Pacemaker patch passes probe by US watchdog

The Doctor will see you now to re-program your St Jude implant

By Richard Chirgwin


It's probably the most crucial patch of the year: Abbott Laboratories' reworked firmware for its St Jude pacemakers has won US Food and Drug Administration approval to ship.

According to the regulator's statement, the upgrade should go smoothly, nearly all the time.

Its statement says “installing the updated firmware could potentially result in the following malfunctions (including the rate of occurrence previously observed).” Here are the risks to which users will be exposed:

  • Reloading of previous firmware version due to incomplete update (0.161 percent),
  • Loss of currently programmed device settings (0.023 percent),
  • Loss of diagnostic data (none reported), and
  • Complete loss of device functionality (0.003 percent).

Problems with various pacemakers and the Merlin@Home control system, made by St Jude (which Abbott later acquired), first emerged when MedSec Holdings uncovered the bugs, shorted St Jude's shares, and then went public with its findings.

The Merlin@Home patch landed in January.

The pacemaker firmware flaws covered by the patch “could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

In approving the firmware, the FDA notes the upgrade means patients won't need replacement devices. Instead they will have to attend their specialist, where the patch is applied using the RF wand that programs the pacemaker.

Abbott's letter (PDF) issued in conjunction with the FDA says the patch also includes data encryption, and disables network connectivity features. ®
