FDA: Hackers could take control of connected cardiac devices

It's a sad truth, but if something can be connected to the internet, hackers will more than likely take a run at it. It doesn't matter if it's a children's toy or an essential medical device — if there's a vulnerability, chances are it can and will be exploited.

That was all too clear this week when the FDA issued a warning about the vulnerabilities of a series of connected implantable cardiac devices used by patients to relay their vitals to caregivers from home. The devices give affected patients and their doctors an invaluable level of connection outside the hospital — but even though there's no evidence of any attempts to break through the system, experts found the connection can be compromised.

The FDA's warning specifically focused on St. Jude Medical's Merlin@home Transmitter system. It's a home monitor that reads a patient's vitals, which are tracked by an implanted cardiac device like a pacemaker and continuously transmits the data to an online network that can be accessed by doctors.

While many cyber threats to the medical community have been centered on stealing records and information, this vulnerability could affect patients directly in much more insidious ways. If exploited, the FDA warned that an unauthorized party could possibly access a connected implanted cardiac device. After having gained access, the hacker could "modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."

St. Jude Medical's response

With patients' lives on the line, this could be a serious threat. Thankfully, these announcements were precautionary — St. Jude Medical reps declared in a statement they were "not aware of any cyber security incidents related to a St. Jude Medical device, nor is it aware that any specific St. Jude Medical device or system in clinical use has been purposely targeted."

The statement further affirmed that the information was shared as part of St. Jude Medical's commitment to "informing the public about these ongoing actions so that patients can continue to be confident about the benefits of remote monitoring."

In tandem with the public warning of the potential vulnerabilities, St. Jude Medical released a software patch to address the issue head on and close up the system's shortcomings. In the same statement that issued the original warning, the FDA declared the software patch sufficient, determining "that the health benefits to patients from continued use of the device outweigh the cybersecurity risks."

Threats in our connected future

With the prevalence of connected devices and the Internet of Things, these types of vulnerabilities will become more and more common. Digital security concerns are moving from just smartphones and laptops to just about everything with an on switch — with connected TVs already the norm and other household appliances following suit, staying vigilant of vulnerabilities will become even more important for companies and consumers alike.

For now, hackers aren't trying to take control of pacemakers, which should help us retain just a shred of faith in human decency. But as more devices come online, this type of focus on proactive security will be essential to stay safe in our connected future.