The U.S. Food and Drug Administration (FDA) recently approved a recall of approximately 465,000 RF-enabled pacemakers made by Abbott (formerly St. Jude) for a firmware update “to reduce the risk of patient harm due to potential exploitation of cyber security vulnerabilities.”
The FDA’s analysis determined that vulnerabilities in the St. Jude pacemakers could allow an unauthorized user to access the device remotely using commercially available equipment, and cause “patient harm from rapid battery depletion or administration of inappropriate pacing.”
“After installing this update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so,” the FDA stated.
The update, which takes approximately three minutes to complete, has to be done either at a doctor’s office or as part of an in-home visit by a healthcare provider.
The update has a 0.003 percent chance of resulting in complete loss of device functionality, according to the FDA.
Managing Authorized Access
“All industries need to be constantly vigilant against unauthorized access,” Abbott executive vice president Robert Ford said in a statement.
“This isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems,” Ford added.
Dan Lyon, principal consultant at Synopsys, told eSecurity Planet by email that the update demonstrates many of the inherent difficulties for connected medical devices. “Among those difficulties are the tension between safety and security, the ability of patients and doctors to evaluate security risk, and the long product release cycles required for medical devices,” he said.
The update fixes a hardcoded unlock code that’s in place to enable emergency care, Lyon said, showcasing the tension between safety and security for implanted devices. While medical devices need to support delivery of emergency care, the same access that supports emergency care can also be exploited by bad actors.
Security Risk Management
“Medical products fundamentally provide benefits to patients while also introducing risks,” Lyon added.
Think of a surgical procedure that brings a risk of infection that’s been quantified through scientific studies, Lyon said — most people are able to understand the idea of, say, a 0.1 percent risk of infection, and make an informed decision.
“However, that kind of data isn’t present in security vulnerabilities, and because of that the risk-benefit discussion between patients and their doctors is not based on empirical evidence, and an alternate means of communicating the risks needs to be used,” Lyon said.
“Medical device security is fundamentally about risk identification and reduction,” Lyon added. “Manufacturers need to be incorporating security risk management processes throughout their entire development lifecycle in a similar manner to how they have incorporated safety risk management. This means performing activities such as architectural risk analysis, threat modeling, automated code reviews, and security-focused testing activities.”