FDA green-lights firmware update to address cybersecurity concerns for pacemakers

Randall Padilla
August 31, 2017

Abbott spokesman Jonathon Hamilton said in a statement Wednesday that Abbott is "resolving all old St. Jude medical issues".

Abbott says that new pacemakers made as of 28 August will come pre-patched with the update, and both the company and FDA say that already-implanted devices should not be physically replaced due to cybersecurity concerns.

The FDA has reviewed information that suggests hackers could use commercially-available equipment to gain access to a patient's device. The risks, which include reloading previous firmware due to an incomplete installation, loss of now programmed settings and loss of device functionality all occur at rates well below 1%.

Now, 465,000 people in the USA with these implanted devices must visit their healthcare provider to receive a firmware update that can fix the vulnerabilities. 465,000 implanted pacemakers are now eligible for the new software updates.

According to Abbott, the update itself should take around three minutes, during which the devices will operate on a backup mode that keeps pacing at 67 beats per minute.

The agency says the firmware update requires an in-person visit with a healthcare provider; the devices can not be updated from home.

Patients' devices will be updated with the new battery alert automatically.

"Determine if the update is appropriate for the given patient based on the potential benefits and risks", the FDA instructs.

Doctors will now get a warning should batteries run to dangerously low levels thanks to the new software updates.

Unfortunately, installing the firmware update can result in a failure to update altogether, the loss of programmed settings, the loss of diagnostic data, as well as a very small risk - 0.003 percent - of complete functionality loss.

St. Jude released a first round of security updates in January after working with the FDA and the DHS's ICS-CERT to resolve the issues originally reported by short-seller Muddy Waters Capital and security firm MedSec.

For pacing dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator can be readily provided.

Abbott says it will continue to make updates and product enhancements across its devices as part of the company's "ongoing commitment to provide safe, effective and secure products" for patients.

"Connected devices are having a significant positive impact for patients and their health", said Robert Ford, executive vice president of Medical Devices at Abbott.

Other reports by AllAboutTopnews

Discuss This Article

FOLLOW OUR NEWSPAPER