Abbott Extends Cybersecurity Patch to Implantable Defibrillators
Posted 18 April 2018
Abbott has extended the release of a firmware upgrade—applied to 465,000 of its pacemakers last year to patch cybersecurity vulnerabilities—to 11 of its implantable defibrillator device families as part of its phased corrective action plan.
According to the US Food and Drug Administration (FDA), the firmware update announced Tuesday was approved 11 April for the implantable cardioverter defibrillators (ICDs) as well as the cardiac resynchronization therapy defibrillators (CRT-Ds). The update also addresses the detection of rapid battery depletion via a new battery performance alert.
The pacemakers were involved in the first-ever FDA recall over cybersecurity risk, following the vulnerabilities that could allow hackers to remotely access patients’ Merlin@home transmitters, as revealed in research reports from Muddy Waters and MedSec Holdings. The defibrillators were previously sold by St. Jude Medical, prior to the closing of Abbott’s acquisition of the company in January 2016.
Exploitation of the cybersecurity vulnerabilities identified in the research reports could lead to alterations of pacing commands or premature battery depletion.
FDA confirmed the findings, and Abbott said devices with embedded firmware, including pacemakers, ICDs and CRT-Ds, “may require updates from time to time, as technology and security for connected devices and systems continue to advance.”
“The cybersecurity update provides an additional layer of security against unauthorized access to these devices, to prevent anyone other than a person’s physician from changing the device settings,” whereas the release of the battery alert “will allow the device to monitor for abnormal battery behavior and automatically vibrate to alert the patient if abnormal battery behavior is detected,” the company added.
As was the case with the pacemakers, the new updates require in-person visits for installation, which may cause certain malfunctions, such as an inability for the defibrillator devices to provide pacing or electrical shock therapies while in back-up mode.
However, the update will be pre-loaded in all Abbott ICDs and CRT-Ds manufactured after 25 April 2018.
Meanwhile, the FDA also announced Tuesday a new action plan to improve device safety, including cybersecurity.
To “keep pace with emerging threats and vulnerabilities,” the agency is considering new authority for additional industry requirements, such as building capabilities for patching security flaws into device designs and the inclusion of a “Software Bill of Materials” as part of premarket submissions.
FDA is also exploring the development of a “go-team”—a public-private partnership called CyberMed Safety Analysis Board that would be charged with assessing cyber-vulnerabilities and proposed mitigations, among other responsibilities.
Further, the agency will update the 2014 premarket guidance on the content of premarket submissions for the management of cybersecurity.
“There is room for further iteration, further refinement and understanding” of the guidance on what FDA is looking to see “by way of analysis, risk assessments, design, documentation and how to organize all of this,” FDA’s Suzanne Schwartz, associate director for science and strategic partnerships, said at an Association for the Advancement of Medical Instrumentation conference