The FDA’s decision to recall 465,000 pacemakers in August due to cybersecurity vulnerabilities offers some important lessons for the regulator and the industry that is likely to face similar medical device recalls in the future.
The FDA announced a firmware update for Abbott-manufactured cardiac devices in August after cybersecurity weakness were discovered by the investment firm Muddy Waters Capital a year earlier, prior to Abbot’s purchase of St. Jude’s Medical. The FDA defined the recall as a “corrective action” and recommended patients visit their physician to update the device in a medical office.
As cardiologist Daniel Kramer at Beth Israel Deaconess Medical Center and Kevin Fu, an engineer at the University of Michigan pointed out in a JAMA Viewpoint, patients were asked to update the firmware in a doctor’s office because of the risks associated with upgrade—including a small risk of unpredictable device reset or failure.
But since this is the first device-related recall the FDA has encountered, the agency's approach provides an opportunity to improve cybersecurity-related recalls moving forward, the experts noted, including:
- Additional clarity from the FDA about whether the vulnerability was an industrywide concern.
- A formal publicly-disclosed pilot to collect clinical data and user feedback and quantify adverse event rates and logistical concern as providers initiated the upgrade.
- More consistent terminology—FDA classified the upgrade as a recall, but Abbott’s safety notice to physicians did not.
“The experience with this pacemaker advisory should serve as a reminder to the broader clinical community that an entirely new class of potential medical device malfunction is likely to become increasingly common,” the authors wrote.
Lawmakers and industry leaders have both weighed in on the growing cybersecurity risk associated with medical devices. Separate bills introduced in House and the Senate have outlined different approaches ranging from mandated testing for manufacturers to an FDA-led workgroup to build voluntary guidelines.
Meanwhile, Robert Ford, Abbot’s executive vice president of medical devices, has advocated for industry-developed cybersecurity standards that offer manufacturer's room to innovate while ensuring basic protections.