MedWatch - The FDA Safety Information and Adverse Event Reporting Program
Implantable Cardiac Pacemakers by Abbott (formerly St. Jude Medical): Safety Communication - Firmware Update to Address Cybersecurity Vulnerabilities
AUDIENCE: Cardiology, Surgery, Family Practice, Patient
ISSUE: On August 23, 2017, the FDA approved a firmware update that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers. The firmware update will be available beginning August 29, 2017. Pacemakers manufactured beginning August 28, 2017 will have this update pre-loaded in the device and will not need the update.
The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.
BACKGROUND: Many medical devices - including St. Jude Medical's implantable cardiac pacemakers - contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.
RECOMMENDATIONS: The firmware update requires an in-person patient visit with a health care provider – it cannot be done from home via Merlin.net. The update process will take approximately 3 minutes to complete. The firmware update process is described in Abbott's Dear Doctor Letter issued on August 28, 2017.
- The FDA and Abbott do NOT recommend prophylactic removal and replacement of affected devices.
- Discuss the risks and benefits of the cybersecurity vulnerabilities and associated firmware update with your patients at the next regularly scheduled visit. As part of this discussion, it is important to consider each patient's circumstances, such as pacemaker dependence, age of the device, and patient preference, and provide them with Abbott's Patient Communication.
- Determine if the update is appropriate for the given patient based on the potential benefits and risks. If deemed appropriate, install the firmware update following the instructions on the programmer.
- For pacing dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator can be readily provided.
- Print or digitally store the programmed device settings and the diagnostic data in case of loss during the update.
- After the update, confirm that the device maintains its functionality, is not in backup mode, and that the programmed parameters have not changed.
The firmware update process is described in Abbott's Dear Doctor Letter issued on August 28, 2017.
Contact your Abbott representative, or Abbott's customer technical support hotline at 1‐800‐722‐3774 if you have any questions about the firmware update.
Healthcare professionals and patients are encouraged to report adverse events or side effects related to the use of these products to the FDA's MedWatch Safety Information and Adverse Event Reporting Program:
- Complete and submit the report Online: www.fda.gov/MedWatch/report
- Download form or call 1-800-332-1088 to request a reporting form, then complete and return to the address on the pre-addressed form, or submit by fax to 1-800-FDA-0178
Read the MedWatch safety alert at: