The FDA, US Food and Drug Administration has recalled around 465,000 implantable cardioverter defibrillators (ICD) for firmware updates. ICD is a small device that is used to treat irregular heartbeats.
In a safety report by the FDA, issued on April 17, 2018 it says that the devices, designed and operated by St. Jude Medical, are susceptible to cyber-security breaches and are also at risk of having sudden battery loss.
The safety report claimed saying, “As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.”
This vulnerability of St Jude medical ICD’s and its Merlin@home monitoring device to cyber-attack was raised by Medsec, analysts for health sector security. This analysis took place following a challenge from St Jude Medical (that was acquired by Abbott in 2017) and the susceptibility in these devices that were identified by Medsec, were confirmed by cyber security consultants Bishop Fox.
Carl Livitt of Bishop Fox told the Computer Business Review that, “Authentication backdoors are not good, especially in implantable cardiac devices that can be misused to kill people.”
Merlin@Home is a small receiver used by people who have implanted cardiac devices; it can be plugged in at home and is designed in a way to allow “remote care management of patients with implanted cardiac devices through scheduled transmissions and daily alert monitoring.”
Carl Livitt goes on to say, “Most of the vulnerabilities could be remediated by requiring a very close proximity ‘wake-up’ command to be issued to an implanted device prior to enabling long-range communications.’ This would require the physician to be in physical contact with the patient.”
The warning comes after the deal made recently between Microsoft and NHS to strengthen the cyber security defenses following an update on costly plans for security investment across the NHS.