It isn't just a TV trope. Twenty years ago, the FDA probably didn't dream it would ever have to address this sort of thing.
Today the US Food and Drug Administration (FDA) and St.Jude’s Medical issued a patch to the software of its Merlin@home Transmitter. The announcement confirmed that in this case, fact could be was stranger than fiction—or at least equally nefarious.
“The FDA has reviewed information concerning potential cyber security vulnerabilities associated with St. Jude Medical’s Merline@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician to remotely access a patient’s RF-enabled implanted cardiac device,” the FDA wrote in an advisory today.
In the words of the FDA, such cyber-intrusion “could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.” The announcement made it clear that this has never happened, as far as the company and the FDA know.
The patch is being automatically sent to the device system today, the FDA said. The agency said many medical devices contain configurable embedded computer systems that can be vulnerable to intrusion.
“As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cyber security vulnerabilities, some of which could affect how a medical device operates,” the FDA said.
Physicians are advised as follows:
The FDA offers the following advice for patients:
The FDA also directs consumers to St. Jude's Medical's website and service hotline, advising patients to "seek immediate medical attention if you have symptoms of lightheadedness, dizziness, loss of consciousness, chest pain, or severe shortness of breath."
The alert from the FDA is on its MedWatch site.