- A recent firmware update was created in an effort to reduce potential harm from cybersecurity vulnerabilities in certain Abbott pacemakers. The FDA approved the update, saying patients and providers should discuss the firmware update at their next regularly scheduled visit.
The devices at the center of the cybersecurity concern involved implantable cardiac pacemakers, including cardiac resynchronization therapy pacemaker (CRT-P) devices. Formerly St. Jude Medical devices, the pacemakers provide pacing for slow or irregular heart rhythms, according to the FDA.
“Many medical devices - including St. Jude Medical's implantable cardiac pacemakers - contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits,” the FDA explained in a safety communication. “As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.”
The FDA sent a warning letter to Abbot Labs in April 2017, citing concerns with medical device cybersecurity. Along with the potential vulnerabilities, Abbott Labs reportedly failed to accurately implement the findings of a third-party risk assessment into its updated cybersecurity risk assessment for certain medical devices.
“This inspection revealed that these devices are adulterated within the meaning of section 501(h) of the Act, 21 U.S.C. § 351(h), in that the methods used in, or the facilities or controls used for, their manufacture, packing, storage, or installation are not in conformity with the current good manufacturing practice requirements of the Quality System (QS) regulation found at Title 21, Code of Federal Regulations (CFR), Part 820,” the FDA said in its letter.
The third-party assessment was commissioned on April 2, 2014, but Abbott “failed to accurately incorporate the third party report’s findings into its security risk ratings.” Several risks were therefore not adequately controlled, according to the FDA.
At the time, the agency also urged Abbott Labs to “take prompt action.”
“Failure to promptly correct these violations may result in regulatory action being initiated by the FDA without further notice,” the April 2017 letter read. “These actions include, but are not limited to, seizure, injunction, and civil money penalties.”
While there are no known cases of patients being harmed from the potential cybersecurity vulnerabilities, FDA said in its safety communication that the issues still needed to be addressed.
“St. Jude Medical has developed and validated this firmware update as a corrective action (recall) for all of their RF-enabled pacemaker devices, including cardiac resynchronization pacemakers,” the FDA stated. “The FDA has approved St. Jude Medical's firmware update to ensure that it addresses these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm.”
There might also be malfunctions when performing the firmware update, the FDA cautioned, which could include the following:
- Reloading of previous firmware version due to incomplete update (0.161 percent)
- Loss of currently programmed device settings (0.023 percent)
- Loss of diagnostic data (none reported)
- Complete loss of device functionality (0.003 percent).
The update requires an in-person visit, and will take approximately three minutes, according to the FDA.
“During this time, the device will operate in backup mode (pacing at 67 beats per minute), and essential, life-sustaining features will remain available,” the agency explained. “At the completion of the update, the device will return to its pre-update settings.”
Neither the FDA nor Abbott recommend prophylactic removal of or replacing the affected devices. Patients and providers should also discuss each patient's circumstances, such as pacemaker dependence, age of the device, and patient preference.
“Determine if the update is appropriate for the given patient based on the potential benefits and risks,” the FDA advised. “If deemed appropriate, install the firmware update following the instructions on the programmer.”
Entities should confirm a device remains functional after the firmware update and that it is not in backup mode. It should also be verified that the program parameters remain the same.
“The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” the FDA stated. “However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery.”
The agency concluded that it will continue to work with manufacturers, healthcare providers, security researchers, and other government agencies “to develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle.”
“Prompt reporting of adverse events can help the FDA identify and better understand the risks related to the use of medical devices,” the FDA concluded. “Health care personnel employed by facilities that are subject to the FDA's user facility reporting requirements should follow the reporting procedures established by their facilities.”
UPDATE: On August 31, 2017, Abbott issued a statement to HealthITSecurity.com.
“Today, Abbott notified physicians of updates to its implantable pacemakers and defibrillators as part of its ongoing commitment to continuously improve patient care,” the statement read.
“The new device updates include a Battery Performance Alert for our implantable cardioverter defibrillators (ICDs) that provides physicians with earlier warning of the potential for the low risk of premature battery depletion. They also include a planned update to pacemaker firmware (a kind of software) to add additional security protections designed to reduce the risk of unauthorized access to patients' pacemakers.”
Abbott reiterated that there have been no reported cases of a patient’s implanted device being accessed by an unauthorized party. The company is also “communicating with regulatory authorities worldwide to implement the new updates to the implantable devices.”
Abbott Executive VP of Medical Devices Robert Ford stated that all industries must remain vigilant in protecting against unauthorized access.
"This isn't a static process, which is why we're working with others in the healthcare sector to ensure we're proactively addressing common topics to further advance the security of devices and systems,” Ford said.