Pacemaker patched... one year after critical flaws reported

The St. Jude Medical pacemaker flaws that an investor relied on to short the company’s stock has a new patch to address the issue.

Abbott Laboratories, which acquired St. Jude Medical in January, released a firmware update on Tuesday to boost protections against hackers and roll out a battery performance alert function. 

The update includes operating system patches, additional encryption, and a feature to disable network connectivity. 

As noted by Reuters, St. Jude last year recalled some of the 400,000 pacemakers last year after its own study found a risk of premature battery depletion. The recall applied to devices implanted in the US, Canada, and Australia.   

The US Food and Drug Administration said it had approved the new firmware update after reviewing and confirming claims that hackers could exploit vulnerabilities in St. Jude’s radio frequency-enabled heart implants to reprogram them to pace at dangerous rates or drain their batteries. 

The FDA said there are no known cases of patient harm stemming from the bugs found in devices.

Patients will need to visit their healthcare provider to install the firmware update, which takes about three minutes and is done by waving a telemetry wand over the implanted pacemaker. It can’t be installed via St. Jude’s Merlin@home application. 

The FDA warned there is a “very low risk of an update malfunction”. Based on Abbott’s data, there’s a 0.161 percent chance the update reloads old firmware due to an incomplete update; a 0.023 percent chance that the update will wipe programmed device settings; a not reported chance of loss of diagnostic data; and a 0.003 percent chance the device becomes bricked. 

The FDA also recommends pacing-dependent patients install the update where a backup pacemaker generator is nearby. It’s also recommending healthcare providers have a printout of device settings and diagnostics data in case of a botched update. 

Read more: ​US puts medical device patching under the microscope

All new pacemakers made from August 28 include the new firmware update. 

A spokeswoman for Abbott said it was “resolving all old St. Jude Medical issues”. 

St. Jude released a first round of security updates in January after working with the FDA and the DHS’s ICS-CERT to resolve the issues originally reported by short-seller Muddy Waters Capital and security firm MedSec. St. Jude Medical sued the two firms over the bug report last September. 

Muddy Waters believed the bugs could undermine a deal underway for Abbott to buy St. Jude for $25bn, but it went ahead anyway. 

About the TGA assessment

Abbott continues to work closely with TGA (Therapeutic Goods Administration) and has updated the agency on the developments. TGA has assessed the cybersecurity update, and has classified it as a safety alert and not as a recall. Abbott is engaging with customers and informing them of the updates per guidance from the TGA.  

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags medical devicesAbbott LaboratoriesSt. Jude Medical pacemakerPacemaker

More about Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts