Slashdot Mirror


Abbott Addresses Life-Threatening Flaw In a Half-Million Pacemakers (threatpost.com)

lod123 shares a report from Threatpost: Nearly a half-million pacemakers are up for a firmware update to address potentially life-threatening vulnerabilities. Abbott (formerly St. Jude Medical) has released another upgrade to the firmware installed on certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices -- a.k.a., pacemakers. About 465,000 patients are affected. The update will strengthen the devices' protection against unauthorized access, as the provider said in a statement on its website: "It is intended to prevent anyone other than your doctor from changing your device settings." The update comes after 2016 claims by researchers that the then-St. Jude's cardiac implant ecosystem was rife with cybersecurity flaws that could result in "catastrophic results."

20 comments

  1. Let's $2000 for the doctor to install it + softwar by Joe_Dragon · · Score: 2

    Let's $2000 for the doctor to install it + software fees + office fees.

  2. Odds for more flaws? by Anonymous Coward · · Score: 0

    What are the odds that this update introduces even more flaws?

  3. One more thing by Anonymous Coward · · Score: 0

    That should require a physical connection.

    1. Re:One more thing by sjames · · Score: 1

      I would think near field is a better choice. Although minor, would you want to have surgery every time there's an update?

    2. Re:One more thing by Anonymous Coward · · Score: 0

      I would think near field is a better choice. Although minor, would you want to have surgery every time there's an update?

      Or alternatively, you've got a USB port in your chest.

    3. Re:One more thing by Anonymous Coward · · Score: 0

      This is easy. Allow wireless updates as long as the update matches your encrypted signature. That means the private key can literally be used to kill people. (Unlike keys used in government and military. Oh wait, same risk.) Better keep those keys safe.

    4. Re:One more thing by sjames · · Score: 1

      It makes a lot more sense to use near field. That way, you can at the same time make sure an ER doctor can readily access your device in an emergency but your angry-at-the-world neighbor can't kill you from his recliner.

    5. Re: One more thing by Anonymous Coward · · Score: 0

      No Bluetooth or USB drivers existed for MOSTEK 6502 processors at the time the pacemakers were manufactured.
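The signed-update gate proposed in the "allow wireless updates as long as the update matches your encrypted signature" reply, as an added Go example that is not from Abbott, St. Jude or the Threatpost article: the image format, the version field and the keys are constructed assumptions. The device side holds only the vendor's public key, so a tampered image or one signed with any other key is refused, and the version check refuses re-flashing an older, vulnerable release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed, hypothetical update format: a version,
// the firmware payload, and a detached signature over (version || payload).
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage binds the version into the signed bytes so the version
// cannot be rewritten without invalidating the signature.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	copy(msg[4:], payload)
	return msg
}

// SignFirmware is the vendor-side step: only the holder of the private key
// can produce an image the implant will accept, which is why that key's
// custody matters as much as the crypto itself.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{version, payload, ed25519.Sign(priv, signedMessage(version, payload))}
}

// VerifyUpdate is the device-side check. It needs only the vendor public key
// and the currently installed version; it rejects altered images, images
// signed by any other key, and rollbacks to an older release.
func VerifyUpdate(pub ed25519.PublicKey, current uint32, img FirmwareImage) error {
	if !ed25519.Verify(pub, signedMessage(img.Version, img.Payload), img.Signature) {
		return errors.New("signature invalid: image altered or not signed by the vendor key")
	}
	if img.Version <= current {
		return errors.New("rollback refused: image is not newer than installed firmware")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	img := SignFirmware(priv, 2, []byte("constructed payload v2"))
	fmt.Println("genuine v2 over v1:", VerifyUpdate(pub, 1, img))
	img.Payload[0] ^= 1 // simulate a bit flipped in transit
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, img))
}
```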

  4. Re:Let's $2000 for the doctor to install it + soft by Anonymous Coward · · Score: 0

    Grammar much?

  5. Re:Let's $2000 for the doctor to install it + soft by Joe_Dragon · · Score: 1

    Our 1989 Epic billing system running MUMPS is very limited

  6. bah! by ruddk · · Score: 1

    Not worried, it has been working flawl fT%ggg

  7. Re:Let's $2000 for the doctor to install it + soft by LagFlag · · Score: 1

    Put your money where your mouth is... how many RVUs will the physician earn doing this procedure? My guess is 2-3 at most, if he/she is there in person. At $70 per RVU, we're looking at about $200. This includes overhead of maintaining an office, nursing staff, clerical staff, etc., if he/she is one of the increasingly rare independent practice physicians.

    Most physicians I know spend a lot of time doing activities for which they earn nothing... especially email and phone calls,

  8. Do Lightning Strikes affect these devices? by Streetlight · · Score: 1

    An earlier /. post noted that apparently lightning strikes can cause brain implants to stop working, and I asked there whether they also cause heart pacemakers to stop working. What about these devices?

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell

  9. Rewarding Spammers by Luthair · · Score: 1

    Is Slashdot really going to continue to reward blatant spammers like lod123 and threatpost? Another account they used previously was msm1267.

  10. low security in medical by Anonymous Coward · · Score: 0

    I write software for medical devices. For years, security was an afterthought. It was only a couple of years ago that the FDA gave a guidance doc on security. Not surprising that pacemaking had security holes.

    1. Re:low security in medical by Anonymous Coward · · Score: 0

      How open is your industry to the idea of adopting an open-source model for developing the software that controls these devices? I don't think the companies who make these devices would stand to lose much money in software licencing fees, considering you still need very specialized hardware to run the software on.

      You'd have more eyes looking for flaws and vulnerabilities, plus it would do wonders for restoring the public's trust in medical tech. With all the scandals that have happened over the years, I think the medical software industry needs a bit of a PR boost. A lot of us still haven't forgotten about Therac-25.

  11. Re:Let's $2000 for the doctor to install it + soft by MMC+Monster · · Score: 1

    I am a cardiologist.

    This is more of a pain than it's worth. Calling patients to tell them they have to come in early, answering questions over phone or email regarding it, wasted time in the over-filled pacer clinics to squeeze these patients in.

    I didn't look into the wRVU amount, but I'd be shocked if it was as high as 2 wRVUs for this.

    (I'm an employed doc. I make enough wRVUs that I max out my bonus. I care more about patient health and satisfaction than a couple bucks.)

    --
    Help! I'm a slashdot refugee.

  12. Recall by Anonymous Coward · · Score: 0

    Why don't they just recall those devices?

  13. Re: Let's $2000 for the doctor to install it + sof by LagFlag · · Score: 1

    I only wished to establish an upper bound, based on CPT coding guidelines published by pacemaker/AICD companies.

    As my Google and Facebook neighbors buy million dollar homes, I grow tired of insinuations that physicians are over-compensated.

  14. physical access by Anonymous Coward · · Score: 0

    Don't you have to have physical access to the patient?
    So they are afraid hackers will break into your house, place the communication pod on your chest, and screw with your settings?