Matthew Rosenquist
Software updates are becoming more painful. 465k pacemaker patients have been told they need a security patch.
The U.S. Food and Drug Administration (FDA) has issued a safety communication indicating a firmware update was necessary to address cybersecurity vulnerabilities in Abbott’s implantable cardiac pacemakers. Abbott (formerly St. Jude Medical) published an open letter to doctors which stated:
"If there were a successful attack, an unauthorized individual (i.e., a nearby attacker) could gain access and issue commands to the implanted medical device through radio frequency (RF) transmission capability, and those unauthorized commands could modify device settings (e.g., stop pacing) or impact device functionality,"
According to Abbott, there have been no reports of device compromise related to these vulnerabilities. The company is recommending a firmware update, performed by professionals, to bring the device to newer software. The update cannot be delivered remotely, so patients must visit doctors in a facility that has the proper equipment to service the patient in the unlikely event of an update failure.
This is an unfortunate and unnerving problem, far different than the updates to our phones, personal computers, or tablets. It is an example that has grave potential consequences. It will not be the last.
We are going to see more and more update notifications for medical and other IoT devices that impact life-safety. Modern society is at a point where the floodgates of discovered device vulnerabilities may begin to open over the next few years, as a result of more technology being used in our everyday lives and connectivity coming under scrutiny by security researchers, regulators, and attacker communities. Now is the time for people and industries to contemplate the risks and maneuver early to greatly improve cybersecurity in products that we trust with our health, prosperity, and safety.
Image Source: St Jude Medical - Newsroom - Media Kits - Heart Failure - United States
Interested in more? Follow me on LinkedIn, Twitter (@Matt_Rosenquist), Information Security Strategy, and Steemit to hear insights and what is going on in cybersecurity.