Abbott pacemakers dealing with cyber security issues

The US Food and Drug Administration (FDA) has confirmed that 465,000 pacemakers, manufactured by global healthcare company Abbott Laboratories, have cyber security issues. A further 280,000 devices elsewhere are also affected, the company said.

The cyber security flaws could theoretically be used to cause the devices to pace too quickly or run down their batteries, according to a media report.

However, Abbott said it was not aware of any cases of this happening, adding that it would require a “highly complex set of circumstances”.

The Department of Homeland Security has said that an attacker would need “high skill” to exploit the vulnerabilities, one report added.

In August, the FDA approved a firmware update that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cyber security vulnerabilities for certain Abbott, formerly St Jude Medical Inc, pacemakers.

Pacemakers manufactured since Aug 28, 2017, will have this update pre-loaded in the device and will not need the latest update, the FDA statement said.

The FDA said it has reviewed information concerning potential cyber security vulnerabilities associated with
St Jude Medical’s radio frequency-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorised user (ie someone other than the patient’s physician) to access a patient’s device using commercially equipment.

“This access could be used to modify programming commands
to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the statement added.

It noted that many medical devices, including St Jude Medical’s implantable cardiac pacemakers, contain configurable embedded computer systems that can be vulnerable to cyber security intrusions and exploits.

As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cyber security vulnerabilities, some of which could affect how a medical device operates, it added.

In its recomnendation, the FDA said the firmware update requires an in-person patient visit with a healthcare provider, and that it cannot be done from home.

Patients are being advised to ask their doctors about an available firmware update at their next scheduled appointment, it said.

In February, Abbott had announced that the FDA approved magnetic resonance-conditional labelling for its Assurity MRI (magnetic resonance imaging) pacemaker, touted by the company as the “world’s smallest and longest-lasting” MRI-compatible wireless pacemaker.

The US launch for the Assurity MRI and the Tendril MRI pacing lead is expected to jump-start the St Jude Medical’s — now owned by Abbott — cardiac rhythm management business, which has been “challenging” in recent quarters.

The Assurity MRI pacemaker received the “CE Mark” approval in May 2015, and the FDA approval was expected to follow shortly after, but experienced some delays, according to the Star Tribune. The subsequent launch of similar MRI-compatible pacemakers by competitors Boston Scientific Corp and Medtronic plc undercut St Jude Medical’s bottomline in its cardiac rhythm segment.

In St Jude Medical’s last quarterly earnings call before acquisition by Abbott, CEO Michael Rousseau commented that the cardiac rhythm business was “challenged” by portfolio gaps, but these were expected to resolve once the FDA approval came through in early 2017. Abbott’s US$25 billion (RM106 billion) acquisition of St Jude Medical was finalised in February.