On August 28, 2017, the Department of Homeland Security’s Industrial Control systems Cyber Emergency Response (ICS-CERT) team released a safety notice regarding Abbott Laboratories (formerly St. Jude Medical) pacemakers manufactured before August 28, 2017. The affected pacemakers, which include include Accent/Anthem, Accent MRI, Assurity/Allure and Assurity MRI, require a firmware update to address vulnerabilities.
ICS-CERT stated:“Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.” Fortunately, a hacker must be within inches of the device/patient in order to exploit the firmware vulnerability. Unfortunately, if the vulnerability is exploited, a patient could die. Patients with one of the affected devices should visit their physician and ask whether their device needs a firmware update.
Healthcare security research company MedSec, who played a role in exposing the risk of Abbott’s pacemakers, adds: “For years this company has continued to put patients at risk by profiting from the sale of devices and a device eco-system which has little to no built-in security.”
The scope of cyber vulnerabilities facing the healthcare industry is increasing in fearsome ways. Providers should maintain an inventory of all medical devices and update software or firmware as prescribed by the vendor or manufacturer. Review your contracts to include language that requires timely provider notification of software and firmware updates.