The FDA recently sent a warning letter to Abbott Labs, explaining that there were potential medical device cybersecurity issues with some of Abbott’s devices that were acquired with Abbott’s purchase of St. Jude Medical earlier this year.
Abbott Labs also failed to accurately implement the findings of a third-party risk assessment into its updated cybersecurity risk assessment for certain medical devices, the FDA explained.
The FDA inspected Abbott Labs from February 7 through February 17, 2017, and reviewed implantable cardioverter defibrillators, cardiac resynchronization therapy defibrillators, and the [email protected] monitor.
“This inspection revealed that these devices are adulterated within the meaning of section 501(h) of the Act, 21 U.S.C. § 351(h), in that the methods used in, or the facilities or controls used for, their manufacture, packing, storage, or installation are not in conformity with the current good manufacturing practice requirements of the Quality System (QS) regulation found at Title 21, Code of Federal Regulations (CFR), Part 820,” the FDA stated.
The FDA determined that Abbott Labs did not properly implement the findings from its corrective and preventive action (CAPA) plan. A third-party risk assessment was performed, but not all required corrective and preventive actions were completed, the investigation found.
This included “a full root cause investigation and the identification of actions to correct and prevent recurrence of potential cybersecurity vulnerabilities, as required by your CAPA procedures.”
Abbott Labs reportedly also “did not confirm that verification or validation activities for the corrective actions had been completed, to ensure the corrective actions were effective and did not adversely affect the finished device,” according to the FDA.
Even though Abbott Labs responded to the original findings, the FDA noted that the organization’s response was not good enough.
“We have reviewed your response and conclude that it is not adequate,” the letter explained. “Your firm provided a summary of and implementation dates for several corrections, and corrective actions. However, in your firm’s response, you failed to consider systemic corrective actions and the necessary information to include evidence of implementation for your firm’s corrections, corrective actions, and systemic corrective actions.”
In terms of potential cybersecurity vulnerabilities, the FDA said that Abbott Labs “failed to accurately incorporate the findings of a third-party assessment” that was commissioned on April 2, 2014.
“Your firm’s updated Cybersecurity Risk Assessments… failed to accurately incorporate the third party report’s findings into its security risk ratings, causing your post-mitigation risk estimations to be acceptable, when, according to the report, several risks were not adequately controlled,” the FDA asserted.
In that same report, Abbott Labs found that its hardcoded universal unlock code was “an exploitable hazard” for Abbott’s High Voltage devices. However, Abbott Labs did not identify this risk control as a hazard, failing “to properly estimate and evaluate the risk associated with the hardcoded universal lock code.”
“Your firm provided a summary of, and implementation dates for, several corrections, corrective actions, and systemic corrective actions,” the FDA wrote. “However, in your firm’s response, you failed to provide evidence of implementation for your firm’s corrections, corrective actions and systemic corrective actions.”
The FDA urged Abbott Labs to “take prompt action” and address its findings. Failure to comply may lead to seizure, injunction, and civil money penalties.
The FDA also noted that its letter was not necessarily an all-inclusive list of Abbott Labs’ violations, and that the organization was still responsible for ensuring that it complies with any applicable laws and regulations.
“The specific violations noted in this letter and in the Inspectional Observations, FDA 483, issued at the close of the inspection may be symptomatic of serious problems in your firm’s manufacturing and quality management systems,” the FDA concluded. “Your firm should investigate and determine the causes of the violations, and take prompt actions to correct the violations and bring the products into compliance.”