April 17, 2018
- Patients with a radio frequency (RF)-enabled St. Jude Medical implantable cardioverter defibrillator (ICD) and cardiac resynchronization therapy defibrillator (CRT-D)
- Caregivers of patients with a St. Jude Medical ICD and CRT-D
- Cardiologists, electrophysiologists, cardiac surgeons, and primary care physicians treating patients with heart failure or heart rhythm problems using an RF-enabled St. Jude Medical ICD or CRT-D
Cardiac Electrophysiology, Cardiology, Cardiothoracic Surgery, Heart Failure
Abbott's (formerly St. Jude Medical) implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) are devices that provide pacing for slow heart rhythms, and electrical shock or pacing to stop dangerously fast heart rhythms.
ICDs and CRT-Ds are both implanted under the skin in the upper chest area with connecting insulated wires ("leads") that go into the heart. A patient may need an ICD or CRT-D if their heartbeat is too slow (bradycardia), too fast (tachycardia), or needs coordination to treat heart failure.
The devices addressed in this communication are the following Abbott ICD and CRT-D device families, including the specific devices identified in the October 10, 2016 Premature Battery Depletion Recall:
- Fortify Assura
- Quadra Assura
- Quadra Assura MP
- Unify Assura
- Unify Quadra
- Promote Quadra
This communication does NOT apply to any pacemakers or to cardiac resynchronization pacemakers (CRT-Ps).
On April 11, 2018, the FDA approved a firmware update that is now available and is intended as a corrective action (recall), to reduce the risk of patient harm due to premature battery depletion and potential exploitation of cybersecurity vulnerabilities for certain Abbott ICDs and CRT-Ds. "Firmware" is a specific type of software embedded in the hardware of a medical device (e.g. a component in the defibrillator).
The FDA recommends that all eligible patients receive the firmware update at their next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician.
For the purposes of this safety communication, cybersecurity focuses on protecting patients' medical devices and their associated computers, networks, programs, and data from unintended or unauthorized threats.
Summary of Problem and Scope:
This firmware update includes mitigations to address two separate issues: 1) a device-based Battery Performance Alert to detect rapid battery depletion in devices subject to the Battery Advisory from October 2016; and 2) updates to address cybersecurity vulnerabilities across Abbott's radio frequency (RF) enabled ICDs and CRT-Ds.
Rapid Battery Depletion
Implanted ICDs and CRT-Ds are powered by lithium-based batteries. Deposits of lithium, known as "lithium clusters," can form within the battery and create abnormal electrical connections leading to rapid battery failure.
As communicated in the Battery Advisory from October 2016, Abbott has reported that in some cases, full battery drainage can occur as quickly as within a day to a few weeks. If the battery runs out, the ICD or CRT-D will be unable to deliver life-saving pacing or shocks, which could lead to patient death. The patients most at risk are those with a high likelihood of requiring life-saving shocks and those who are pacemaker dependent.
To address the rapid battery depletion, Abbott has developed a device-based Battery Performance Alert to detect and alert patients and clinicians if their device is affected. This Battery Performance Alert is similar to the Battery Performance Alert added to Merlin.net and the Merlin Programmer in August 2017. This new device-based alert will activate a vibratory alert if rapid battery depletion is detected, and is intended to provide advanced notice of device performance prior to the Elective Replacement Indicator (ERI) alert. In addition to notifying the patient that they should see their doctor as soon as possible, the alert will also be shown on the Merlin Programmer and transmitted to Merlin.net if the patient is enrolled in home monitoring.
Cybersecurity Vulnerabilities
Many medical devices—including Abbott's ICD and CRT-D devices—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.
The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with Abbott's RF-enabled ICDs and CRT-Ds, and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e., someone other than the patient's physician) to access a patient's device using commercially available equipment. This unauthorized user could then modify programming commands to the implanted defibrillator, which could result in patient harm from rapid battery depletion (unrelated to lithium clusters), or administration of inappropriate pacing or shocks.
To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities.
To address these cybersecurity vulnerabilities and improve patient safety, Abbott has developed and validated this firmware update as a corrective action (recall) for their RF-enabled defibrillators, including CRT-Ds. The FDA has approved Abbott's firmware update to ensure that it addresses these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm.
After installing this update, any device attempting to communicate with the implanted defibrillator must provide authorization to do so. The Merlin Programmer and Merlin@home Transmitter will provide such authorization.
For patients with Current or Promote devices that cannot accept the firmware update due to technology limitations, Abbott has implemented an option in the Merlin Programmer to permanently disable RF for patients concerned with the cybersecurity of their device. However, disabling RF will prevent data from a patient's device from being transmitted to his or her doctor's office using the RF Merlin@home Transmitter. For patients enrolled in home monitoring, FDA recommends keeping RF enabled.
Additionally, a software patch was implemented in January 2017 to address cybersecurity vulnerabilities associated with the Merlin@home Transmitter. The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.
Firmware Update Details:
The firmware update requires an in-person patient visit with a health care provider; it cannot be done from home via Merlin.net. The update process will take approximately three minutes to complete. During this time, the device will operate in "backup VVI mode" (pacing at 67 beats per minute), and high voltage therapy will automatically be disabled. At the onset of the update process, there may be a pause of one to three seconds with no pacing during this brief period. At the completion of the update, the device will return to its pre-update settings with therapies on.
