In a paper in JAMA this week, two experts highlight lessons that could be learned from the US Food and Drug Administration's (FDA) first major cybersecurity-related recall for a permanent implantable medical device.
In August, Abbott announced a voluntary recall of some 465,000 pacemakers to patch cybersecurity vulnerabilities that were first acknowledged by FDA and the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in January.
The recall affected six pacemaker models that Abbott acquired in its purchase of St. Jude Medical earlier this year (Accent, Accent MRI, Accent ST, Allure, Anthem and Assurity), all of which connect wirelessly to the company's Merlin@home transmitter.
In their JAMA viewpoint, Daniel Kramer, an assistant professor of medicine at Harvard Medical School, and Kevin Fu, a cybersecurity expert and associate professor at the University of Michigan, say that FDA could learn valuable lessons from its recall communication to improve future cybersecurity-related advisories.
"Communications regarding widely used products for which multiple vendors exist in the marketplace should serve as opportunities to highlight current FDA and industry standards, and the degree to which similar products made by other manufacturers may be subject to similar concerns," the authors write.
Specifically, the authors say that the perception of the communication as a "pacemaker recall" by the public and in the media could unnecessarily alarm patients with unaffected pacemakers from other companies.
The authors also say that past research indicates some possibility that similar vulnerabilities exist in other pacemaker and wireless base station ecosystems unless comparable defenses are put in place.
"FDA might have leveraged the safety communication to specifically identify whether there is an industry-wide concern, and to clarify security standards established by regulators for new device approval," the authors write, adding that such clarification could serve to reassure patients with unaffected devices.
The authors also say the recall represents a missed opportunity for FDA and industry to partner in gathering clinical data and user feedback and in quantifying the actual rate of adverse events that result from the firmware upgrade called for by the recall.
"The adverse event rate highlighted by Abbott is extrapolated from other circumstances, and the true rate of malfunction may not be known until tens of thousands of devices are already upgraded," the authors write.
Had the firmware upgrades been piloted at a focused group of clinical sites, the authors say, preliminary feedback could have informed changes to the user interface for installing the upgrades or identified potential concerns before the upgrade was rolled out to all the facilities that would be installing it.