Feature | EP Lab | August 29, 2017 | Dave Fornell

Abbott, St. Jude Medical Fixes Cybersecurity Vulnerabilities of its Pacemakers, ICDs

Firmware update will prevent patient safety cyber security breaches and address ICD battery depletion issues

Abbott. St. Jude Medical has updated its firmware to address cybersecurity issues with its Allure Quadra MP and other EP devices

August 29, 2017 — The U.S. Food and Drug Administration (FDA) approved a firmware update that is now available to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities involving certain Abbott (formerly St. Jude Medical) pacemakers and defibrillators. This updated software is intended to address a recall of these devices and an FDA corrective action involving these devices.    

The firmware update will be available beginning Aug. 29, 2017. Pacemakers manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device. The firmware update requires an in-person patient visit with a healthcare provider; it cannot be done from home via the Merlin.net patient monitoring device. The update process will take approximately three minutes to complete. The firmware update process is described in Abbott's Dear Doctor Letter issued on Aug. 28, 2017.

“As we’ve said previously, Abbott is resolving all old St. Jude Medical issues,” said Jonathon Hamilton, Abbott public affairs. “These planned updates further strengthen the security and device management tools for our connected cardiac rhythm management devices.”

The new device updates include a battery performance alert for the company’s implantable cardioverter defibrillators (ICDs) that gives physicians earlier warning of potential premature battery depletion, the risk of which is low. They also include a planned update to pacemaker firmware that adds security protections designed to reduce the risk of unauthorized access to patients' pacemakers.

"Connected devices are having a significant positive impact for patients and their health," said Robert Ford, executive vice president, medical devices, Abbott. "To further protect our patients, Abbott has developed new firmware with additional security measures that can be installed on our pacemakers."

There have been no reports of unauthorized access to any patient's implanted device, according to an advisory issued by the U.S. Department of Homeland Security. Abbott said compromising the security of these devices would require a highly complex set of circumstances. The FDA said it reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.

Abbott said it is communicating with regulatory authorities worldwide to implement the new updates to the implantable devices. Abbott's recommendation, and that of its Cyber Security Medical Advisory Board, is that a patient have a conversation with their physician to determine if the update is right for them. Abbott will continue to make updates and product enhancements across its devices as part of the company's ongoing commitment to provide safe, effective and secure products for patients.

The FDA said many medical devices — including St. Jude Medical's implantable cardiac pacemakers — contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.

"All industries need to be constantly vigilant against unauthorized access," continued Ford. "This isn't a static process, which is why we're working with others in the healthcare sector to ensure we're proactively addressing common topics to further advance the security of devices and systems."

Read an overview of medical device cybersecurity and the issues with Abbott's devices leading up to this firmware update in the article Raising the Bar for Medical Device Cyber Security.


No Reason to Explant SJM Pacemakers

The FDA and Abbott do not recommend prophylactic removal and replacement of affected devices. 

The FDA recommends that doctors discuss the risks and benefits of the cybersecurity vulnerabilities and associated firmware update with patients at the next regularly scheduled visit. As part of this discussion, the FDA said it is important to consider each patient's circumstances, such as pacemaker dependence, age of the device and patient preference, and to provide them with Abbott's Patient Communication.

The agency said physicians should determine if the update is appropriate for the given patient based on the potential benefits and risks. If deemed appropriate, install the firmware update following the instructions on the programmer. For pacing-dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and a pacemaker generator can be readily provided. Also, providers should print or digitally store the programmed device settings and the diagnostic data in case of loss during the update. After the update, confirm that the device maintains its functionality, is not in backup mode and that the programmed parameters have not changed.


Abbott Addresses ICD Battery Performance Problems 

In October 2016, Abbott notified physicians and patients that a subset of ICD and cardiac resynchronization therapy defibrillator (CRT-D) devices manufactured between January 2010 and May 2015 could potentially experience premature battery depletion due to short circuits from lithium clusters.

The potential for premature battery depletion in the affected devices is low. The new battery performance alert can be used as a tool to further assist in identifying the potential for these devices to experience premature battery depletion.

More detailed information on the battery performance alert algorithm testing methods and performance can be found on the website www.sjm.com/batteryupdate.


Updated Pacemaker Firmware Addresses Cybersecurity Concerns

Abbott said the new pacemaker firmware update is part of Abbott's planned enhancements that began with updates announced in January 2017 to the Merlin@home v8.2.2 software. The new updates provide an additional layer of security against unauthorized access to these devices. The update contains a software release that includes data encryption, operating system patches and the ability to disable network connectivity features, in addition to the firmware update.

The pacemaker devices to which this update applies include the RF telemetry versions of the following devices in the U.S.: Accent SR RF, Accent MRI, Assurity, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF and Quadra Allure MP RF. 

This update will be released outside the U.S. following local regulatory approvals. Outside of the U.S., the pacemaker devices to which this update applies include the RF telemetry versions of the following devices: Accent SR RF, Accent ST, Accent MRI, Accent ST MRI, Assurity, Assurity+, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF, Quadra Allure MP RF, Quadra Allure and Quadra Allure MP.

Every pacemaker manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device and those devices will not need to be updated. Based on Abbott's consultation with the FDA, this update is being treated as a field action. However, Abbott and the FDA have both said the devices should continue to function as intended and replacement of implanted pacemaker devices is not recommended.

Abbott said it is communicating with the FDA, the U.S. Department of Homeland Security and global regulators, and works with leading independent security experts, to strengthen protections against unauthorized access to its devices. 

In part due to the cybersecurity issues of St. Jude Medical's electrophysiology (EP) devices revealed last year, the FDA has announced it plans to regulate medical device cybersecurity in the future. Read the article FDA Seeks Management of Cybersecurity in Medical Devices.


Where to Find Information on the Abbott/St. Jude Medical Cybersecurity Updates

For more information about the pacemaker firmware update, please contact the dedicated hotline at (800) 722-3774 (U.S.). Abbott has created additional resources to address questions from physicians and patients about these updates at www.sjm.com/cyberupdate and www.sjm.com/batteryupdate.

DAIC has created a cybersecurity channel that will include related news as it becomes available. 

For more information: www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm573854.htm


Here is a list of aggregated DAIC content about cybersecurity relating to cardiology — “The State of Healthcare Cyber Security.”

