Posted 08 December 2017 | By Michael Mezher
In a paper in JAMA this week, two experts highlight lessons that could be learned from the US Food and Drug Administration's (FDA) first major cybersecurity-related recall for a permanent implantable medical device.
In August, Abbott announced a voluntary recall of some 465,000 pacemakers to patch cybersecurity vulnerabilities that were first acknowledged by FDA and the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in January.
The recall affected six pacemakers Abbott acquired in its purchase of St. Jude Medical earlier this year (Accent, Accent MRI, Accent ST, Allure, Anthem and Assurity) that connect wirelessly to the company's Merlin@home transmitter.
In their JAMA viewpoint, Daniel Kramer, an assistant professor of medicine at Harvard Medical School, and Kevin Fu, a cybersecurity expert and associate professor at the University of Michigan, say that FDA could learn valuable lessons from its recall communication to improve future cybersecurity-related advisories.
"Communications regarding widely used products for which multiple vendors exist in the marketplace should serve as opportunities to highlight current FDA and industry standards, and the degree to which similar products made by other manufacturers may be subject to similar concerns," the authors write.
Specifically, the authors say that the perception of the communication as a "pacemaker recall" by the public and in the media could unnecessarily alarm patients with unaffected pacemakers from other companies.
The authors also say that past research indicates that there is some possibility that similar vulnerabilities could exist for other pacemaker and wireless base station ecosystems unless similar defenses are put in place.
"FDA might have leveraged the safety communication to specifically identify whether there is an industry-wide concern, and to clarify security standards established by regulators for new device approval," the authors write, adding that such clarification could serve to reassure patients with unaffected devices.
The authors also say the recall represents a missed opportunity for a partnership between FDA and industry to gather clinical data and user feedback, and to quantify the actual rate of adverse events that occur as a result of the firmware upgrade called for by the recall.
"The adverse event rate highlighted by Abbott is extrapolated from other circumstances, and the true rate of malfunction may not be known until tens of thousands of devices are already upgraded," the authors write.
By piloting the firmware upgrades at a focused group of clinical sites, the authors say that preliminary feedback could have informed changes to the user interface for installing the firmware upgrades or identified potential concerns before rolling out the firmware upgrade to all the facilities that would be installing it.