WARNING: PACEMAKERS AT RISK
Talk about painful software updates. An estimated 465,000 people in the US are getting notices that they should update the firmware that runs their life-sustaining pacemakers or risk falling victim to potentially fatal hacks.
Cardiac pacemakers are small devices that are implanted in a patient’s upper chest to correct abnormal or irregular heart rhythms. Pacemakers are generally outfitted with small radio-frequency equipment so the devices can be maintained remotely. That way, new surgeries aren’t required after they’re implanted. Like many wireless devices, pacemakers from Abbott Laboratories contain critical flaws that allow hijackers within radio range to seize control while the pacemakers are running.
“If there were a successful attack, an unauthorized individual (i.e., a nearby attacker) could gain access and issue commands to the implanted medical device through radio frequency (RF) transmission capability, and those unauthorized commands could modify device settings (e.g., stop pacing) or impact device functionality,” Abbott representatives wrote in a letter to doctors.
The update will require patients to visit a clinic where doctors will put the pacemakers in backup mode while the firmware is being patched. The Abbott letter said that, for certain patients, the update should be performed “in a facility where temporary pacing and pacemaker generator change are readily available, due to the very small estimated risk of firmware update malfunction.”
The FDA said 465,000 pacemakers in the US alone are affected. The number of pacemakers in other countries wasn’t immediately available.
Reports of potentially life-threatening vulnerabilities in electronic pacemakers, insulin pumps, and other medical devices have steadily increased over the past decade. Many patients, doctors, and security experts downplay the threat such weaknesses pose, in large part because attackers must be within 50 feet of a patient.
Other security experts, however, point to the growing scourge of ransomware, which threatens victims with sometimes catastrophic data loss unless they pay hefty fees to obtain decryption keys that unlock their encrypted files.
At the moment, using passwords or similar authentication methods to ensure only authorized people can take remote control of medical devices is problematic. One complication: during medical emergencies, doctors often require immediate access to devices. If a patient is unable to reveal the credentials and hospital staff can’t immediately contact the patient’s doctor, the authentication requirement could delay urgent treatment.