- Hackers could exploit a cybersecurity vulnerability in implantable cardiac defibrillators made by Abbott Laboratories (formerly St. Jude Medical) and endanger patient safety, according to a safety communication from the Food and Drug Administration (FDA).
Hackers could gain access through the devices’ radio frequency (RF) communications using commercial available equipment and issue commands, change settings, or perform other actions that could interfere with the function of the defibrillators.
If they gain access to the device, hackers could issue commands for inappropriate pacing or shocks that would cause patient injury or death. This interference could also cause rapid battery depletion, the FDA noted.
The products affected by the vulnerability are implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) under the names Fortify, Quadra, Unify, Promote, Ellipse, and Current.
The devices are implanted under the skin in the upper chest area with insulated wires that connect to the heart. They are designed to provide pacing for slow heart rhythms and electric shock to stop dangerously fast heart rhythms.
The FDA said it approved on April 11 a firmware update intended to fix the cybersecurity vulnerability in the RF-enabled defibrillators and to detect rapid battery depletion in the devices. It is recommending that patients receive the firmware update at their next regularly scheduled doctor’s visit.
The agency explained that the update process will take approximately three minutes to complete. During this time, the device will operate in backup mode (pacing at 67 beats per minute), and high voltage therapy will automatically be disabled.
At the beginning of the update process, there may be a pause of one to three seconds with no pacing during this period. At the completion of the update, the device will return to its pre-update settings with therapies on.
The FDA had previously identified the problem of rapid depletion of lithium batteries used by the devices. Deposits of lithium can form within the battery and result in abnormal electrical connections and battery failure.
“If the battery runs out, the ICD or CRT-D will be unable to deliver life-saving pacing or shocks, which could lead to patient death. The patients most at risk are those with a high likelihood of requiring life-saving shocks and those who are pacemaker dependent,” the FDA warned.
After installing the update, individuals or devices attempting to communicate with the defibrillators must provide authorization through the Merlin programmer and [email protected] transmitter.
Unfortunately, Current and Promote defibrillators cannot accept the update because of technical limitations, the FDA related. Instead, patients can use the Merlin Programmer to disable RF on the devices. But this will prevent the device from transmitting information to the doctor’s office for patients using the [email protected] transmitter.
The FDA cautioned that there was a “very low risk” that the device could malfunction during the updating process, resulting in patient discomfort due to the backup pacing settings, reloading of previous firmware version due to an incomplete update, inability to treat heart fibrillation while in backup mode, device remaining in backup mode due to an unsuccessful update, or loss of device settings or diagnostic data.
In an August 2017 firmware update of its implantable pacemakers, Abbott reported no serious events. Approximately 0.62 percent of devices experienced an incomplete update and remained in the backup pacing mode. However, the devices were restored to the prior firmware version or received the update successfully after Technical Services was contacted and intervened.
Around 0.14 percent of patients complained of diaphragmatic or pocket stimulation, or general discomfort for the time that the device was in the backup pacing mode. However, there have been no cases reported to Abbott where the device remained in backup mode following an attempted firmware update, the FDA related.
The FDA recommended that healthcare providers discuss the benefits and risks of the update with the patient at the next regularly scheduled visit. Providers should consider each patient's circumstances, such as pacemaker dependence, frequency of high voltage therapy, age of the device, and patient preference. The FDA said that it did not recommend removing or replacing the affected devices.
In a press release, Abbott stressed that there have been no reports of hackers successfully gaining access to the implantable defibrillators. "Technology and its security are always evolving, and this firmware upgrade is part of our commitment to ensuring our products include the latest advancements and protections for patients," said Abbott Executive Vice President for Medical Devices Robert Ford.