Thirty years ago, no one would have thought of this scenario.
Hacking into a pacemaker to cause harm.
Abbott Laboratories released a software patch (firmware update) in late August to reduce the risk that someone with malicious intent could gain unauthorized access to a patient’s pacemaker. The update was issued after an outside security firm learned of the devices’ vulnerabilities.
Sounds like a good idea.
Until it’s not.
Abbott stated the update – administered in an office or hospital – carries a slight risk of the pacemaker malfunctioning. The FDA has received 12 reports of the pacemaker malfunctioning during the update. Several of the reports noted the device went into backup pacing mode, and in some cases, the update was not successfully completed. In backup mode, the device is in a fixed default rhythm rather than the custom rhythm set for that patient.
To be clear, no patient to date has been reported as injured by the update.
The FDA has not mandated the software be updated. But the FDA has also cautioned against doctors assuming that the risk of hacking is so low that the update isn’t worth it.
A Hartford, Connecticut electrophysiologist, Steven Zweibel, stated: “If there’s a patient dependent on the device and it loses functionality because of a firmware update, you now take this patient who was doing just fine, who had a one-in-a-billion chance of having their device hacked, now you’ve done some harm to them.”
Cardiologists at Cornell Medical Center concluded the risk/benefit ratio was not optimal for the software update. So, they are not recommending the update.
The Abbott pacemakers are in close to half a million US patients.
In the book “Heart,” co-authored by Vice President Dick Cheney with his doctor, Cheney’s medical team disabled the wireless feature of his device to prevent hacking.
The underlying conundrum is that doctors have less experience assessing cybersecurity risks than traditional medical risks. Is there really a standard of care for determining whether the risk of updating firmware is lower than the long-term risk of hacking by a malicious individual? Also, whatever the answer is today, it might change.
Imagine someone getting an email that their pacemaker is being held hostage unless a ransom is paid in Bitcoins. And what if Abbott’s database of patients was hacked? And what if the ransomware didn’t even depend upon having access to the pacemaker – just enough information to scare a patient into parting with a few hundred bucks because the hacked database suggested the patient’s pacemaker had an older version of the firmware?
Now imagine the scared patient has a heart attack. What do you think? Share your comments below.