Abbott Issues Software Update to Fix Pacemaker Hacking Risk

Megan Brooks


August 29, 2017

A software update designed to protect patients implanted with Abbott (formerly St Jude Medical) pacemaker devices from potential tampering by cyber criminals is now available, the US Food and Drug Administration (FDA) said today.

The firmware update, approved by the FDA last week, is a corrective action "to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers," the FDA said in a safety communication.

"If exploited," the FDA added, "[these vulnerabilities] could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing."

This is the second round of updates issued by Abbott.

The FDA recommends that patients and their healthcare providers discuss the risks and benefits of the cybersecurity vulnerabilities and the firmware update designed to address such vulnerabilities at their next regularly scheduled visit.

The devices addressed in today's safety communication are the following Abbott pacemaker and cardiac resynchronization therapy pacemaker devices: Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure. The communication does not apply to any implantable cardiac defibrillators (ICDs) or to cardiac resynchronization ICDs.

To date, there are no known reports of patient harm related to the cybersecurity vulnerabilities in the 465,000 (US) implanted devices affected, the FDA said.

The firmware update requires an office visit. It cannot be done from home via The update takes about 3 minutes to complete. During this time, the device will operate in backup mode (pacing at 67 beats per minute), and essential features will remain available, the FDA said. When the update is complete, the device will return to its pre-update settings.

The FDA and Abbott do not recommend prophylactic removal and replacement of affected devices.

The FDA said it's important to consider each patient's circumstances, such as pacemaker dependence, age of the device, and patient preference. "Determine if the update is appropriate for the given patient based on the potential benefits and risks. If deemed appropriate, install the firmware update following the instructions on the programmer," the FDA advises.

For pacing-dependent patients, they suggest that thought be given to performing the cybersecurity firmware update in a facility where a temporary pacing and pacemaker generator can be readily provided. They also suggest printing or digitally storing the programmed device settings and the diagnostic data in case of loss during the update. "After the update, confirm that the device maintains its functionality, is not in backup mode, and that the programmed parameters have not changed," the FDA advises.

More information on the firmware update is available online or by contacting Abbott's hotline at 800-722-3774.

Risk Is "Constantly Evolving"

"Cybersecurity risks in networked medical devices are constantly evolving, which means medical device manufacturers and hospitals must be vigilant in the face of changing threats in order to protect patient safety," William Maisel, acting director of FDA's Office of Device Evaluation, said in a news release.

"Today's safety communication is part of the FDA's ongoing work with Abbott to ensure they are properly addressing identified cybersecurity risks and adequately protecting their devices against potential future cybersecurity vulnerabilities. Because all networked medical devices are potentially vulnerable to cybersecurity threats, the FDA has been working diligently with device manufacturers and other stakeholders to ensure the benefits of medical devices to patients continue to outweigh any potential cybersecurity risks," Maisel added.

As previously reported by Medscape Medical News, in January of this year, after months of reviewing information, the FDA confirmed there are "vulnerabilities" that, if exploited, could allow an unauthorized user to "remotely access a patient's radio-frequency-enabled implanted cardiac device by altering the Merlin@home Transmitter."

The FDA announcement came after months of speculation following claims in August 2016 by the San Francisco–based Muddy Waters Capital that St Jude's cardiac devices were susceptible to cyber attacks.
