Ongoing Hacking Risk With St Jude/Abbott Cardiac Devices: FDA

Liam Davenport


April 14, 2017

A software patch to fix cybersecurity vulnerabilities in implantable cardiac devices from St Jude Medical, now Abbott Laboratories, was not adequately tested before it was rolled out, the US Food and Drug Administration (FDA) has alleged in a warning letter[1] to the company posted yesterday.

Furthermore, St Jude, which was acquired by Abbott Laboratories on January 4 for $25 billion, is said to have underestimated the risk for sudden battery drainages in its Unify, Fortify, Assura, and Quadra product lines, potentially putting patients' lives at risk.

The FDA states that it wants proof within 15 business days of the letter that Abbott is taking corrective action.

The deputy director for FDA's regulatory affairs, Capt Sean M Boyd, MPH, alleges that the firm did not follow its own risk-assessment and safety procedures in either matter, and in the case of the battery drainage issue, presented incomplete information to its management review and medical advisory boards.

The FDA states that "prompt action" needs to be taken to correct the "violations" it has identified, and that failure to "promptly correct these violations may result in regulatory action being initiated by the FDA."

This could include seizure, injunction, and civil money penalties, as well as notification of federal agencies about the issuance of the warning letter, "so that they may take this information into account when considering the award of contracts."

Capt Boyd adds that "premarket approval applications for class III devices" that are "reasonably related" to the issues identified "will not be approved until the violations have been corrected."

In January, the FDA issued a Safety Communication to St Jude Medical regarding cybersecurity vulnerabilities in its radio frequency–enabled implantable cardiac devices and Merlin@home Transmitter.

As reported by heartwire from Medscape, the FDA said that there were "vulnerabilities" in the devices that could allow an unauthorized user to remotely access the devices and "modify programming commands."

In response, St Jude issued a software patch to provide "additional validation and verification," which was automatically pushed to the Merlin@home Transmitter via the St Jude network.

However, the FDA alleges that St Jude, now Abbott, "failed to follow" its own procedures when conducting the risk assessment and corrective action and did not conduct a "full root-cause investigation" of the problem.

It is also alleged that the firm did not check that all the corrective actions had been completed, or indeed that the software patch was effective and "did not adversely affect the finished device."

The Merlin@home software is said not to have been fully tested and verified before it was rolled out, with St Jude specifically failing to check that the network ports could not be opened through unauthorized access.

Moreover, St Jude did not incorporate a third-party risk assessment it commissioned in 2014 into its own security risk factors, the FDA says, leading to an overoptimistic risk assessment and failure to identify key vulnerabilities.

Safety Alert

The second area of concern identified in the letter centers on a safety alert the FDA issued in October about premature battery depletion in some of St Jude's implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators.

As reported at the time, the batteries in some devices in the Fortify, Unify, and Quadra product lines manufactured before May 2015 fully drained within a day of an elective replacement indicator alert, rather than after 3 months.

The current letter states that St Jude, now Abbott, underestimated the risks posed by the battery drainage, as it had only taken into account confirmed cases, rather than including the potential for unconfirmed cases.

This was despite receiving evidence from the battery supplier on the potential for premature battery depletion.

Furthermore, the FDA alleges that, although the firm stated on two occasions that there were no serious injuries or deaths directly related to the battery, the first death attributable to the problem occurred in August 2014.

Despite a recall of the affected devices in October 2016, a further 17 devices were shipped after the recall date, seven of which were implanted into patients.

Abbott now has to set out, within 15 days of receipt of the letter, the steps it has taken to correct the issues identified and to prevent similar problems in the future.

Warning that, otherwise, the reasons for any delay and a timeframe for completion must be provided, Capt Boyd adds: "Your firm's response should be comprehensive and address all violations included in this warning letter."

No conflicts of interest or funding declared.
