mHealth Hacking Threat Prompts FDA to Issue Pacemaker Recall

August 31, 2017 - The U.S. Food and Drug Administration is issuing recalls for roughly 500,000 implantable pacemakers, saying the mHealth devices are susceptible to hacking.

In an Aug. 29 directive, the FDA is urging anyone with pacemakers developed by Abbott (formerly St. Jude Medical) to consult their healthcare providers about a software update. The agency said about 465,000 radio frequency-enabled Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure devices may be in danger.

“Many medical devices - including St. Jude Medical's implantable cardiac pacemakers - contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits,” the FDA announced. “As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.”

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment,” the agency added. “This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

To address the vulnerability, St. Jude created an FDA-approved firmware update for all RF-enabled pacemakers, including cardiac resynchronization pacemakers. Patients with those pacemakers are asked to visit their provider, who can download the update in about three minutes – during which time the pacemaker operates on backup power.

Federal officials have warned of increased risks to mHealth devices since 2012, when the Showtime TV series Homeland featured a storyline in which a fictional vice president’s pacemaker was hacked by terrorists. The following year, the FDA issued its first warning, and has issued several more since.

Last October, Johnson & Johnson warned users of its Animus OneTouch Ping insulin pump that the device could be reprogrammed to deliver a potentially fatal dose of insulin. It was the first known alert issued by an mHealth company to its customers.

"The probability of unauthorized access to the OneTouch Ping system is extremely low," the company said in letters sent to doctors and roughly 114,000 patients in the U.S. and Canada. "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."

In 2014, the Department of Homeland Security admitted that it was investigating potential vulnerabilities in about two dozen devices, and the FDA issued new guidance for device developers outlining what security features they should include before applying to the FDA for approval.

St Jude Medical devices came under scrutiny in early 2016, when an investment firm disclosed its concerns about security flaws in the company’s pacemakers and defibrillators.

Last December, the FDA issued its final guidance on protecting mHealth devices from hackers, in which it called on the mHealth community to build cybersecurity into their mobile health products.

“In today’s world of medical devices that are connected to a hospital’s network or even a patient’s own Internet service at home, we see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device’s performance and functionality,” Suzanne B. Schwartz, MD, MBA, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, said in a blog post.

“The best way to combat these threats is for manufacturers to consider cybersecurity throughout the total product lifecycle of a device,” she wrote. “In other words, manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.”