Pacemakers vulnerable to cybersecurity flaws, FDA warns

Photo (c) SunnySideUp - Fotolia

Consumers who use an affected device are urged to to consider a recent firmware update

On Tuesday, the Food and Drug Administration (FDA) issued an advisory warning stating that 465,000 pacemakers currently in use in the U.S. have cybersecurity issues and are vulnerable to hacking, though the number of devices affected globally may be closer to 750,000.  

The agency says that patients with radio frequency (RF)-enabled implantable pacemakers, originally manufactured by St. Jude Medical and now owned by Abbot, could be harmed by hackers who can make the devices pace too quickly or run down the batteries. However, Abbot has said that it is not aware of any cases of this happening and that it would involve a “highly complex set of circumstances,” according to a BBC report.

All consumers who have had the devices implanted are urged to consider applying a firmware update with the assistance of their health care provider.

Installing the update and associated risks

The FDA says that the affected devices include several St. Jude Medical pacemaker and CRT-P devices, including Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure. However, the warning does not apply to implantable cardiac defibrillators (ICDs) or to cardiac resynchronization ICDs (CRT-Ds).

On August 23, the agency approved a firmware update intended to patch the cybersecurity vulnerabilities, and it later became available on August 29. Officials say that pacemakers manufactured beginning on August 28, 2017 will have the update pre-loaded.

The firmware update will require an in-patient visit to a health care provider and will only take around three minutes to complete. The FDA says that while the update is taking place, devices will operate in backup mode and will pace at 67 beats per minute while retaining essential, life-sustaining features. After the update is installed, the devices will revert back to their pre-update settings. However, officials warn that the firmware update does come with certain risks.

“As with any firmware update, there is a very low risk of an update malfunction. Based on St. Jude Medical’s previous firmware update experience, installing the update firmware could potentially result in…malfunctions,” the FDA said. These include:

  • A 0.161% chance of reloading a previous firmware version due to incomplete update;
  • A 0.023% chance of losing currently programmed device settings;
  • Loss of diagnostic data (none reported thus far); and
  • A 0.003% chance of complete loss of device functionality.


The FDA and Abbot both urge users NOT to prophylactically remove or replace affected devices. Instead, consumers should talk with their health care provider to determine if the update is appropriate based on potential risks and benefits and proceed accordingly.

If possible, the FDA says that pacing-dependent patients should perform the firmware update at a facility where temporary pacing and pacemaker generator can be readily provided. Users should also print or digitally store their device settings and diagnostic data in case it is lost during the update. Lastly, the agency says to make sure the device is still functioning, not in backup mode, and set to programmed parameters after the update is complete.

For more information about the firmware update, consumers can contact an Abbot representative at 1-800-722-3774 or visit the FDA's site here.

Find a Medical Alert System partner near you.