Today, Abbott announced the latest in what it has described as a planned series of cybersecurity updates for the company’s implantable cardioverter defibrillators (ICDs). The voluntary recall reportedly applies to 382,000 devices in the U.S. alone, 350,000 of which are currently implanted in patients.
The FDA said in its simultaneous alert about the firmware update that it “...is intended as a corrective action (recall), to reduce the risk of patient harm due to premature battery depletion and potential exploitation of cybersecurity vulnerabilities for certain Abbott ICDs and CRT-Ds.” The Department of Homeland Security also released an advisory and said the vulnerabilities, if successfully exploited, “...may allow a nearby attacker to gain unauthorized access to an ICD to issue commands, change settings, or otherwise interfere with the intended function of the ICD.” Abbott issued its first ICD update in August 2017, as did the FDA, and that voluntary recall reportedly covered 465,000 devices. HealthInfoSecurity said in its coverage of the original recall that it was the first recall of its kind for a network-connected implantable device due to cybersecurity vulnerabilities.
Warning bells should be ringing loudly right now. These kinds of recalls will continue because the industry’s focus is primarily on enabling software patches for vulnerable medical devices. Beyond support for software updates (which can themselves become a threat surface from which medical devices can be compromised), the industry should look more holistically at the end-to-end security of the entire connected health solution. Thirdwayv is doing this across the solution’s complete lifecycle, from the factory to device delivery and use. It’s the only way to combat all of the threats facing today’s connected medical devices.
Until now, medical device recalls have been voluntary, no breaches have occurred, and no patients have been harmed. The industry needs to deliver the kind of comprehensive IoT healthcare security that makes sure this continues to be the case.