Pacemakers Can Be Hacked, Manufacturer Confirms

It isn't just a TV trope. Twenty years ago, the FDA probably didn't dream it would ever have to address this sort of thing.

Today the US Food and Drug Administration (FDA) and St.Jude’s Medical issued a patch to the software of its [email protected] Transmitter. The announcement confirmed that in this case, fact could be was stranger than fiction—or at least equally nefarious.

“The FDA has reviewed information concerning potential cyber security vulnerabilities associated with St. Jude Medical’s [email protected] Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician to remotely access a patient’s RF-enabled implanted cardiac device,” the FDA wrote in an advisory today.

In the words of the FDA, such cyber-intrusion “could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.” The announcement made it clear that this has never happened, as far as the company and the FDA know.

The patch is being automatically sent to the device system today, the FDA said. The agency said many medical devices contain configurable embedded computer systems that can be vulnerable to intrusion.

“As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cyber security vulnerabilities, some of which could affect how a medical device operates,” the FDA said.

Physicians are advised as follows:

  • Continue to conduct in-office follow-up, per normal routine, with patients who have an implantable cardiac device that is monitored using the [email protected] Transmitter.
  • Remind patients to keep their [email protected] Transmitter connected as this will ensure that patients' devices receive the necessary patches and updates.
  • Contact St. Jude Medical's [email protected] customer service at 1-877-My-Merlin, or visit www.sjm.com/Merlin disclaimer icon for answers to questions and additional information regarding St. Jude Medical's implantable cardiac devices, or the [email protected] Transmitter.

The FDA offers the following advice for patients:

  • Follow the labeling instructions provided with your [email protected] Transmitter. Keeping your monitor connected as directed will ensure your monitor receives necessary updates and patches. Keep in mind that although all connected medical devices, including this one, carry certain risks, the FDA has determined that the benefits to patients from continued use of the device outweigh the risks.
  • Consult with your physician(s) for routine care and follow-up. Your ongoing medical management should be individualized based on your medical history and clinical condition.

The FDA also directs consumers to St. Jude's Medical's website and service hotline, advising patients to "seek immediate medical attention if you have symptoms of lightheadedness, dizziness, loss of consciousness, chest pain, or severe shortness of breath."

The alert from the FDA is on its MedWatch site.