Abbott Labs rolls out patch for St. Jude-made pacemakers

Tammy Harvey
August 31, 2017

All devices made from August 28 will come with the updated firmware.

"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with [Abbott's radiofrequency-enabled] cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized access a patient's device using commercially available equipment", the agency wrote. The firmware update is meant to fix a cybersecurity weakness that allowed hackers to affect the battery life and pacing of 465,000 devices implanted in patients in the U.S.

While the Muddy Waters/MedSec report highlighted important cybersecurity issues concerning the St. Jude medical devices, the controversial manner in which the research was released - by an investment company - and its financial arrangement with "ethical hacker" MedSec, which found the vulnerabilities, drew criticism from the healthcare industry. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.

The Food & Drug Administration released a recommendation for patients to visit their healthcare providers to discuss vulnerability and updates. Abbott described the full update process in a Dear Doctor letter issued August 28, according to a safety update issued by the FDA.

The St. Jude Medical pacemaker flaws that an investor relied on to short the company's stock has a new patch to address the issue.

In approving the firmware, the FDA notes the upgrade means patients won't need new devices replacement.

The company also says the risks of performing the update are low based on its previous experience with firmware updates.

Unfortunately, installing the firmware update can result in a failure to update altogether, the loss of programmed settings, the loss of diagnostic data, as well as a very small risk - 0.003 percent - of complete functionality loss.

But as a precaution, Abbott says that pacing dependent patients should be given the update in a facility where temporary pacing and a pacemaker generator are on hand.

The FDA stressed this update can not be done from home.

"These are part of planned updates we mentioned back in January, and further strengthen the security and device management tools for our connected cardiac rhythm management (CRM) devices", Steele Flippin said of this week's pacemaker update.

Other reports by Ligue1talk

Discuss This Article