Abbott/St. Jude Medical has updated its firmware to address cybersecurity issues with its Allure Quadra MP and other EP devices.
August 29, 2017 — The U.S. Food and Drug Administration (FDA) approved a firmware update that is now available to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities involving certain Abbott (formerly St. Jude Medical) pacemakers and defibrillators. This updated software is intended to address a recall of these devices and an FDA corrective action involving these devices.
The firmware update will be available beginning Aug. 29, 2017. Pacemakers manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device. The firmware update requires an in-person patient visit with a healthcare provider; it cannot be done from home via the Merlin.net patient monitoring device. The update process will take approximately three minutes to complete. The firmware update process is described in Abbott's Dear Doctor Letter issued on Aug. 28, 2017.
“As we’ve said previously, Abbott is resolving all old St. Jude Medical issues,” said Jonathon Hamilton, Abbott public affairs. “These planned updates further strengthen the security and device management tools for our connected cardiac rhythm management devices.”
The new device updates include a battery performance alert for the company’s implantable cardioverter defibrillators (ICDs) that provides physicians with earlier warning of the potential for the low risk of premature battery depletion. They also include a planned update to pacemaker firmware to add additional security protections designed to reduce the risk of unauthorized access to patients' pacemakers.
"Connected devices are having a significant positive impact for patients and their health," said Robert Ford, executive vice president, medical devices, Abbott. "To further protect our patients, Abbott has developed new firmware with additional security measures that can be installed on our pacemakers."
There have been no reports of unauthorized access to any patient's implanted device, according to an advisory issued by the U.S. Department of Homeland Security. Abbott said compromising the security of these devices would require a highly complex set of circumstances. The FDA said it reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.
Abbott said it is communicating with regulatory authorities worldwide to implement the new updates to the implantable devices. Abbott's recommendation, and that of its Cyber Security Medical Advisory Board, is that a patient have a conversation with their physician to determine if the update is right for them. Abbott will continue to make updates and product enhancements across its devices as part of the company's ongoing commitment to provide safe, effective and secure products for patients.
The FDA said many medical devices — including St. Jude Medical's implantable cardiac pacemakers — contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.
"All industries need to be constantly vigilant against unauthorized access," continued Ford. "This isn't a static process, which is why we're working with others in the healthcare sector to ensure we're proactively addressing common topics to further advance the security of devices and systems."
Read an overview of medical device cybersecurity and the issues with Abbott's devices leading up to this firmware update in the article "Raising the Bar for Medical Device Cyber Security."
No Reason to Explant SJM Pacemakers
The FDA and Abbott do not recommend prophylactic removal and replacement of affected devices.
The FDA recommends that doctors discuss the risks and benefits of the cybersecurity vulnerabilities and associated firmware update with patients at the next regularly scheduled visit. As part of this discussion, the FDA said it is important to consider each patient's circumstances, such as pacemaker dependence, age of the device and patient preference, and to provide them with Abbott's Patient Communication.
The agency said physicians should determine if the update is appropriate for the given patient based on the potential benefits and risks. If deemed appropriate, install the firmware update following the instructions on the programmer. For pacing dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator can be readily provided. Also, providers should print or digitally store the programmed device settings and the diagnostic data in case of loss during the update. After the update, confirm that the device maintains its functionality, is not in backup mode and that the programmed parameters have not changed.
Abbott Addresses ICD Battery Performance Problems
In October 2016, Abbott notified physicians and patients that a subset of ICD and cardiac resynchronization therapy defibrillator (CRT-D) devices manufactured between January 2010 and May 2015 could potentially experience premature battery depletion due to short circuits from lithium clusters.
The potential for premature battery depletion in the affected devices is low. The new battery performance alert can be used as a tool to further assist in identifying the potential for these devices to experience premature battery depletion.
More detailed information on the battery performance alert algorithm testing methods and performance can be found on the website www.sjm.com/batteryupdate.
Updated Pacemaker Firmware Addresses Cybersecurity Concerns
Abbott said the new pacemaker firmware update is part of Abbott's planned enhancements that began with updates announced in January 2017 to the Merlin@home v8.2.2 software. The new updates provide an additional layer of security against unauthorized access to these devices. The update contains a software release that includes data encryption, operating system patches and the ability to disable network connectivity features, in addition to the firmware update.
The pacemaker devices to which this update applies include the RF telemetry versions of the following devices in the U.S.: Accent SR RF, Accent MRI, Assurity, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF and Quadra Allure MP RF.
This update will be released outside the U.S. following local regulatory approvals. Outside of the U.S., the pacemaker devices to which this update applies include the RF telemetry versions of the following devices: Accent SR RF, Accent ST, Accent MRI, Accent ST MRI, Assurity, Assurity+, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF, Quadra Allure MP RF, Quadra Allure and Quadra Allure MP.
Every pacemaker manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device and those devices will not need to be updated. Based on Abbott's consultation with the FDA, this update is being treated as a field action. However, Abbott and the FDA have both said the devices should continue to function as intended and replacement of implanted pacemaker devices is not recommended.
Abbott said it is communicating with the FDA, the U.S. Department of Homeland Security and global regulators, and works with leading independent security experts, to strengthen protections against unauthorized access to its devices.
In part due to the cybersecurity issues of St. Jude Medical's electrophysiology (EP) devices revealed last year, the FDA has announced it plans to regulate medical device cyber security in the future. Read the article "FDA Seeks Management of Cybersecurity in Medical Devices."
Where to Find Information on the Abbott/St. Jude Medical Cybersecurity Updates
For more information about the pacemaker firmware update, please contact the dedicated hotline at (800) 722-3774 (U.S.). Abbott has additional resources available to address questions from physicians and patients about these updates at www.sjm.com/cyberupdate and www.sjm.com/batteryupdate.
DAIC has created a cybersecurity channel that will include related news as it becomes available.
For more information: www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm573854.htm
Here is a list of aggregated DAIC content about cybersecurity relating to cardiology — “The State of Healthcare Cyber Security.”