It sounds like a horror science fiction plotline, but it’s happening. The Food and Drug Administration warned that certain cardiac devices are susceptible to online hacking.
The FDA’s statement said that pacemakers, defibrillators, and other heart devices produced by St. Jude Medical, a Minnesota-based medical device company, may have put patients at risk for cybersecurity concerns. While instances of hacking have not yet been reported, the possibility of tampering is high enough that the FDA is issuing warning for hacking threats.
“Many medical devices — including St. Jude Medical’s implantable cardiac devices — contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits,” the FDA said in a statement.
St. Jude’s devices are implanted in the skin and become connected to the heart via insulated wires. The device works with the Merlin@home Transmitter to sends a patient’s information to their doctor. The FDA warned that hackers can find a pathway to exploit the transmitter and “modify programming commands to the implanted device.”
While many medical devices are becoming interconnected via the internet and smartphones, the FDA said there’s an increased risk that someone could hack into a heart device to gain control. Someone could hack into your pacemaker and quite literally play with your heart and life by changing your heart rate, administering shocks, or even depleting the battery life.
The FDA expressed that it will continue to work with St. Jude as well as security researchers to find solutions for hacking vulnerabilities. St. Jude said that it would implement updates to its devices in 2017 to ensure patient safety.
In the interim, patients who currently use these transmitter devices are encouraged to continue a normal routine of checkups with their healthcare provider. The FDA has determined that “the benefits to patients from continued use of the device outweigh the risks.”