To discuss software problems and their effect on pacemakers an overview of their "ecosystem" might be helpful.
The ecosystem of Cardiovascular implantable electronic devices(CIEDs) consists of the device , which is a pacemaker (PM) or Implantable cardioverter defibrillator,ICD),a programmer in the doctor's office,a home monitor,a cloud server and central achieving unit ,and proprietary software in the physician's office and often with a third party vendor who interprets interrogation reports for the physician.
More details: The CIED communicates with the monitor with an inductive coil telemetry (ICT) method or a radiofreqency (RF) at 402 -405 band, which is known as the MICS ( Medical implant communication service).The data received by the monitor is then transmitted by VPN to the PM company server where it can be accessed by the physician's office or a third party service vendor which include among others :Rhythm 360,Ambucor and Cardiac RMS solutions,
An important aspect of the ecosystem is that the CIED cannot be reprogrammed remotely. The patient has to have an in office doctor visit and have programming change or firmware update done by the programmer. This may be considered more of a feature than a bug as it provides an important level of security.In the doctor's office the programmers uses ICT to retrieve a token key which is then used to generate a session key. Importantly only the programmer can terminate the session so a careless tech could leave the channel open leading to CIED battery drainage or a pathway for hacking.
In the last few years software problems have affected hundreds of thousands of CIEDs manufactured by Abbott ( formerly St. Jude) and Medtronic.
On August 29,2017 the FDA issued a safety communication for 6 models of Abbott pacemakers (Accent,Anthem,Accent MRI, Accent ST,Assurity,Allure). Dr. Subrat Das and co authors in their 2020 article (see reference (1),full text on line) graphically (see their figure 3) illustrate the time lag between the FDA communication of a cyberattack vulnerability and the actions by the pacemaker manufacturers.
A firmware update was required to fix a cybersecurity vulnerability that could allow an hacker to access the devices potentially harming the patients by causing rapid battery depletion or pacing problems.Patients would need to go to their physician/s office for the update as CIEDs cannot be programmed remotely.
At that time and as far as I determine by internet search no harm has occurred to a CIED patient by hacking into the units. However 3 instances of software malfunction was reported by one group of physicians from Mayo Clinic (2) in one week in their effort to upload the firmware (version 23.1.1.) fix.So the fix itself possibly was a threat to patients in the course of the updating particularly those who were PM dependent .In one case there was a 4 second pause in pacing and and increase in the battery current .In another the pacemaker mode was changed from the DDDR setting to DOO and assistance from the company engineering team was needed to restore the original mode setting. In patients who were pacemaker dependent it was a choice between eliminating a very remote risk (a cyberattack harming the patient) and the risk of a problem encountered during the process of updating the firmware.
Later,(April 2018) Abbott issued wider application of the security patch, this time involving 350,000 ICDs and CRT units.
In 2018 a cybersecurity vulnerability was discovered in Medtronic's method for their Carelink programmers receiving updates over the internet.The vulnerabilities was linked to use of a outdated operating system (Windows XP) and lack of digital code signing during the updates. Medtronic solution at that time was not to fix their internet communication system but rather the more hands on and arguably more hacking resistant method of insertion of a jump drive into the USB port on the programmers to supply the update.
In 2019 Medtronic notified physicians that some of their PM and ICD models (manufactured between October 2018 and April 2019) were reporting erroneously short battery life estimates. This involved approximately 53,000 units .Apparently there no serious event because of this and a software patch was said to be available sometime in 2020. The error resided in the programmers and the computational programs on Medtronic's Carelink system and not in the CIED and there was no actual effect on battery life.
Also in January 2019 150,00 of Medtronic models Adapta,Versa and Sensia ( manufactured between March 2017 and Jan 2019) were recalled because of a software error to an integrated circuit.See here for Medtronic Urgent recall notice)
This problem was said by Medtronic to be due to "a design change in an integrated circuit , i.e. another programming error. This glitch under certain pacing setting could lead to pausing in pacing in when in a dual pacing mode. Medtronic said they estimated a software fix could be sent to FDA for approval by the second half of 2019.So help was on the way but not quickly and in some circumstances (patient with no ventricular escape rhythm and who did not tolerate an asynchronous mode) PM replacement was the only option. In this case a programming error would lead to PM replacement, an example of extreme downstream effect of a programing error.
The Medtronic battery life estimation error mentioned above should not be confused with a actual premature serious battery drainage problem experienced by Medtronic pacemakers also in 2019 leading to at least one death. A report in 2019 indicated there had been three medical reports in which the pacemaker was completely drained as a result of damage to the unit's capacitor. The devices potentially affected were 131,000 units of the following models; Astra,Azure,Percepta,Serena Solara.
This poses a vexing problem to patients with those units and their EP cardiologists. There was/is no way to know which devices have damaged capacitors only that certain models were vulnerable to that problem. Pacemaker replacement is far from a risk free procedure and the FDA was not recommending prophylactic replacement. Medtronic began using a different capacitor and a better method to detect capacitor failure.The psychological impact on a patient knowing that they have a pacemaker model that might suddenly loose battery power should not be underestimated.
Medtronic pacemakers have a feature not shared by other PM manufacturers.When the PM reaches ERT , a mode shift occurs and the PM is shifted into VVI mode at a fixed rate of 65.This is an asynchronous mode and may result in a syndrome called pacemaker syndrome.See here for details about this situation in which a programmed feature may cause serious symptoms while the PM is functioning as it was designed to do. What some would consider a bug is actually a feature in the eys of the pace maker manufacturer.
1)Das S et al Cybersecurity:The need for data and patient safety with cardiac implantable electronic devices, Heart Rhythm 2020 1-9 , (full text on line)
2)Lee,JZ et al Pacemaker firmware update and interrogation malfunction.Heart Rhythm case reports, vol5,#4, 213-216,April2019
addendum 12/24/20. Additional paragraph added with link.