Feature | EP Lab | August 29, 2017 | Dave Fornell

Abbott, St. Jude Medical Fixes Cybersecurity Vulnerabilities of its Pacemakers, ICDs

Firmware update will prevent patient safety cyber security breaches and address ICD battery depletion issues

Abbott. St. Jude Medical has updated its firmware to address cybersecurity issues with its Allure Quadra MP and other EP devices

August 29, 2017 — The U.S. Food and Drug Administration (FDA) approved a firmware update that is now available to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities involving certain Abbott (formerly St. Jude Medical) pacemakers and defibrillators. This updated software is intended to address a recall of these devices and an FDA corrective action involving these devices.    

The firmware update will be available beginning Aug. 29, 2017. Pacemakers manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device. The firmware update requires an in-person patient visit with a healthcare provider; it cannot be done from home via the Merlin.net patient monitoring device. The update process will take approximately three minutes to complete. The firmware update process is described in Abbott's Dear Doctor Letter issued on Aug. 28, 2017.

“As we’ve said previously, Abbott is resolving all old St. Jude Medical issues,” said Jonathon Hamilton, Abbott public affairs. “These planned updates further strengthen the security and device management tools for our connected cardiac rhythm management devices.”

The new device updates include a battery performance alert for the company’s implantable cardioverter defibrillators (ICDs) that gives physicians earlier warning of the low-risk potential for premature battery depletion. They also include a planned pacemaker firmware update that adds security protections designed to reduce the risk of unauthorized access to patients' pacemakers.

"Connected devices are having a significant positive impact for patients and their health," said Robert Ford, executive vice president, medical devices, Abbott. "To further protect our patients, Abbott has developed new firmware with additional security measures that can be installed on our pacemakers."

There have been no reports of unauthorized access to any patient's implanted device, according to an advisory issued by the U.S. Department of Homeland Security. Abbott said compromising the security of these devices would require a highly complex set of circumstances. The FDA said it reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.

Abbott said it is communicating with regulatory authorities worldwide to implement the new updates to the implantable devices. Abbott's recommendation, and that of its Cyber Security Medical Advisory Board, is that a patient have a conversation with their physician to determine if the update is right for them. Abbott will continue to make updates and product enhancements across its devices as part of the company's ongoing commitment to provide safe, effective and secure products for patients.

The FDA said many medical devices — including St. Jude Medical's implantable cardiac pacemakers — contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.

"All industries need to be constantly vigilant against unauthorized access," continued Ford.  "This isn't a static process, which is why we're working with others in the healthcare sector to ensure we're proactively addressing common topics to further advance the security of devices and systems."

Read an overview of medical device cybersecurity and the issues with Abbott's devices leading up to this firmware update in the article Raising the Bar for Medical Device Cyber Security.

 

No Reason to Explant SJM Pacemakers

The FDA and Abbott do not recommend prophylactic removal and replacement of affected devices. 

The FDA recommends that doctors discuss the risks and benefits of the cybersecurity vulnerabilities and the associated firmware update with patients at the next regularly scheduled visit. As part of this discussion, the FDA said it is important to consider each patient's circumstances, such as pacemaker dependence, age of the device and patient preference, and to provide patients with Abbott's Patient Communication.

The agency said physicians should determine if the update is appropriate for the given patient based on the potential benefits and risks. If deemed appropriate, install the firmware update following the instructions on the programmer. For pacing-dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator can be readily provided. Also, providers should print or digitally store the programmed device settings and the diagnostic data in case of loss during the update. After the update, confirm that the device maintains its functionality, is not in backup mode and that the programmed parameters have not changed.

 

Abbott Addresses ICD Battery Performance Problems 

In October 2016, Abbott notified physicians and patients that a subset of ICD and cardiac resynchronization therapy defibrillator (CRT-D) devices manufactured between January 2010 and May 2015 could potentially experience premature battery depletion due to short circuits from lithium clusters.

The potential for premature battery depletion in the affected devices is low. The new battery performance alert can be used as a tool to further assist in identifying the potential for these devices to experience premature battery depletion.

More detailed information on the battery performance alert algorithm testing methods and performance can be found on the website www.sjm.com/batteryupdate.

 

Updated Pacemaker Firmware Addresses Cybersecurity Concerns

Abbott said the new pacemaker firmware update is part of Abbott's planned enhancements that began with updates announced in January 2017 to the Merlin@home v8.2.2 software. The new updates provide an additional layer of security against unauthorized access to these devices. The update contains a software release that includes data encryption, operating system patches and the ability to disable network connectivity features, in addition to the firmware update.

The pacemaker devices to which this update applies include the RF telemetry versions of the following devices in the U.S.: Accent SR RF, Accent MRI, Assurity, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF and Quadra Allure MP RF. 

This update will be released outside the U.S. following local regulatory approvals. Outside of the U.S., the pacemaker devices to which this update applies include the RF telemetry versions of the following devices: Accent SR RF, Accent ST, Accent MRI, Accent ST MRI, Assurity, Assurity+, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF, Quadra Allure MP RF, Quadra Allure and Quadra Allure MP.

Every pacemaker manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device and those devices will not need to be updated. Based on Abbott's consultation with the FDA, this update is being treated as a field action. However, Abbott and the FDA have both said the devices should continue to function as intended and replacement of implanted pacemaker devices is not recommended.

Abbott said it is communicating with the FDA, the U.S. Department of Homeland Security and global regulators, and works with leading independent security experts, to strengthen protections against unauthorized access to its devices. 

In part due to the cybersecurity issues of St. Jude Medical's electrophysiology (EP) devices revealed last year, the FDA has announced it plans to regulate medical device cyber security in the future. Read the article FDA Seeks Management of Cybersecurity in Medical Devices.

 

Where to Find Information on the Abbott/St. Jude Medical Cybersecurity Updates

For more information about the pacemaker firmware update, please contact the dedicated hotline at (800) 722-3774 (U.S.). Abbott has created additional resources to address questions from physicians and patients about these updates at www.sjm.com/cyberupdate and www.sjm.com/batteryupdate.

DAIC has created a cybersecurity channel that will include related news as it becomes available. 

For more information: www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm573854.htm

 

Here is a list of aggregated DAIC content about cybersecurity relating to cardiology — “The State of Healthcare Cyber Security.”

 
