CIO

FDA issues 'recall' on heart implants for security firmware update

  • Liam Tung (CSO Online)
  • 20 April, 2018 02:58

The US Food and Drug Administration is urging patients with heart implants from Abbott Laboratories to visit a healthcare centre and install a firmware update that addresses a remote hacking vulnerability and a rapid battery depletion bug.

Abbott Industries, formerly St Jude Medical, has developed a firmware update to address two vulnerabilities discovered by MedSec, the firm that brought attention to serious security flaws in St Jude’s heart implants in 2015, which led to a major recall in 2016.

The FDA’s alert concerns patients with Abbott Industries’ radio-frequency (RF) enabled implantable cardioverter defibrillators (ICD) and cardiac resynchronization therapy defibrillators (CRT-D).

The two device types, which are implanted under the skin and are wired to a patient’s heart, either regulate slow heart rhythms or provide “electric shock or pacing for dangerously fast heart rhythms”.

The firmware, referred to as a “corrective action recall”, broadens a 2016 recall due to premature battery depletion.

“The firmware upgrade released today incorporates an enhanced device-based battery performance alert, which will allow patients and physicians to better manage battery performance in certain implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds),” Abbott said in a statement.

“It also includes a cybersecurity update, which will provide an additional layer of protection against unauthorized device access.”

Affected product families include Abbott brands Current, Promote, Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura, Unify Quadra, Promote Quadra, and Ellipse. 

Abbott says it is advising regulatory authorities around the world that an upgrade will be made available in the next several weeks beginning on April 17. 

The firmware update, which the FDA approved in early April, includes a battery performance alert to detect rapid battery depletion, and authentication controls for RF-enabled devices. The updates are designed to improve safety for patients with a high chance of needing a life-saving shock and those that depend on pacemakers. The new battery warning will trigger a vibration alert.

The cybersecurity-related fix stems from the FDA confirming that an attacker could exploit vulnerabilities to remotely access a patient’s medical device and modify commands to potentially trigger rapid battery depletion.

Some Current and Promote devices can’t be updated with new firmware. Abbott has developed an option to permanently disable RF functionality; however, the FDA recommends against this action for patients enrolled in home monitoring, since it will prevent the patient using the Merlin@home transmitter to automatically alert his or her doctor to a problem.

Patients will need to visit their healthcare provider to install the firmware update, which takes about three minutes to complete and sets the device in backup mode during the procedure.  

Abbott said the firmware updates were planned and are part of a series of updates that began in August 2017 to bolster the security of its devices.

Thousands of Australian medical implant patients were potentially affected by that recall, the ABC reported at the time.  

During that firmware rollout, Abbott observed that 0.62 percent of devices failed to update completely and remained in backup mode. Technicians, however, were able to restore the devices with prior firmware versions.

The FDA notes that Abbott found some patients experienced discomfort during the update while the device was in backup mode. There was also a risk that the device won’t deliver a shock if the patient needs one during the update and that the device remains in backup mode after unsuccessfully updating.