When a cardiac pacemaker or defibrillator is implanted into a patient, thin, flexible wires called leads are attached to deliver electric shock from the pulse generator directly to the heart.
Those leads sometimes fail. Sometimes, they get infected. Other times, they’re recalled. Removal involves surgery – a complex, delicate procedure that risks damage to the heart tissue.
So what happens when the manufacturer of an internet-connected, radio frequency (RF)-enabled pacemaker finally, begrudgingly stops fighting and litigating over potentially life-threatening attacks and issues a firmware fix for its pacemakers?
Fortunately, it’s not open heart surgery, though it will entail an in-person trip to a healthcare provider’s office.
Abbott (formerly St. Jude Medical) fixed the software side of the security vulnerabilities in January. Now, on Monday, it got to the vulnerabilities in the devices themselves.
In a Dear Doctor letter, Abbott described the firmware update as a three-minute process, during which the pacemaker will operate in backup mode, pacing at 67 beats per minute.
Essential, life-sustaining features will remain available. At the completion of the update, the device will return to its pre-update settings.
Abbott said that with any firmware update, there’s always a (low) risk of an update glitch. Based on the company’s previous firmware update experience, installing the updated firmware could potentially result in the following malfunctions, with the tiny rates of occurrence that St. Jude Medical has previously observed:
- 0.161% chance of reloading of previous firmware version due to incomplete update
- 0.023% chance of loss of currently programmed device settings
- 0% (as in, none have been reported on other firmware upgrades) loss of diagnostic data
- 0.003% chance of complete loss of device functionality
That last one may seem like a vanishingly small potential, but it’s a dire one. Pacemaker failure has two outcomes, depending on how well the patient’s heart works: you get sick, or you die.
But fortunately, that tiny chance of pacemaker failure will likely be smaller still, given that both Abbott and the US Food and Drug Administration (FDA) say they’re not recommending prophylactic removal and replacement of affected devices.
Here’s the list of St. Jude’s/Abbott’s affected implantable cardiac pacemakers, including cardiac resynchronization therapy pacemaker (CRT-P) devices:
- Accent MRI
- Accent ST
We’re talking about a total of 465,000 implanted devices that are affected by the firmware flaws, which leave the devices vulnerable to tampering that could cause them to pace at potentially dangerous rates or fail by rapidly draining their batteries.
In January, St. Jude had announced security updates for its Merlin remote monitoring system, which is used with implantable pacemakers and defibrillator devices.
The fixes were designed to reduce what St. Jude claimed to be extremely low cyber-security risks.
At the time, the pacemaker company said it was unaware of any security incidents related to, nor any attacks explicitly targeting, its devices. The same was true as of this week: there have been no known security incidents.
Well, that’s a blessing. Still, that January software update addressed some, but not all, known cyber-security problems in the heart devices. The holes left in place by the incomplete fix were those in the firmware. They were deemed to be pretty serious: Matthew Green, an assistant professor at John Hopkins University, described the pacemaker vulnerability scenario as the fuel of nightmares: for one, weak authentication protocol left the devices open to commands sent via RF, from a distance, leaving no trace, by anybody who knows the protocol (including home devices).
After installing the update that Abbott made available on Tuesday, any device attempting to communicate with the implanted pacemaker would have to provide authorization – received from the Merlin Programmer and Merlin@home Transmitter – to do so.
Pacemakers manufactured from August 28 2017 will have this update pre-loaded in the device and won’t need the update.
Abbott and the FDA are recommending that doctors discuss the risks and benefits of the vulnerabilities and the firmware update with their patients at their next regularly scheduled visit. They’re saying that it’s important to consider factors such as each patient’s level of pacemaker dependence, the age of the device, and patient preference.
- For pacing-dependent patients, consider performing the firmware update in a facility where temporary pacing and pacemaker generator can be readily provided.
- Print or digitally store the programmed device settings and the diagnostic data in case of loss during the update.
- After the update, confirm that the device maintains its functionality, is not in backup mode, and that the programmed parameters have not changed.