The Homeland Security Department warned about an unusual cybersecurity flaw for one manufacturer’s implantable heart devices that it said could allow hackers to remotely take control of a person’s defibrillator or pacemaker.
Information on the security flaw, identified by researchers at MedSec Holdings in reports months ago, was only formally made public after the manufacturer, St. Jude Medical, made a software repair available Monday. MedSec is a cybersecurity research company that focuses on the health-care industry.
The government advisory said security patches will be rolled out automatically over months to patients with a device transmitter at home, as long as it is plugged in and connected to the company’s network. The transmitters send heart device data back to medical professionals.
Abbott Laboratories’ St. Jude said in a statement it was not aware of deaths or injuries caused by the problem. The Food and Drug Administration also said there was no evidence patients were harmed.
The federal investigation into the problem started in August.
MedSec CEO Justine Bone said on Twitter that St. Jude’s software fix did not address all problems in the devices.
St. Jude’s devices treat dangerous irregular heart rhythms that can cause cardiac failure or arrest. Implanted under the skin of the chest, the devices electronically pace heartbeats and shock the heart back to its normal rhythm when dangerous pumping patterns are detected.