FDA Approves Update to Plug Abbott Cybersecurity, Battery Holes

A fix is now available for patients who have received flawed implantable devices produced by the medical device manufacturer Abbott, formerly known as St. Jude’s Medical.

The US FDA announced today that it had approved a firmware update designed to “reduce the risk of patient harm due to premature battery depletion and potential exploitation of cybersecurity vulnerabilities” in certain kinds of implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators made by Abbott.

The battery issue became known in October 2016, and cybersecurity weaknesses with specific Abbott pacemakers made headlines last year. Digital vulnerabilities, specifically, caused great concern among the healthcare-technology community, both for its novelty and unique hacking threat to patients who depend on the devices.

>> READ: Examining the Hacking Threat to Heart Implants

In its safety communication, the FDA said it had “confirmed that these vulnerabilities, if exploited, could allow an authorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment.” From there, a malicious hacker could “modify programing commands to the implanted defibrillator, which could result in patient harm from rapid battery depletion … or administration of inappropriate pacing or shocks.”

In other words, the cybersecurity gap was wide enough to allow a savvy attacker to physically hurt a person—possibly fatally. This issue has become a sort of nightmare scenario, inciting commentaries and grim conference sessions across healthcare. But the FDA acknowledged that it hasn’t come across any reports of injury stemming from the Abbott pacemaker problem.

Since learning of the exploit, the company developed a corrective action—the firmware update—for affected devices. The FDA, meanwhile, has approved the software upgrade “to ensure that it addresses these cybersecurity vulnerabilities and reduces the risk of exploitation and subsequent patient harm,” according to the safety communication.

Here’s how the update works: After the software is improved, any device that attempts to communicate with such an implantable device will require authorization. Patients who can’t install the update “due to technology limitations” stemming from the small number of older devices in circulation may disable the radio frequency that connects their implant, thanks to a new option developed by Abbott, a move that would kill any data sharing between their device and doctor, according to the FDA.

This isn’t the first time Abbott has updated software to patch vulnerabilities. In August 2017, the organization released a firmware update to quell cybersecurity concerns, its initial response to the troubling finding.

The most recent software fix also attempts to solve a battery depletion problem, which has put patients’ lives at risk, according to the FDA. Although the update doesn’t repair the battery, it lets patients and their physicians know if their particular device is deficient, according to the FDA. Abbott said this feature was already available, but the update brings it directly to the device.

These updates are part of a series that Abbott announced last year. More may follow, and patients will need to receive the updates in a doctor’s office.

“Technology and its security are always evolving, and this firmware upgrade is part of our commitment to ensuring our products include the latest advancements and protections for patients,” Abbott’s executive vice president for medical devices, Robert Ford, said in a statement.

The company noted that this is a “planned update,” and it has identified no new vulnerabilities and no instances of someone hacking a pacemaker or an implantable device. For more information on the affected models, click here.

Editor’s note: This story has been revised to clarify that the udpate does not affect pacemakers. We regret the error.

Get the best insights in healthcare analytics directly to your inbox.

Related

What Keeps Healthcare Cybersecurity Innovators Up at Night

FDA Approves First Smartphone-Ready Insertable Cardiac Monitor

4 Healthcare Cybersecurity Issues That Worry the Former Head of Homeland Security