Device manufacturer Abbott has released another cardiac device firmware update, its second and final one in a planned series of updates that began last year.
The latest firmware update, approved by the Food and Drug Administration (FDA) last week, is for Abbott’s implantable cardioverter defibrillators (ICD) and implantable cardiac resynchronization therapy defibrillators (CRT-D), formerly manufactured by St. Jude Medical. In a recall notice, the FDA said the firmware is “intended … to reduce the risk of patient harm due to premature battery depletion and potential exploitation of cybersecurity vulnerabilities for certain Abbott ICDs and CRT-Ds.”
Approximately 350,000 devices in the U.S. are affected by the cybersecurity recall. The vulnerabilities, initially made public by an investment firm in 2016 and confirmed by the FDA last year, could allow an unauthorized user to access a device and modify programming commands, “which could result in patient harm from rapid battery depletion … or administration of inappropriate pacing or shocks,” according to the FDA.
Abbott spokesperson Kelly Morrison emphasized that the firmware update was not in response to any new cybersecurity vulnerabilities but a continuation of last year’s updates involving pacemakers. There have been no reports of unauthorized access with any of the devices, she added.
"Technology and its security are always evolving, and this firmware upgrade is part of our commitment to ensuring our products include the latest advancements and protections for patients," Robert Ford, executive vice president for medical devices at Abbott, said in a statement.
The FDA noted that the August 2017 firmware update for Abbott pacemakers included no reports of serious adverse events. Approximately 0.62% of devices experienced an incomplete update but were successfully updated following technical support.
The final update ends a long process in which the FDA intervened in a security update brought to light by an investment firm. Abbott bought St. Jude’s Medical in January 2017 and was warned months later that it had 15 days to fix the cybersecurity risks.
The update was also issued the same day the FDA announced plans to create a medical device cybersecurity “go-team” to assist with the growing threat of vulnerabilities among legacy devices.