Tuesday September 26th, 2017 8:34AM

US warns of unusual cybersecurity flaw in heart devices

By The Associated Press

WASHINGTON (AP) — The Homeland Security Department warned Tuesday about an unusual cybersecurity flaw for one manufacturer's implantable heart devices that it said could allow hackers to remotely take control of a person's defibrillator or pacemaker.

Information on the security flaw, identified by researchers at MedSec Holdings in reports months ago, was only formally made public after the manufacturer, St. Jude Medical, made a software repair available Monday. MedSec is a cybersecurity research company that focuses on the health-care industry.

The government advisory said security patches will be rolled out automatically over months to patients with a device transmitter at home, as long as it is plugged in and connected to the company's network. The transmitters send heart device data back to medical professionals.

Abbott Laboratories' St. Jude said in a statement it was not aware of deaths or injuries caused by the problem. The Food and Drug Administration also said there was no evidence patients were harmed.

The federal investigation into the problem started in August.

MedSec CEO Justine Bone said on Twitter that St. Jude's software fix did not address all problems in the devices.

St. Jude's devices treat dangerous irregular heart rhythms that can cause cardiac failure or arrest. Implanted under the skin of the chest, the devices electronically pace heartbeats and shock the heart back to its normal rhythm when dangerous pumping patterns are detected.

The company's Merlin@home Transmitter electronically sends details on the device's performance to a website where the patient's physician can review the information. But that device can also be hacked.

The FDA's review is ongoing, agency spokeswoman Angela Stark said. Its investigation confirmed the vulnerabilities of the home transmitter, which could potentially be hacked and used to rapidly deplete an implanted device battery, alter pacing and potentially administer inappropriate and dangerous shocks to a person's heart.

The software patch issued by St. Jude "addresses vulnerabilities that present the greatest risk to patients," Stark said.

Stark said the company is working to address remaining vulnerabilities quickly. She said any new cardiac devices submitted to the FDA for review that use the affected transmitter will not be cleared or approved without the software update.

St. Jude disclosed details about the problem after it merged with Abbott. The company has previously denied findings that their devices could be hacked and filed a lawsuit against Muddy Waters LLC and MedSec, alleging that they tried to manipulate the markets to profit from the vulnerability research disclosures.

The revelations about a hacker's ability to potentially gain remote access and affect even the workings of a human heart shed light on the pressing problems of cybersecurity in an increasingly networked world. The advisory also highlights the dilemma for security researchers who may feel an obligation to inform the public of possible dangers but don't want to cause unnecessary panic.

"Your average patient isn't going to be targeted by assassins," said Matthew Green, an assistant professor of computer science at Johns Hopkins University. He was hired by Muddy Waters to help validate the MedSec findings after St. Jude filed its lawsuit. "An attack on this level is low-probability but very high-impact." He called it "probably the most impactful vulnerability I've ever seen."

Green said many of the more severe vulnerabilities identified by MedSec for the devices themselves have not been fixed, but the new software would make the home system a little more secure.

The FDA has been urging manufacturers to update their products, software and security measures since at least 2013. However, agency guidelines issued last year are not binding. The FDA does not review the vast majority of cybersecurity updates made to devices, under its own rules intended to streamline medical device upgrades.

In 2015 the FDA issued two separate safety alerts to hospitals over drug pumps made by Hospira, now owned by Pfizer.

In the second notice, regulators told hospitals to stop using the company's Symbiq Infusion System after the company confirmed the system could be remotely hacked, allowing an outside party to potentially reprogram the drug pumps. The devices are used to slowly dose intravenous drugs for pain, infection, nutrition and other uses and are usually programmed through a wireless hospital network.

No patient injuries were reported in connection with the issue, but the agency urged users "to begin transitioning to alternative infusion systems as soon as possible."

Hospira discontinued the pumps for unrelated reasons prior to the FDA announcement, according to the agency.

___

Follow Tami Abdollah on Twitter at https://twitter.com/latams .

© Copyright 2017 AccessWDUN.com
All rights reserved. This material may not be published, broadcast, rewritten, or redistributed without permission.