Abbott releases firmware to fix cyber vulnerabilities in cardiac devices
Medical device manufacturer Abbott has released a firmware upgrade to fix cybersecurity vulnerabilities in certain radio frequency-enabled implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators.
The Food and Drug Administration approved the upgrade to Abbott’s implantable ICDs and CRT-Ds, which were originally manufactured by St. Jude Medical, which was bought by Abbott last year.
The FDA recommends that all eligible patients receive the firmware update, which requires an in-person patient visit with a healthcare provider, at their next regularly scheduled visit or when appropriate.
The regulatory agency reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities could enable an unauthorized user to access a patient’s device using commercially available equipment.
“Cybersecurity risks in networked medical devices are constantly evolving, which means medical device manufacturers and hospitals must be vigilant in the face of changing threats in order to protect patient safety,” said William Maisel, acting director of the Office of Device Evaluation and chief scientist in the FDA’s Center for Devices and Radiological Health. “Because all networked medical devices are potentially vulnerable to cybersecurity threats, the FDA has been working diligently with device manufacturers and other stakeholders to ensure the benefits of medical devices to patients continue to outweigh any potential cybersecurity risks.”
According to Abbott, there have been no reports of unauthorized access to any patient’s implanted device, and no new vulnerabilities have been identified. The company contends that the cybersecurity update provides an additional layer of security against unauthorized access to these devices, preventing anyone other than a patient’s physician from changing device settings.
“Technology and its security are always evolving, and this firmware upgrade is part of our commitment to ensuring our products include the latest advancements and protections for patients,” said Robert Ford, Abbott’s executive vice president for medical devices.
In addition to the cybersecurity update, the firmware upgrade includes an enhanced device-based battery performance alert to enable patients and physicians to better manage battery performance. The updates are part of a series of planned firmware releases that Abbott announced in 2017 for pacemakers, programmers, and remote monitoring systems and are now available for ICDs and CRT-Ds.
The cybersecurity update is for the following families of ICD and CRT-D devices: Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura, Unify Quadra, Promote Quadra and Ellipse. The battery performance alert update is for the following high-voltage devices manufactured between January 2010 and May 2015: Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura and Unify Quadra.