Patients using one of several types of implantable radio frequency-enabled pacemakers manufactured by St. Jude Medical will have to visit their healthcare provider to receive a firmware update that fixes several cybersecurity issues.
The update can’t be pushed over the air through their Merlin@home Transmitter unit because it could, in a very small number of cases, lead to a complete loss of the pacemaker’s functionality, the loss of currently programmed device settings, or a reloading of a previous firmware version.
The affected pacemaker and CRT-P devices are those sold by Abbott Laboratories (formerly St. Jude Medical) under the following names: Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure.
All in all, in the US, some 465,000 devices require the update. It is unknown how many devices have been implanted in patients outside the US.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the US Food and Drug Administration noted.
“This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing. After installing this update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so.”
The Merlin Programmer (operated by healthcare workers) and Merlin@home Transmitter (patients’ home monitor) will provide such authorization.
In addition to this, for some devices (Accent and Anthem), the updated pacemaker firmware will also prevent unencrypted transmission of patient information.
Update instructions for physicians
Abbott Laboratories has provided instructions to physicians on how the update should be performed, noting that the new device firmware will be loaded in the Merlin Programmer along with new programmer software, and that the download of the update to the pacemakers will take approximately three minutes.
“There have been no reports of unauthorized access to any patient’s implanted device, and according to an advisory issued by the US Department of Homeland Security, compromising the security of these devices would require a highly complex set of circumstances,” the company made sure to note.
This is not the first time that Abbott/St. Jude Medical has had to push out security updates for their pacemakers. In January, a security patch was provided, but patients didn’t have to come in for it to be implemented. Instead, they could do it via their Merlin@home Transmitter units.