Implantable Cardiac Pacemakers by Abbott (formerly St. Jude Medical): Safety Communication

Pacemaker security flaw

Implantable Cardiac Pacemakers by Abbott (formerly St. Jude Medical): Safety Communication - Firmware Update to Address Cybersecurity Vulnerabilities

The U.S. Food and Drug Administration and Abbott on Tuesday said that patients with certain St. Jude pacemakers should check in with their doctors for firmware updates for the devices to prevent them from being hacked.

The update requires affected patients to have an in-person visit with their health care provider.

"As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a device operates", the FDA said in a safety communication Tuesday.

The devices must be given a firmware update to protect them against a set of critical vulnerabilities, first reported by MedSec, which could drain pacemaker battery life, allow attackers to change programmed settings, or even change the beats and rhythm of the device. Shortly thereafter, St. Jude Medical announced it would sue four entities and three individuals involved in making the allegations, the FDA launched an investigation, and the Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team commenced an analysis.

In January, Abbott issued a security update for other vulnerable St. Jude cardiac devices connected to the Merlin@home Transmitter.

Discuss the risks and benefits of the cybersecurity vulnerabilities and associated firmware update with your patients at the next regularly scheduled visit. "If deemed appropriate, install the firmware update following the instructions on the programmer", the FDA stated in its release. All devices made from August 28 will come with the updated firmware.

However, doctors have been advised by Abbott to update only if "appropriate given the risk of update for the patient".

There are now no known reports of patient harm for the 465,000 implanted devices in question, according to the FDA.

But as a precaution, Abbott says that pacing dependent patients should be given the update in a facility where temporary pacing and a pacemaker generator are on hand.

The patch comes eight months after Abbott released an update meant to fix a vulnerability with the device now providing pacemaker authorization, namely Merlin@home Transmitter.

"These are part of planned updates we mentioned back in January, and further strengthen the security and device management tools for our connected cardiac rhythm management (CRM) devices", Steele Flippin said of this week's pacemaker update.

Latest News