Pacemaker Cybersecurity: Local Experience with a Firmware Upgrade
In August 2016, Muddy Waters LLC released a short-sell report outlining potential cybersecurity vulnerabilities in several St. Jude Medical (now Abbott) pacemaker models following a demonstration of a "crash attack" and a "battery drain attack" by vulnerability research firm MedSec.1 The motivation behind the release of this report does not appear to have been focused on patient safety; rather than inform Abbott or the US Food and Drug Administration (FDA) directly, the information was released to the public sector.2 This event was followed by a safety communication issued by the FDA in January of 2017 describing the vulnerabilities and informing the public of a software patch.3 Shortly after, the FDA issued a warning letter to Abbott in April of 2017. In response to these events, Abbott released a firmware upgrade with enhanced cybersecurity. Installation of this firmware upgrade is non-invasive and takes a few minutes to complete. During the installation procedure the pacemaker may temporarily change its pacing mode, leaving open the possibility that patients may become symptomatic during the upgrade.4
- Received April 1, 2018.
- Accepted May 8, 2018.