Abbott addresses pacemaker hacking fears
On August 23, 2017, the FDA approved a firmware update that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers. "Firmware" is a specific type of software embedded in the hardware of a medical device (e.g. a component in the pacemaker).
For the purposes of this safety communication, cybersecurity focuses on protecting patients' medical devices and their associated computers, networks, programs, and data from unintended or unauthorized access, change, or destruction.
The FDA recommends that patients and their health care providers discuss the risks and benefits of the cybersecurity vulnerabilities and the associated firmware update designed to address such vulnerabilities at their next regularly scheduled visit.
Summary of Problem and Scope
Many medical devices—including St. Jude Medical's implantable cardiac pacemakers—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.
The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.
There are no known reports of patient harm related to the cybersecurity vulnerabilities in the 465,000 (U.S.) implanted devices impacted.
To address these cybersecurity vulnerabilities and improve patient safety, St. Jude Medical has developed and validated this firmware update as a corrective action (recall) for all of their RF-enabled pacemaker devices, including cardiac resynchronization pacemakers. The FDA has approved St. Jude Medical's firmware update to ensure that it addresses these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm.
After installing this update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so. The Merlin Programmer and Merlin@home Transmitter will provide such authorization.
The firmware update will be available beginning August 29, 2017. Pacemakers manufactured beginning August 28, 2017 will have this update pre-loaded in the device and will not need the update.
Firmware Update Details
The firmware update requires an in-person patient visit with a health care provider – it cannot be done from home via Merlin.net. The update process will take approximately 3 minutes to complete. During this time, the device will operate in backup mode (pacing at 67 beats per minute), and essential, life-sustaining features will remain available. At the completion of the update, the device will return to its pre-update settings.
As with any firmware update, there is a very low risk of an update malfunction. Based on St. Jude Medical's previous firmware update experience, installing the updated firmware could potentially result in the following malfunctions (including the rate of occurrence previously observed):
- reloading of previous firmware version due to incomplete update (0.161%),
- loss of currently programmed device settings (0.023%),
- loss of diagnostic data (none reported), or
- complete loss of device functionality (0.003%).
Recommendations for Health Care Providers:
- The FDA and Abbott do NOT recommend prophylactic removal and replacement of affected devices.
- Discuss the risks and benefits of the cybersecurity vulnerabilities and associated firmware update with your patients at the next regularly scheduled visit. As part of this discussion, it is important to consider each patient's circumstances, such as pacemaker dependence, age of the device, and patient preference, and provide them with Abbott's Patient Guide.
- Determine if the update is appropriate for the given patient based on the potential benefits and risks. If deemed appropriate, install the firmware update following the instructions on the programmer.
- For pacing dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator can be readily provided.
- Print or digitally store the programmed device settings and the diagnostic data in case of loss during the update.
- After the update, confirm that the device maintains its functionality, is not in backup mode, and that the programmed parameters have not changed.
The firmware update process is described in Abbott's Dear Doctor Letter issued on August 28, 2017.
The FDA will continue to assess new information concerning the cybersecurity of Abbott's implantable cardiac devices and the Merlin@home Transmitter, and will keep the public informed if the FDA's recommendations change.
The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery.
The FDA will continue its work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle. The FDA takes reports of vulnerabilities in medical devices very seriously and has issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.
Reporting Problems to the FDA
Prompt reporting of adverse events can help the FDA identify and better understand the risks related to the use of medical devices. If you suspect or experience a problem with these devices, we encourage you to file a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program. Health care personnel employed by facilities that are subject to the FDA's user facility reporting requirements should follow the reporting procedures established by their facilities.