Pacemaker patch passes probe by US watchdog

The Doctor will see you now to re-program your St Jude implant

By Richard Chirgwin

Posted in Security, 30th August 2017 06:27 GMT

It's probably the most crucial patch of the year: Abbott Laboratories' reworked firmware for its St Jude pacemakers has won US Food and Drug Administration approval to ship.

According to the regulator's statement, the upgrade should go smoothly, nearly all the time.

Its statement says “installing the updated firmware could potentially result in the following malfunctions (including the rate of occurrence previously observed).” Here are the risks to which users will be exposed:

  • Reloading of previous firmware version due to incomplete update (0.161 percent),
  • Loss of currently programmed device settings (0.023 percent),
  • Loss of diagnostic data (none reported), and
  • Complete loss of device functionality (0.003 percent).

Problems with various pacemakers and the Merlin@Home control system, made by St Jude (which Abbott later acquired), first emerged when MedSec Holdings uncovered the bugs, shorted St Jude's shares, and then went public with its findings.

The Merlin@Home patch landed in January.

The pacemaker firmware flaws covered by the patch “could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

In approving the firmware, the FDA notes the upgrade means patients won't need replacement devices. Instead they will have to attend their specialist, but the patch is applied using the RF wand that programs the pacemaker.

Abbott's letter (PDF) issued in conjunction with the FDA says the patch also includes data encryption, and disables network connectivity features. ®
