FDA gives Abbott 15 days to fix cybersecurity vulnerabilities in St. Jude Medical devices

The FDA warned Abbott that it needs to fix the cybersecurity concerns associated with its cardiac devices or face further penalties.

Those penalties could come at the expense of any Abbott devices that are in the FDA approval pipeline.

In a letter issued this week to Mike Rousseau, president of Abbott’s cardiovascular and neuromodulation division, the FDA said the manufacturer failed to adequately address the cybersecurity concerns associated with its Merlin@home cardiac device, originally manufactured by St. Jude Medical.

Abbott acquired St. Jude Medical in January, but during an inspection the following month, the FDA determined that Abbott had not implemented all of the corrective actions designed to mitigate cybersecurity risks and had failed to verify whether its changes adversely impacted the device.

The FDA gave Abbott 15 business days to resolve the corrective actions and explain how it plans to prevent future violations.


“Failure to promptly correct these violations may result in regulatory action being initiated by the FDA without further notice,” the warning letter stated. “These actions include, but are not limited to, seizure, injunction, and civil money penalties. Also, federal agencies may be advised of the issuance of Warning Letters about devices so that they may take this information into account when considering the award of contracts.”

Rick Wise, an investment analyst with Stifel, told the Chicago Tribune that the cybersecurity concerns could be a “lingering problem” for the company, but said they are fixable “given Abbott’s considerable manufacturing expertise.”

An Abbott spokesperson told the newspaper the company “will closely review the FDA’s warning letter” as it continues to address the corrective actions.


The warning letter is the latest hiccup in the cybersecurity saga that dates back to August, when a security research firm revealed St. Jude Medical cardiac devices had “little to no built-in security.” Researchers questioned that report, and St. Jude filed a lawsuit against its accusers.

The public debacle prompted Johnson & Johnson to reveal concerns about hacking risks tied to its insulin pumps, and prompted the FDA to urge device manufacturers to work with the federal agency to resolve cybersecurity issues.