According to a cybersecurity notice from the Food and Drug Administration, certain pacemakers and cardiac devices are currently vulnerable to hacking. Although security researchers have warned about the security risks to medical devices for years now, this is the first time we've seen the government publicly acknowledge a specific threat.
The vulnerable devices included under the FDA's warning are not the pacemakers themselves, but rather the Merlin@home Transmitters made by St. Jude Medical. The transmitters are part of a home monitor that connects to pacemakers and other implanted cardiac devices using a wireless RF signal. The Merlin is designed to read the data stored on a pacemaker and then upload that data to its own cloud on the Merlin.net Patient Care Network, where a physician can access and monitor the device and the patient's health. Although it doesn't mention specifics of the threat, the government acknowledges that Merlin monitors could be hacked to send modified commands to a patient's pacemaker or other device. With the right access, a hacker could do anything from deplete a pacemaker's battery to shocking a patient or throwing off their heartbeat.
On the bright side, the FDA says there have been no reported hacks and no patients have been harmed so far. To fix the problem, a software patch will be automatically applied over-the-air to affected Merlin@home devices starting today. Patients or their caregivers only need to ensure the devices are online and connected to get the fix.