Feature | EP Lab | August 29, 2017| Dave Fornell

Abbott, St. Jude Medical Fixes Cybersecurity Vulnerabilities of its Pacemakers, ICDs

Firmware update will prevent patient safety cyber security breaches and address ICD battery depletion issues

Abbott. St. Jude Medical has updated its firmware to address cybersecurity issues with its Allure Quadra MP and other EP devices

Abbott. St. Jude Medical has updated its firmware to address cybersecurity issues with its Allure Quadra MP and other EP devices.

August 29, 2017 — The U.S. Food and Drug Administration (FDA) approved a firmware update that is now available to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities involving certain Abbott (formerly St. Jude Medical) pacemakers and defibrillators. This updated software is intended to address a recall of these devices and an FDA corrective action involving these devices.    

The firmware update will be available beginning Aug. 29, 2017. Pacemakers manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device. The firmware update requires an in-person patient visit with a healthcare provider; it cannot be done from home via the Merlin.net patient monitoring device. The update process will take approximately three minutes to complete. The firmware update process is described in Abbott's Dear Doctor Letter issued on Aug. 28, 2017.

“As we’ve said previously, Abbott is resolving all old St. Jude Medical issues.” said Jonathon Hamilton, Abbott public affairs. “These planned updates further strengthen the security and device management tools for our connected cardiac rhythm management devices.”

The new device updates include a battery performance alert for the company’s implantable cardioverter defibrillators (ICDs) that provides physicians with earlier warning of the potential for the low risk of premature battery depletion. They also include a planned update to pacemaker firmware to add additional security protections designed to reduce the risk of unauthorized access to patients' pacemakers.

"Connected devices are having a significant positive impact for patients and their health," said Robert Ford, executive vice president, medical devices, Abbott. "To further protect our patients, Abbott has developed new firmware with additional security measures that can be installed on our pacemakers."

There have been no reports of unauthorized access to any patient's implanted device, according to an advisory issued by the U.S. Department of Homeland Security. Abbott said compromising the security of these devices would require a highly complex set of circumstances. The FDA said it reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.

Abbott said it is communicating with regulatory authorities worldwide to implement the new updates to the implantable devices. Abbott's recommendation, and that of its Cyber Security Medical Advisory Board, is that a patient have a conversation with their physician to determine if the update is right for them. Abbott will continue to make updates and product enhancements across its devices as part of the company's ongoing commitment to provide safe, effective and secure products for patients.

The FDA said many medical devices — including St. Jude Medical's implantable cardiac pacemakers — contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.

"All industries need to be constantly vigilant against unauthorized access," continued Ford.  "This isn't a static process, which is why we're working with others in the healthcare sector to ensure we're proactively addressing common topics to further advance the security of devices and systems."

Read an overview of medical device cybersecurity and the issues with Abbott's devices leading up to this firmware update in the article Raising the Bar for Medical Device Cyber Security.


No Reason to Explant SJM Pacemakers

The FDA and Abbott do not recommend prophylactic removal and replacement of affected devices. 

The FDA recommends doctors discussing the risks and benefits of the cybersecurity vulnerabilities and associated firmware update with patients at the next regularly scheduled visit. As part of this discussion, the FDA said it is important to consider each patient's circumstances, such as pacemaker dependence, age of the device, and patient preference and provide them with Abbott's Patient Communication.

The agency said physicians should determine if the update is appropriate for the given patient based on the potential benefits and risks. If deemed appropriate, install the firmware update following the instructions on the programmer. For pacing dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator can be readily provided. Also, providers should print or digitally store the programmed device settings and the diagnostic data in case of loss during the update. After the update, confirm that the device maintains its functionality, is not in backup mode and that the programmed parameters have not changed.


Abbott Addresses ICD Battery Performance Problems 

In October 2016, Abbott notified physicians and patients that a subset of ICD and cardiac resynchronization therapy defibrillator (CRT-D) devices manufactured between January 2010 and May 2015 could potentially experience premature battery depletion due to short circuits from lithium clusters.

The potential for premature battery depletion in the affected devices is low. The new battery performance alert can be used as a tool to further assist in identifying the potential for these devices to experience premature battery depletion.

More detailed information on the battery performance alert algorithm testing methods and performance can be found on the website www.sjm.com/batteryupdate.


Updated Pacemaker Firmware Addresses Cybersecurity Concerns

Abbott said the new pacemaker firmware update is part of Abbott's planned enhancements that began with updates announced in January 2017 to the [email protected] v8.2.2 software. The new updates provide an additional layer of security against unauthorized access to these devices. The update contains a software release that includes data encryption, operating system patches and the ability to disable network connectively features, in addition to the firmware update.

