Digitization at any cost? - Approximately 12,500 patients in Germany affected by IT security gaps in heart pacemakers.

Fri, 2017 / 09 / 22
The US Food and Drug Administration (FDA) recently warned of serious IT security gaps in pacemakers of the St. Jude Medical brand. About 500,000 American patients and 12,500 German patients are affected. However, the FDA and Abbott (which took over St. Jude Medical in 2016) advise against replacing the devices. Instead, an outpatient, non-invasive firmware update is designed to close the vulnerabilities; it includes a new software version with data encryption, an optimization of the operating system, and the ability to deactivate networking features.

At the heart of the problem with the radio-controlled pacemakers is an insecure technical interface. The implants can be reached by radio in two ways. One of the radio interfaces works only over a distance of approximately 10 cm and is used in the hospital to reprogram the devices. The second interface is accessible over several meters. Through it, the implant can communicate with the so-called Merlin@home base station, which is connected to the Internet. This allows the treating physicians to check on the health of their patients at any time.

According to experts, this second interface, which can be reached over several meters, represents a massive security gap. Possible manipulations such as a change in pacemaker rhythm, a triggering of the defibrillator without an emergency, or the rapid discharge of the battery as a result of these manipulations would have a life-threatening effect on the patients.

According to the German Federal Institute for Drugs and Medical Devices (BfArM), no cases of IT-security-related manipulations of heart pacemakers from Abbott were known; nevertheless, this incident gives pause for thought and once more stimulates discussion about the security of data in times of ubiquitous digitization. It is becoming increasingly clear that companies need a comprehensive, well-founded and security-focused digital strategy, especially in the healthcare sector, where dealing with sensitive data is part of everyday business and misuse has far-reaching consequences for patients and providers of digital solutions.

For further information, please note the following links:

https://www.aerzteblatt.de/nachrichten/78018/Schutz-vor-Hackerangriffen-Tausende-deutsche-Patienten-erhalten-Herzschrittmacher-Update

https://www.golem.de/news/hack-rueckrufaktion-fuer-500-000-unsichere-herzschrittmacher-1708-129786.html

https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm (FDA safety communication)

https://www.heise.de/security/meldung/Sicherheitsloch-im-Herzschrittmacher-3593932.html
