Health Canada reviewing fix to protect pacemakers from hackers - Action News
Home WebMail Tuesday, November 19, 2024, 05:11 PM | Calgary | -8.8°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Health

Health Canada reviewing fix to protect pacemakers from hackers

The U.S. Food and Drug Administration (FDA) has approved new firmware designed to correct a potential cybersecurity vulnerability that could theoretically allow unauthorized access to pacemakers implanted in patients.

Concerns about vulnerability of some Abbott/St. Jude medical devices to cyberattacks were raised last year

U.S. medical technology company Abbott, formerly St. Jude Medical, released a programming update to fix a security issue in the communication between some of its pacemakers and the computer networks they are connected to, which could theoretically leave them vulnerable to hackers. (Abbott)

Health Canada could take up to 75 days to decide whether to approve a programming fix aimed at a potential security flaw in pacemakers manufactured by Abbott, formerly called St. Jude Medical.

On Tuesday, the U.S. Food and Drug Administration (FDA) announced that it had approved an update to the pacemakers'"firmware" specialized software linked tohow adevice operatesdeveloped by Abbott.

The update is designed toprevent just any computer or device from communicating with the pacemaker unless it is authorized to do so the computer used by a patient's cardiologist, for example.

The pacemakers are connected to a computer network called Merlin.net, as well as to transmitters in patients' homes, so that their cardiologists and authorized health-care providers can monitor them.

Cardiologist Dr. Paul Dorian says he understands the emotional response to the notion of a cyberattack on devices implanted in the body, but says the risk of such an attack is 'theoretical' and the health benefits of having pacemakers connected to secure computer networks are enormous. (St. Michael's Hospital)

It is common practice for implanted medical devices to be connected to secure computer networks. But in August 2016, American healthcare cybersecurityfirm MedSecpublicly identified a "vulnerability" in the communication channel between the pacemakers and the home transmitters, which was later affirmed by the U.S. Department of Homeland Security.

"The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's website, Merlin.net, are not verified," the department said in an online advisory. "This may allow a remote attacker to access or influence communications."

The department acknowledged that such an attack would require "high skill" by a would-be hacker and that there had not been any known attacks.

However, both Homeland Security and the FDA, which also investigated the claims,agreedaction needed to be taken.That promptedAbbott's firmware update, which became available to physicians in the U.S. on August 29.

"[Unauthorized] access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing," said FDA spokesperson Stephanie Caccomo in an email to CBC News on Thursday.

"To address these vulnerabilities and improve patient safety, the FDA approved St. Jude Medical's firmware update to ensure that it addresses these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm," she said.

'Vanishingly small' risk

The firmwareupdatewill be transmitted to patients' pacemakers by their cardiologists during an in-person visit.According to physician instructions provided by Abbott, the processwill take about three minutes and doesnot require removal of the pacemaker.

A spokesperson for Abbott confirmed on Thursday that the company was working with Health Canada to secure approval for theupdate and that the pacemakers are distributed in Canada,but was unable to provide the number of Canadians affected.

Health Canada approved Abbott's first attempt to fix the problem a software patch releasedin January 2017 but it did not fully address the cybersecurityvulnerability.

A spokesperson for Health Canada says the department has continued to work with the manufacturer and receiving "updates and information" since then.

Although it has set a targetof 75 days for a decision on whether the new firmware update will be approved, Health Canada is "expediting the review of the application, and will endeavour to reach a decision before the target date," media relations head Eric Morrissette said in an email.

A bald man in an orange shirt on a laptop.
Cybersecurity expert David Shipley, who is definitely not on Threads in this picture. For now, the latest offering from Meta is only available as an app on Android and iOS devices, which means you can't use it on desktop PCs and laptops. (Submitted by David Shipley)

"Health Canada takes the health and safety of Canadians very seriously. The device in question meets stringent Health Canada requirements for safety and effectiveness," he said.

The medicalbenefits of the pacemakers and the ability of physicians to monitorand adjust them through computer networks far outweighthe "vanishingly small" risk of a cyberattack, said Dr. Paul Dorian, a cardiac electrophysiologist at St. Michael's Hospital in Toronto and head of the division of cardiology at the University of Toronto.

Dorian has more than 30 years of experience working with cardiac defibrillators and said he isnotconcerned that the updated firmware isn't yet available in Canada and emphasized that patients shouldn't be either.

I would be personally very disappointed if peoplelost sleep over this,-Dr. Paul Dorian, cardiologist

If Health Canada approves Abbott's security fix and issues a formaladvisory to physicians, he said, cardiologists would likelyimplement it to minimize even the tiniest risk for patients, but would probably wait until their next scheduled appointment rather than calling them in specifically to receive the update.

"I would be personally very disappointed if [people] lost sleep over this," Dorian said.

'Playing catch up'

But even though the risk of a cyberattack on the medical devices may be extremely low, Canadiancybersecurityexpert David Shipley said Health Canada should be responding more quickly.

"It illustrates perfectly that cybersecurity is not just a technology problem," hesaid. "We have these incredibly complex, amazing new medical technologies rolling out but we didn't have the regulatory processes, checks and balances and frankly the due diligence to properly protect them. And now we're playing catch up."

Although the FDA was faster and more aggressive in its response, Shipley,who is the head of Beauceron Security based in Fredericton, N.B., said the process to prevent a potential security breachfirst identified almost a year agohas taken far too long.

"In my view, a year to patch something that could kill someone, despite the likelihood being low, is an unacceptably long timeframe."