Wait – pacemakers can be hacked?

In 2012, at the BreakPoint security conference in Melbourne, security expert and hacker Barnaby Jack showed the world that pacemakers could be hacked. Jack discovered that the wireless transmitters used to program pacemakers could be configured to send an 830-volt shock to devices from up to 50 feet away.

On August 29th, 2017, the FDA issued a voluntary recall of 465,000 Abbott pacemakers.

There have been no reported cases of injury due to vulnerabilities in Abbott pacemakers; however, the impact of exploitation is very high – potentially fatal.

Why are the pacemakers being recalled?

Critical vulnerabilities have been identified in the firmware of Abbott – formerly St. Jude Medical – implantable cardiac pacemakers. If these vulnerabilities are exploited by a malicious actor, pacemakers can be remotely accessed and controlled. This would allow hackers to slow, stop, or drain the battery life of affected pacemakers.

Security vulnerabilities in implantable medical devices have been a cause of concern for several years, even before Barnaby Jack was able to showcase vulnerabilities in pacemakers in 2012. With the onset of recent ransomware cases, the potential intersection of ransomware and medical implants worries professionals in many different fields.


How is the firmware update being distributed?

The FDA is not recommending that pacemaker devices be removed and replaced. Instead, patients who possess an affected pacemaker are strongly encouraged to visit their health care provider in person in order to receive a firmware update. This process will take approximately three minutes. The affected versions of the Abbott pacemakers are as follows:


Accent MRI™
Accent SR RF™
Accent DR RF™
Anthem RF™
Assurity™
Assurity MRI™
Allure RF™
Allure Quadra RF™
Quadra Allure MP RF™


Impact for the Healthcare Industry

Cybersecurity attacks are a difficult problem to tackle in many different industries. However, the healthcare industry in particular is required to face several unique issues. From hackers stealing medical data (to sell on the Deep Web) to the potential of compromised life support systems, medical facilities encounter difficult challenges regularly.

Implantable medical devices may continue to see an influx in vulnerability discovery. However, the attention and recognition of said vulnerabilities may ultimately push the healthcare industry into a more security-aware stance.


Contact LMG Security if you have any questions about cybersecurity vulnerabilities in the healthcare industry, compliance standards, or HIPAA.