Implantable Cardiac Devices Could Be Vulnerable To Hackers, FDA Warns

The U.S. Food and Drug Administration warned on Monday that pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients' lives at risk, as hackers could remotely access the devices and change the heart rate, administer shocks, or quickly deplete the battery. Thankfully, St. Jude released a new software patch on the same day as the FDA warning to address these vulnerabilities. Motherboard reports: St. Jude Medical's implantable cardiac devices are put under the skin, in the upper chest area, and have insulated wires that go into the heart to help it beat properly, if it's too slow or too fast. They work together with the Merlin@home Transmitter, located in the patient's house, which sends the patient's data to their physician using the Merlin.net Patient Care Network. Hackers could have exploited the transmitter, the manufacturer confirmed. "[It] could (...) be used to modify programming commands to the implanted device," the FDA safety communication reads. In an emailed response to Motherboard, a St. Jude Medical representative noted that the company "has taken numerous measures to protect the security and safety of our devices," including the new patch, and the creation of a "cyber security medical advisory board." The company plans to implement additional updates in 2017, the email said. This warning comes a few days after Abbott Laboratories acquired St. Jude Medical, and four months after a group of experts at Miami-based cybersecurity company MedSec Holding published a paper explaining several vulnerabilities they found in St. Jude Medical's pacemakers and defibrillators. They made the announcement at the end of August 2016, together with investment house Muddy Waters Capital.

The FDA is part of the problem.

[msauve]

If the FDA weren't so strict about certifying every possible change to a medical device, this would be less of an issue. Because of all the hoops and red tape manufacturers have to go through anytime they make a change, the FDA rules/regulations provide a disincentive to make changes.

And, why is the FDA pointing a finger at device manufacturers, whey they themselves are responsible for device approval and should have identified these issues before giving that approval? Either they're responsible for ensuring that devices are safe, or they're not. They can't have it both ways.

Your government at work.

Re:The FDA is part of the problem.

[geekmux]

...And, why is the FDA pointing a finger at device manufacturers, whey they themselves are responsible for device approval and should have identified these issues before giving that approval?

Because the FDA does not maintain an elite army of Cyberhackers. That's why.

Either they're responsible for ensuring that devices are safe, or they're not. They can't have it both ways. Your government at work.

Divisions of the government that do maintain Cybersecurity divisions have been hacked, as well as the corporate sector. Even the most accelerated plan to approve changes may not be fast enough to keep up with potential threats and discovered vulnerabilities.

Perhaps the ultimate answer is to not tie every fucking thing to the damn cloud.

I know, I know. Fuck the inherent risks, because whoring out our digital lives is worth it every time.