Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication
August 29, 2017
- Patients with a radio frequency (RF)-enabled St. Jude Medical implantable pacemaker
- Caregivers of patients with an RF-enabled St. Jude Medical implantable cardiac pacemaker
- Cardiologists, electrophysiologists, cardiothoracic surgeons, and primary care physicians treating patients with heart failure or heart rhythm problems using an RF-enabled St. Jude Medical implantable cardiac pacemaker
Cardiac Electrophysiology, Cardiology, Cardiothoracic Surgery, Heart Failure
Abbott's (formerly St. Jude Medical's) implantable cardiac pacemakers, including cardiac resynchronization therapy pacemaker (CRT-P) devices, provide pacing for slow or irregular heart rhythms. These devices are implanted under the skin in the upper chest area and have connecting insulated wires called "leads" that go into the heart. A patient may need an implantable cardiac pacemaker if their heartbeat is too slow (bradycardia) or needs resynchronization to treat heart failure.
The devices addressed in this communication are the following St. Jude Medical pacemaker and CRT-P devices:
- Accent MRI
- Accent ST
This communication does NOT apply to any implantable cardiac defibrillators (ICDs) or to cardiac resynchronization ICDs (CRT-Ds).
On August 23, 2017, the FDA approved a firmware update that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers. "Firmware" is a specific type of software embedded in the hardware of a medical device (e.g. a component in the pacemaker).
For the purposes of this safety communication, cybersecurity focuses on protecting patients' medical devices and their associated computers, networks, programs, and data from unintended or unauthorized access, change, or destruction.
The FDA recommends that patients and their health care providers discuss the risks and benefits of the cybersecurity vulnerabilities and the associated firmware update designed to address such vulnerabilities at their next regularly scheduled visit.
Summary of Problem and Scope
Many medical devices - including St. Jude Medical's implantable cardiac pacemakers - contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.
The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.
There are no known reports of patient harm related to the cybersecurity vulnerabilities in the 465,000 (US) implanted devices impacted.
To address these cybersecurity vulnerabilities and improve patient safety, St. Jude Medical has developed and validated this firmware update as a corrective action (recall) for all of their RF-enabled pacemaker devices, including cardiac resynchronization pacemakers. The FDA has approved St. Jude Medical's firmware update to ensure that it addresses these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm.
After installing this update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so. The Merlin Programmer and Merlin@home Transmitter will provide such authorization.
The firmware update will be available beginning August 29, 2017. Pacemakers manufactured beginning August 28, 2017 will have this update pre-loaded in the device and will not need the update.
Firmware Update Details
The firmware update requires an in-person patient visit with a health care provider – it cannot be done from home via Merlin.net. The update process will take approximately 3 minutes to complete. During this time, the device will operate in backup mode (pacing at 67 beats per minute), and essential, life-sustaining features will remain available. At the completion of the update, the device will return to its pre-update settings.
As with any firmware update, there is a very low risk of an update malfunction. Based on St. Jude Medical's previous firmware update experience, installing the updated firmware could potentially result in the following malfunctions (including the rate of occurrence previously observed):
- reloading of previous firmware version due to incomplete update (0.161 percent),
- loss of currently programmed device settings (0.023 percent),
- loss of diagnostic data (none reported), or
- complete loss of device functionality (0.003 percent).
Recommendations for Health Care Providers:
- The FDA and Abbott do NOT recommend prophylactic removal and replacement of affected devices.
- Discuss the risks and benefits of the cybersecurity vulnerabilities and associated firmware update with your patients at the next regularly scheduled visit. As part of this discussion, it is important to consider each patient's circumstances, such as pacemaker dependence, age of the device, and patient preference, and provide them with Abbott's Patient Guide.
- Determine if the update is appropriate for the given patient based on the potential benefits and risks. If deemed appropriate, install the firmware update following the instructions on the programmer.
- For pacing dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator can be readily provided.
- Print or digitally store the programmed device settings and the diagnostic data in case of loss during the update.
- After the update, confirm that the device maintains its functionality, is not in backup mode, and that the programmed parameters have not changed.
The firmware update process is described in Abbott's Dear Doctor Letter issued on August 28, 2017.
Contact your Abbott representative, or Abbott's customer technical support hotline at 1‐800‐722‐3774 if you have any questions about the firmware update.
Recommendations for Patients and Caregivers
- Consult with your physician(s) for determining when you should receive the update and if you have any questions or concerns about the vulnerabilities or the update. Your ongoing medical management should be based on your own medical history and clinical condition.
- Visit www.sjm.com/cyberupdate, or contact Abbott's hotline at 1-800-722-3774 for additional information, or if you have any questions or issues regarding your St. Jude Medical implantable cardiac pacemaker.
The FDA will continue to assess new information concerning the cybersecurity of Abbott's implantable cardiac devices and the Merlin@home Transmitter, and will keep the public informed if the FDA's recommendations change.
The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery.
The FDA will continue its work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle. The FDA takes reports of vulnerabilities in medical devices very seriously and has issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.
Reporting Problems to the FDA
Prompt reporting of adverse events can help the FDA identify and better understand the risks related to the use of medical devices. If you suspect or experience a problem with these devices, we encourage you to file a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program. Health care personnel employed by facilities that are subject to the FDA's user facility reporting requirements should follow the reporting procedures established by their facilities.
- Abbott Press Release
- Abbott Patient Communication
- Abbott Physician Communication
- Department of Homeland Security ICS-CERT Advisory
- Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication (January 9, 2017)
- Postmarket Management of Cybersecurity in Medical Devices Final Guidance (12/28/16)
If you have questions about this communication, please contact the Division of Industry and Consumer Education (DICE) at DICE@FDA.HHS.GOV, 800-638-2041 or 301-796-7100.