Who Bears the Risk for Medical Decisions About Pacemakers at Risk of Being Hacked?

Thirty years ago, no one would have thought of this scenario.

Hacking into a pacemaker to cause harm.

Abbott Laboratories released a software patch (a firmware update) in late August to reduce the risk that someone with malicious intent could gain unauthorized access to a patient's pacemaker. The update was issued after an outside security firm discovered the devices' vulnerabilities and reported them.

Sounds like a good idea.

Until it’s not.

Abbott stated that the update, which must be administered in a physician's office or hospital, carries a slight risk of the pacemaker malfunctioning. The FDA has received 12 reports of pacemakers malfunctioning during the update. Several of the reports noted that the device went into backup pacing mode, and in some cases the update was never successfully completed. In backup mode, the device paces at a fixed default rate rather than the settings programmed for that particular patient.

To be clear, no patient to date has been reported as injured by the update.

The FDA has not mandated that the software be updated. But the FDA has also cautioned doctors against assuming that the risk of hacking is so low that the update isn't worth it.

A Hartford, Connecticut electrophysiologist, Steven Zweibel, stated: "If there's a patient dependent on the device and it loses functionality because of a firmware update, you now take this patient who was doing just fine, who had a one-in-a-billion chance of having their device hacked, now you've done some harm to them."

Cardiologists at Cornell Medical Center concluded that the risk/benefit ratio did not favor the software update. So, they are not recommending it.

The affected Abbott pacemakers are implanted in close to half a million US patients.

In the book "Heart," co-authored by former Vice President Dick Cheney with his doctor, Cheney describes how his medical team disabled the wireless feature of his implanted device to prevent hacking.

The underlying conundrum is that doctors have far less experience assessing cybersecurity risks than traditional medical risks. Is there really a standard of care for deciding whether the risk of updating firmware is lower than the long-term risk of an attack by a malicious individual? And whatever the answer is today, it may change: once a vulnerability has been publicly disclosed, the odds that someone builds a working attack against it generally rise over time, so the hacking side of the ledger does not stay fixed.

Imagine someone getting an email saying that their pacemaker is being held hostage unless a ransom is paid in Bitcoin. And what if Abbott's database of patients were hacked? And what if the extortion didn't even depend on having access to the pacemaker at all, just on having enough stolen information to scare a patient into parting with a few hundred bucks, because the hacked database showed that the patient's pacemaker was still running the older version of the firmware?

Now imagine the scared patient has a heart attack. What do you think? Share your comments below.

2 thoughts on “Who Bears the Risk for Medical Decisions About Pacemakers at Risk of Being Hacked?”

  1. I hadn’t heard about this, but it’s a fascinating idea. Perhaps Kim will need a pacemaker….

    Anyway, this is obviously the kind of thing that the FDA needs to issue specific guidance about. Since they make yes/no decisions about whether to approve devices and what kind of aftermarket surveillance they will need, it only seems fair to hold them responsible for making the call about whether the devices should be modified.

    Specifically: if Abbott has identified what they consider to be a ~potential~ problem, then since the FDA is regulatory, they owe the industry that opinion so that if a problem occurs, there are at least guidelines to have followed. Plaintiff’s attorneys won’t like this line of reasoning since they aren’t likely to be able to prevail in a lawsuit against the FDA, but hey–they need to step up to the plate and make a recommendation, even if it’s not a binding one.

    The FDA has taken other interesting steps in the past based solely on possibility: they removed all but one colchicine formulation from the market for heaven-knows-what reason and they removed urokinase from the market for a time–before tPA was around–because there was a ~possibility~ that it might have been contaminated with a hepatitis virus. No damages had occurred from either drug so far, but the actions happened anyway.

    I fail to see why this is any different.


Jeffrey Segal, MD, JD
Chief Executive Officer & Founder

Jeffrey Segal, MD, JD is a board-certified neurosurgeon and lawyer. In the process of conceiving, funding, developing, and growing Medical Justice, Dr. Segal has established himself as one of the country's leading authorities on medical malpractice issues, counterclaims, and internet-based assaults on reputation.
