In an unprecedented move, the U.S. Food and Drug Administration has issued a voluntary recall notice for 465,000 pacemakers sold by Abbott Laboratories Inc., the medical device maker previously known as St. Jude Medical Inc.

Because swapping a pacemaker isn’t as simple as visiting a store and obtaining a new device over the counter, the recall requests that those with pacemakers made by the company visit their doctors for a firmware update. The new firmware has been made available to “reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities,” or put more simply, to prevent the pacemakers from getting hacked.

Potential security issues with pacemakers were first identified back in 2013. More recently, it has been discovered that the devices are often full of vulnerable code, allowing them not only to be hacked but also potentially to kill the user. The FDA released a set of recommendations for how device manufacturers should protect the security of Internet-connected medical devices in 2016.

The fundamental problem with modern pacemakers is that they employ remote access technology to allow a physician to monitor them without the need to physically access the device inside the user. With that wireless access, which can take the form of RF or WiFi, anyone within range could potentially connect to the pacemaker and cause trouble.

In the case of these specific pacemakers, the FDA said in a statement that vulnerabilities in St. Jude Medical’s RF-enabled implantable cardiac pacemakers could allow an unauthorized user to access a patient’s device using commercially available equipment. “This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the agency added.

The pacemakers affected by the recall include models using the names Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure. The process for a physician to update the firmware is supposed to take only three minutes, but the update does present a small chance of causing issues itself. The FDA noted that in less than 1 percent of updates, data may be lost and that there is a 0.003 percent chance that the firmware update may cause the pacemaker to cease working altogether.

Photo: Steven Fruitsmaak/Wikimedia Commons