, which is why we're working across the healthcare sector to proactively address issues that affect all connected technologies."
Abbott did not use the term 'recall,' preferring instead "firmware update." They intend to install a cybersecurity patch that will close this vulnerability. Those with one of the affected pacemakers already installed in their chests won't need them replaced: they just need to go to the hospital for a three-minute firmware update.
In 2016, research group Muddy Waters wrote that St. Jude pacemakers might be vulnerable to hacking, calling the medical device company's "apparent lack of device security is egregious, and in our view, likely a product of years of neglect."
In May 2017, medical device security consultancy WhiteScope extended that warning to the other three major manufacturers of pacemakers.
"The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wi-fi, public or home internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users," the federal agency wrote. "However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery."