FDA confirms: Hacking a pacemaker only requires commercially available equipment

By: Giselle C. Matlis, Research Assistant

On August 29, 2017, the FDA published a Safety Communication, Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers, in which it announced that it had reviewed information concerning potential cybersecurity vulnerabilities associated with implantable cardiac pacemakers.

In its Safety Communication, the FDA confirmed that, if exploited, these vulnerabilities could allow an unauthorized user with commercially available equipment to access a patient’s device and could be used to modify programming commands to the implanted pacemaker. This could result in patient harm from rapid battery depletion or administration of inappropriate pacing. At this point, there has been no known patient harm; however, the FDA has approved a firmware update that addresses these cybersecurity vulnerabilities and reduces the risk of exploitation and subsequent patient harm.

In fact, former Vice President Dick Cheney discussed his fears that terrorists could hack into his pacemaker, a fear he saw come to life while watching an episode of “Homeland.” Indeed, when doctors implanted Cheney’s pacemaker in 2007, they disabled the wireless feature out of fear that someone could manipulate it and disrupt his heartbeat.

The FDA has been warning about cybersecurity on medical devices for over a decade. As Eric Luyer stated in his March 2017 article, “the time to implement a proactive, comprehensive risk management program to eliminate cybersecurity threats is now.”

Cybersecurity of connected medical devices must be a key step in the design process. Medical device manufacturers must be proactive instead of reactive to cybersecurity concerns when developing new products.