As with any firmware update, there is a very low risk of an update malfunction. Based on Abbott's previous firmware update experience from the August 2017 pacemaker firmware release and the similarities in the update process, installing the updated firmware on the ICDs and CRT-Ds could potentially result in the following malfunctions:
- discomfort due to backup VVI pacing settings;
- reloading of the previous firmware version due to an incomplete update;
- inability to treat ventricular tachycardia/fibrillation while in back-up mode as high voltage therapy is disabled;
- device remaining in back-up mode due to an unsuccessful update; and
- loss of currently programmed device settings or diagnostic data.
The August 2017 firmware update to Abbott pacemaker devices has had no reports of serious adverse events to date. For those devices, approximately 0.62% of devices experienced an incomplete update and remained in the back-up pacing mode. However, in each case, the devices were restored to the prior firmware version or received the update successfully after Technical Services was contacted and intervened. A programmer update has been implemented to reduce the frequency of these minor update issues. Additionally, a small percentage (0.14%) of patients complained of diaphragmatic or pocket stimulation, or general discomfort for the time that the device was in the back-up pacing mode. However, there have been no cases reported to Abbott where the device remained in back-up mode following an attempted firmware update.
The firmware update will be available beginning April 17, 2018 as part of a phased deployment plan. Defibrillators manufactured beginning April 25, 2018 will have this update pre-loaded in the device and will not need the update.
Recommendations for Health Care Providers:
- Prophylactic removal and replacement of affected devices is NOT recommended.
- This firmware update is recommended for all eligible patients. Discuss the benefits and risks of the associated firmware update with your patients at the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician. As part of this discussion, it is important to consider each patient's circumstances, such as pacemaker dependence, frequency of high voltage therapy, age of the device and patient preference, and provide patients with Abbott's Patient Communication.
- For Battery Advisory Patients: inform them that the Battery Performance Alert will trigger a vibratory alert if rapid battery depletion is detected, and that they should immediately schedule an appointment for device explant and replacement.
- For Battery Advisory Patients in the absence of a Battery Performance Alert being triggered either in a patient's device, through Merlin.net, or the Merlin programmer: follow the original patient management recommendations from the 2016 Premature Battery Depletion advisory.
- Print or digitally store the programmed device settings and the diagnostic data in case of loss during the update.
- Perform the update with appropriate monitoring and external defibrillation equipment available.
- After the update, confirm that the device maintains its functionality, is not in backup mode, and that the programmed parameters have not changed.
- Contact your Abbott representative, or Abbott's customer technical support hotline at 1‐800‐436‐5056 if you have any questions about the firmware update.
The firmware update process is also described in Abbott's Dear Doctor Letter issued on April 16, 2018.
For patients with Current or Promote devices:
The firmware update is not available due to technical limitations. These devices were not affected by the battery advisory and therefore do not need the Battery Performance Alert. Regarding the cybersecurity vulnerabilities, patients and clinicians should discuss them and the benefits and risks associated with permanently disabling RF communication. For most patients, FDA and Abbott do not recommend permanently disabling RF communication for patients enrolled in home monitoring due to the proven benefits of home monitoring for patient care.
Recommendations for Patients and Caregivers:
- Consult your physician(s) to determine when you should receive the firmware update and if you have any questions or concerns about the update. Your ongoing medical management should be based on your own medical history and clinical condition.
- If you receive the update and your device is affected by the Battery Advisory, contact your physician immediately if your vibratory alert is triggered to check that the alert is due to premature battery depletion. If it is, you will need to schedule a device removal and replacement procedure.
- Visit www.sjm.com/notices, or contact Abbott's hotline at 1-800-436-5056 for additional information, or if you have any questions or issues regarding your St. Jude Medical implantable cardiac defibrillator.
The FDA will continue its work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle. The FDA takes reports of vulnerabilities in medical devices very seriously and has issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.
The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery.
Reporting Problems to the FDA:
Prompt reporting of adverse events can help the FDA identify and better understand the risks related to the use of medical devices. If you suspect or experience a problem with these devices, we encourage you to file a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program. Health care personnel employed by facilities that are subject to the FDA's user facility reporting requirements should follow the reporting procedures established by their facilities.
- Abbott Press Release (April 17, 2018)
- Abbott Patient Communication (April 17, 2018)
- Abbott Web Communication (April 17, 2018)
- Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication (August 29, 2017)
- Abbott Patient Communication (August 29, 2017)
- Abbott Physician Communication (August 29, 2017)
- Department of Homeland Security ICS-CERT Advisory (August 29, 2017)
- Abbott (St Jude Medical Inc.) Warning Letter (April 12, 2017)
- St. Jude Medical Press Release: St. Jude Medical Announces Cybersecurity Updates (January 9, 2017)
- Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication (January 9, 2017)
- Postmarket Management of Cybersecurity in Medical Devices Final Guidance (December 28, 2016)
- Premature Battery Depletion of St. Jude Medical ICD and CRT-D Devices: FDA Safety Communication (October 11, 2016)
- St. Jude Medical – Premature Battery Depletion Information (October 11, 2016)
- St. Jude webpage where patients could see which devices were affected: www.sjm.com/batteryadvisory
If you have questions about this communication, please contact the Division of Industry and Consumer Education (DICE) at DICE@FDA.HHS.GOV, 800-638-2041 or 301-796-7100.