Pacemaker
A pacemaker is shown in this image taken in Potsdam, Germany, Feb. 26, 2017. Reuters/Arnd Wiegmann

Recall of more than 500,000 pacemakers by the Food and Drug Administration reminded the users Tuesday about the security risks linked to the ever-increasing dependence on smart medical devices.

The FDA reviewed the potential cybersecurity in the radio frequency enabled pacemakers manufactured by St. Jude Medical, and observed, “these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing."

Meanwhile, the manufacturer is now issuing a firmware update to resolve the vulnerability. The equipment costs between $15 to $3000, according to tech news website Ars Technica.

A study conducted by the researchers from medical device security consultancy WhiteScope highlights the pacemakers manufactured by leading companies in the United States can have as many as 8,000 vulnerabilities. "Any pacemaker programmer can reprogram any pacemaker from the same manufacturer. This shows one of the areas where patient care influenced cyber security posture," it states.

The research titled, “Understanding Pacemakers Systems Security,” was released in May. It underlines that lack of security parameters, such as a physician’s consent to authenticate a pacemaker, constitute the biggest risk to a patient. Not just that, most pacemakers are equipped with removable files in unencrypted file systems that make the patients even more vulnerable.

“The findings reveal that the inherent architecture and implementation interdependencies are susceptible to security risks that have the potential to impact the overall confidentiality, integrity, and availability of the ecosystem. The findings are relatively consistent across the different vendors, highlighting the need for all vendors to perform an in-depth and holistic evaluation of implemented security controls,” the study said.

Pacemaker hacking reminds of the T.V. series Homeland but the risk is real and can pose threat to patients' lives. A hacker could actually use ransomware to ask for ransom in exchange for sparing the patient's life.

Cyber security has not been among the prime concerns of the medical device manufacturers probably, and this explains why many smart devices — that use technologies such as Wi-Fi connectivity and radio frequency — are at risk. Companies such as medical device manufacturer Abbott are selling high-end medical devices such as pacemakers, but the requisite cyber security protocols are still not in place. Ironically, cyber security measures are being followed for smartphones, but life-saving devices like pacemakers are still vulnerable to hacking.

With multiple vendors in the fray, the onus is on the FDA to come out with a set of security guidelines to ensure the safety of patients using the smart medical devices. The agency needs to come out with these guidelines in a timely manner. It can also assess the performance of different devices in the market to minimize the chances of the devices being hacked.