The pacemaker devices to which this update applies include the RF telemetry versions of the following devices in the U.S.: Accent SR RF, Accent MRI, Assurity, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF and Quadra Allure MP RF. 

This update will be released outside the U.S. following local regulatory approvals. Outside of the U.S., the pacemaker devices to which this update applies include the RF telemetry versions of the following devices: Accent SR RF, Accent ST, Accent MRI, Accent ST MRI, Assurity, Assurity+, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF, Quadra Allure MP RF, Quadra Allure and Quadra Allure MP.

Every pacemaker manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device and those devices will not need to be updated. Based on Abbott's consultation with the FDA, this update is being treated as a field action. However, Abbott and the FDA have both said the devices should continue to function as intended and replacement of implanted pacemaker devices is not recommended.

Abbott said it is communicating with the FDA, the U.S. Department of Homeland Security and global regulators, and works with leading independent security experts, to strengthen protections against unauthorized access to its devices. 

In part due to the cybersecurity issues of St. Jude Medical's electrophysiology (EP) devices revealed last year, the FDA has announced it plans to regulate medical device cyber security in the future. Read the article FDA Seeks Management of Cybersecurity in Medical Devices


Where to Find Information on the Abbott/St. Jude Medical Cybersecerity Updates

For more information about the pacemaker firmware update, please contact the dedicated hotline at (800) 722-3774 (U.S.). Abbott created has additional resources available to address questions from physicians and patients about these updates at www.sjm.com/cyberupdate and www.sjm.com/batteryupdate.

DAIC has created a cybersecurity channel that will include related news as it becomes available. 

For more information: www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm573854.htm


Here is a list of aggregated DAIC content about cybersecurity relating to cardiology — “The State of Healthcare Cyber Security.”


Related Content

Average Age of U.S. Cardiologists Up While Income is Down
News | Cardiovascular Business | October 25, 2018
Overall cardiology compensation has dropped for the first time since 2014, according to the sixth annual Cardiovascular...
American Heart Association and The Joint Commission Merge Cardiac Certification Programs
News | Cardiovascular Business | October 15, 2018
The nation’s two leading cardiac accreditation and certification organizations are joining forces to offer a single...
A hands-on-training session at TCT 2018 that instructed interventional cardiologists how to use an intra-cardiac echo (ICE) catheter to image the chambers inside the heart with a catheter based ultrasound imaging system.  The training area was sponsored by Siemens Healthineers

A Siemens-sponsored hands-on-training session at TCT 2018 that instructed interventional cardiologists how to use an intra-cardiac echo (ICE) catheter to image the chambers inside the heart with a catheter based ultrasound imaging system.  Regular training is needed to build customer satisfaction, especially in light of regular staff turnover.

Feature | Cardiovascular Business | October 10, 2018 | John Larson
Years ago, I owned a computer that ran a spreadsheet program called Lotus 1-2-3.
ZHealth Launches Etch Cardiovascular Coding Software
Technology | Cardiovascular Business | October 10, 2018
October 10, 2018 — Medical coding software provider ZHealth recently unveiled Etch, the first-ever software platform
GlobalData: Amazon Poised to Make Huge Strides in Healthcare
News | Cardiovascular Business | August 31, 2018
A new report from data and analytics company GlobalData suggests that Amazon is poised to make huge strides in...
CMS Proposes Overhaul of Medicare's Accountable Care Organization Program
News | Cardiovascular Business | August 09, 2018
The Centers for Medicare & Medicaid Services (CMS) issued a proposed rule August 9 that would overhaul the Medicare...
ECRI Institute Announces New Clinical Guideline Repository Website
News | Cardiovascular Business | July 27, 2018
July 27, 2018 — Following the deactivation of the National Guideline Clearinghouse (NGC) by the Agency for Healthcare
FDA Releases New Report Assessing Quality, Safety and Effectiveness of Medical Device Servicing
News | Cardiovascular Business | June 07, 2018
A new report from the U.S. Food and Drug Administration (FDA) discusses the continued quality, safety and effectiveness...
DAIC Editor Dave Fornell won the 2018 AZBEE national silver award for best blog for "The Future of Cardiology: 17 Technologies to Watch. DAIC magazine - diagnostic and interventional cardiology magazine.
News | Cardiovascular Business | May 14, 2018
May 14, 2018 — Diagnostic and Interventional Cardiology (DAIC) magazine was honored with a ...
FDA Announces New Medical Device Safety Action Plan
News | Cardiovascular Business | April 25, 2018
The U.S. Food and Drug Administration (FDA) released a new Medical Device Safety Action Plan outlining how the agency...
Overlay Init