News & Events

FDA in Brief: FDA issues safety communication on availability of firmware update to address cybersecurity vulnerabilities identified in Abbott’s (formerly St. Jude Medical’s) implantable cardiac pacemakers

Media Inquiries

  Angela Stark

"Cybersecurity risks in networked medical devices are constantly evolving, which means medical device manufacturers and hospitals must be vigilant in the face of changing threats in order to protect patient safety,” said William Maisel, acting director of the Office of Device Evaluation and chief scientist in the FDA’s Center for Devices and Radiological Health. “Today’s safety communication is part of the FDA’s ongoing work with Abbott to ensure they are properly addressing identified cybersecurity risks and adequately protecting their devices against potential future cybersecurity vulnerabilities. Because all networked medical devices are potentially vulnerable to cybersecurity threats, the FDA has been working diligently with device manufacturers and other stakeholders to ensure the benefits of medical devices to patients continue to outweigh any potential cybersecurity risks."

The FDA today issued a safety communication about the availability of a firmware update to address cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers. The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user to access a patient’s device using commercially available equipment. The FDA has approved St. Jude Medical’s firmware update to ensure that it addresses these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm. The firmware update requires an in-person patient visit with a health care provider.

The FDA plays an important role in assuring safety of medical devices, and our regulatory abilities allow us to take appropriate actions to protect public health. The FDA has expanded the scope of its work in cybersecurity over the past several years. The agency’s actions have included carefully assessing cybersecurity controls before granting marketing authorization for medical devices, issuing guidance documents that outline how manufacturers should address cybersecurity concerns throughout a device’s total product lifecycle, and engaging directly with stakeholders across the health care, government and cybersecurity sectors to raise awareness of the urgency of and highlight best practices related to medical device cybersecurity as it pertains to public health. The agency will also continue to alert the public via safety communications or other public notifications as needed when cybersecurity vulnerabilities that have the potential to impact patient safety are identified in medical devices.

Managing cybersecurity risks in the public health sector takes input and effort from many stakeholders—the FDA cannot do this alone. This proactive, multi-stakeholder engagement is the cornerstone of the FDA’s approach to addressing cybersecurity in medical devices. Through this approach we continue to see improvements and ongoing progress in the management of medical device cybersecurity. There is much work to be done and the FDA is committed to working collaboratively to address the shared goal of protecting the public health.


Page Last Updated: 03/27/2018
Note: If you need help accessing information in different file formats, see Instructions for Downloading Viewers and Players.
Language Assistance Available: Español | 繁體中文 | Tiếng Việt | 한국어 | Tagalog | Русский | العربية | Kreyòl Ayisyen | Français | Polski | Português | Italiano | Deutsch | 日本語 | فارسی | English