The US FDA (Food and Drug Administration) has issued a safety notice warning the public about dangerous IoT pacemakers that can get hacked and kill patients.
FDA Warns of Dangerous IoT Pacemakers That Can Kill Patients
The United States Food and Drug Administration (FDA) has published a notice warning that a large number of pacemakers are vulnerable to hacking attacks. If a device is compromised, criminals could potentially kill the patient.
The FDA is aware that Merlin@home transmitters manufactured by St. Jude Medical contain security vulnerabilities. Criminals can send arbitrary commands to the device, including commands that deliver shocks to the patient. This is possible because the devices use a wireless RF signal to connect to the home monitors or the hospital’s medical systems. The IoT pacemakers transmit data about cardiac activity and upload it to the Merlin.net Patient Care Network, where it can also be viewed.
Fortunately no attacks have been reported and a security fix has been issued. The patch has been available since yesterday (January 9) and it is automatically applied to any transmitters that are connected to the Merlin.net patient network.
Here is an excerpt of the security warning:
Implantable Cardiac Devices and Merlin@home Transmitter by St. Jude Medical: FDA Safety Communication – Cybersecurity Vulnerabilities Identified
[Posted 01/09/2017] AUDIENCE: Cardiology, Surgery, Family Practice, Patient
ISSUE: The FDA is providing information and recommendations regarding St. Jude Medical’s radio frequency (RF)-enabled implantable cardiac devices and Merlin@home Transmitter to reduce the risk of patient harm due to cybersecurity vulnerabilities. The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.
There have been no reports of patient harm related to these cybersecurity vulnerabilities.
To improve patient safety, St. Jude Medical has developed and validated a software patch for the Merlin@home Transmitter that addresses and reduces the risk of specific cybersecurity vulnerabilities. The patch, which will be available beginning January 9, 2017, will be applied automatically to the Merlin@home Transmitter. Patients and patient caregivers only need to make sure their Merlin@home Transmitter remains plugged in and connected to the Merlin.net network to receive the patch. The FDA has reviewed St. Jude Medical’s software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm. The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.
The FDA will continue to assess new information concerning the cybersecurity of St. Jude Medical’s implantable cardiac devices and the Merlin@home Transmitter, and will keep the public informed if the FDA’s recommendations change. The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. The increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery. The FDA will continue its work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to develop and implement solutions to address cybersecurity issues throughout a device’s total product lifecycle. The FDA takes reports of vulnerabilities in medical devices very seriously and has issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.