The Food and Drug Administration is asking nearly 500,000 patients with Abbott-manufactured pacemakers to install a software patch to resolve cybersecurity vulnerabilities with the device discovered just over a year ago.
The FDA has approved a firmware update for the cardiac devices that requires an in-person visit with a healthcare provider, according to an alert from the agency. Without the firmware update, cybersecurity vulnerabilities within the device could allow unauthorized users to access the equipment, according to the FDA. To date, there have been no known reports of patient harm.
It marks the first time the FDA has issued a recall for cybersecurity concerns. The agency said there are 465,000 impacted devices in the U.S., but noted the update does not require prophylactic removal and replacement.
My quick math on potential defect rates of getting firmware update— ♘ Josh Corman (@joshcorman) August 29, 2017
see pic pic.twitter.com/DVBdHMZK0M
The network-enabled cardiac pacemakers, originally manufactured by St. Jude Medical, came under fire in August 2016 after the investment firm Muddy Waters Capital reported the devices had “little to no built-in security.” Those claims launched a testy legal battle between the investment firm and St. Jude Medical.
The FDA confirmed the vulnerabilities months later and issued a warning letter to Abbott in April after the pharmaceutical giant acquired St. Jude Medical. The letter instructed Abbott to resolve the cybersecurity concerns within the devices or face further penalties.
In Tuesday's announcement, William Maisel, acting director of the Office of Device Evaluation and chief scientist in the FDA’s Center for Devices and Radiological Health highlighted broader industry concerns about evolving networked medical devices that require manufacturers to “to be vigilant in the face of change threats.”
“Because all networked medical devices are potentially vulnerable to cybersecurity threats, the FDA has been working diligently with device manufacturers and other stakeholders to ensure the benefits of medical devices to patients continue to outweigh any potential cybersecurity risks,” he said in a release, calling for “multi-stakeholder engagement” in managing medical device cybersecurity risks.
In a statement on Tuesday, Abbott said compromising the security of the devices would “require a highly complex set of circumstances," but called for an industry-wide focus on cybersecurity within connected devices.
“All industries need to be constantly vigilant against unauthorized access,” said Robert Ford, Abbot’s executive vice president of medical devices. “This isn't a static process, which is why we're working with others in the healthcare sector to ensure we're proactively addressing common topics to further advance the security of devices and systems.”