Skip to content
Naked Security Naked Security

Pacemaker gets firmware update – go and see your doctor

There's finally a firmware update for the 465,000 affected pacemakers to fix the potentially life-threatening flaws

When a cardiac pacemaker or defibrillator is implanted into a patient, thin, flexible wires called leads are attached to deliver electric shock from the pulse generator directly to the heart.

Those leads sometimes fail. Sometimes, they get infected. Other times, they’re recalled. Removal involves surgery – a complex, delicate procedure that risks damage to the heart tissue.

So what happens when the manufacturer of an internet-connected, radio frequency (RF)-enabled pacemaker finally, begrudgingly stops fighting and litigating over potentially life-threatening attacks and issues a firmware fix for its pacemakers?

Fortunately, it’s not open heart surgery, though it will entail an in-person trip to a healthcare provider’s office.

Abbott (formerly St. Jude Medical) fixed the software side of the security vulnerabilities in January. Now, on Monday, it got to the vulnerabilities in the devices themselves.

In a Dear Doctor letter, Abbott described the firmware update as a three-minute process, during which the pacemaker will operate in backup mode, pacing at 67 beats per minute.

Essential, life-sustaining features will remain available. At the completion of the update, the device will return to its pre-update settings.

Abbott said that with any firmware update, there’s always a (low) risk of an update glitch. Based on the company’s previous firmware update experience, installing the updated firmware could potentially result in the following malfunctions, with the tiny rates of occurrence that St. Jude Medical has previously observed:

  • 0.161% chance of reloading of previous firmware version due to incomplete update
  • 0.023% chance of loss of currently programmed device settings
  • 0% (as in, none have been reported on other firmware upgrades) loss of diagnostic data
  • 0.003% chance of complete loss of device functionality

That last one may seem like a vanishingly small potential, but it’s a dire one. Pacemaker failure has two outcomes, depending on how well the patient’s heart works: you get sick, or you die.

But fortunately, that tiny chance of pacemaker failure will likely be smaller still, given that both Abbott and the US Food and Drug Administration (FDA) say they’re not recommending prophylactic removal and replacement of affected devices.

Here’s the list of St. Jude’s/Abbott’s affected implantable cardiac pacemakers, including cardiac resynchronization therapy pacemaker (CRT-P) devices:

  • Accent
  • Anthem
  • Accent MRI
  • Accent ST
  • Assurity
  • Allure

We’re talking about a total of 465,000 implanted devices that are affected by the firmware flaws, which leave the devices vulnerable to tampering that could cause them to pace at potentially dangerous rates or fail by rapidly draining their batteries.

In January, St. Jude had announced security updates for its Merlin remote monitoring system, which is used with implantable pacemakers and defibrillator devices.

The fixes were designed to reduce what St. Jude claimed to be extremely low cyber-security risks.

At the time, the pacemaker company said it was unaware of any security incidents related to, nor any attacks explicitly targeting, its devices. The same was true as of this week: there have been no known security incidents.

Well, that’s a blessing. Still, that January software update addressed some, but not all, known cyber-security problems in the heart devices. The holes left in place by the incomplete fix were those in the firmware. They were deemed to be pretty serious: Matthew Green, an assistant professor at John Hopkins University, described the pacemaker vulnerability scenario as the fuel of nightmares: for one, weak authentication protocol left the devices open to commands sent via RF, from a distance, leaving no trace, by anybody who knows the protocol (including home devices).

After installing the update that Abbott made available on Tuesday, any device attempting to communicate with the implanted pacemaker would have to provide authorization – received from the Merlin Programmer and Merlin@home Transmitter – to do so.

Pacemakers manufactured from August 28 2017 will have this update pre-loaded in the device and won’t need the update.

Abbott and the FDA are recommending that doctors discuss the risks and benefits of the vulnerabilities and the firmware update with their patients at their next regularly scheduled visit. They’re saying that it’s important to consider factors such as each patient’s level of pacemaker dependence, the age of the device, and patient preference.

Their suggestions:

  • For pacing-dependent patients, consider performing the firmware update in a facility where temporary pacing and pacemaker generator can be readily provided.
  • Print or digitally store the programmed device settings and the diagnostic data in case of loss during the update.
  • After the update, confirm that the device maintains its functionality, is not in backup mode, and that the programmed parameters have not changed.


4 Comments

“0.003% chance of complete loss of device functionality
That last one may seem like a vanishingly small potential”

Not when you consider the fact that 0.003% of 465,000 is almost 1,500 people.

Wow. I would say “it’s about time”, but I worked for a medical device manufacturer for a while. While they were considered one of the best (even at security), the government imposes so many paperwork hurdles that it makes any kind of fixes difficult to implement.
I noted the list of potential issues with some mild interest. I would bet that there are a whole bunch more possibilities (or, more granulated ones), and that Abbott included a complete list somewhere.
We sometimes dreaded the paperwork and audit trails we had to keep. However, we knew that the end result of failing to do so would be that someone got sick or died. Failures happen, but when they do, those mountains of paperwork prove of inestimable value in determining the changes needed and getting them implemented.

Even if it is only 14 people (and that will probably only be in the U.S.) I would be one of them being pacing dependent. It is scary that they don’t really have any idea if security has been breached because, if it has, it leaves no trace. As Matthew Green says “the fuel of nightmares”.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?