The FDA approved a firmware update that is now available and is intended as a corrective action (recall), to reduce the risk of patient harm due to premature battery depletion and potential exploitation of cybersecurity vulnerabilities for certain Abbott ICDs and CRT-Ds. “Firmware” is a specific type of software embedded in the hardware of a medical device (e.g. a component in the defibrillator).
The FDA recommends that all eligible patients receive the firmware update at their next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician.
For the purposes of this safety communication, cybersecurity focuses on protecting patients’ medical devices and their associated computers, networks, programs, and data from unintended or unauthorized threats.
Summary of Problem and Scope:
This firmware update includes mitigations to addresses two separate issues: 1) a device-based Battery Performance Alert to detect rapid battery depletion in devices subject to the Battery Advisory from October 2016; and 2) updates to address cybersecurity vulnerabilities across Abbott’s radio frequency (RF) enabled ICDs and CRT-Ds.
Rapid Battery Depletion
Implanted ICDs and CRT-Ds are powered by lithium-based batteries. Deposits of lithium, known as “lithium clusters,” can form within the battery and create abnormal electrical connections leading to rapid battery failure.
As communicated in the Battery Advisory from October 2016, Abbott has reported that in some cases, full battery drainage can occur as quickly as within a day to a few weeks. If the battery runs out, the ICD or CRT-D will be unable to deliver life-saving pacing or shocks, which could lead to patient death. The patients most at risk are those with a high likelihood of requiring life-saving shocks and those who are pacemaker dependent.
To address the rapid battery depletion, Abbott has developed a device-based Battery Performance Alert to detect and alert patients and clinicians if their device is affected. This Battery Performance Alert is similar to the Battery Performance Alert added to Merlin.net and the Merlin Programmer in August 2017. This new device-based alert will activate a vibratory alert if rapid battery depletion is detected, and is intended to provide advanced notice of device performance prior to the Elective Replacement Indicator (ERI) alert. In addition to notifying the patient that they should see their doctor as soon as possible, the alert will also be shown on the Merlin Programmer and transmitted to Merlin.net if the patient is enrolled in home monitoring.
Many medical devices—including Abbott’s ICD and CRT-D devices—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.
The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with Abbott’s RF-enabled ICDs and CRT-Ds, and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e.someone other than the patient’s physician) to access a patient’s device using commercially available equipment. This unauthorized user could then modify programming commands to the implanted defibrillator, which could result in patient harm from rapid battery depletion (unrelated to lithium clusters), or administration of inappropriate pacing or shocks.
To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities.
To address these cybersecurity vulnerabilities and improve patient safety, Abbott has developed and validated this firmware update as a corrective action (recall) for their RF-enabled defibrillators, including CRT-Ds. The FDA has approved Abbott’s firmware update to ensure that it addresses these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm.
After installing this update, any device attempting to communicate with the implanted defibrillator must provide authorization to do so. The Merlin Programmer and Merlin@home Transmitter will provide such authorization.
For patients with Current or Promote devices that cannot accept the firmware update due to technology limitations, Abbott has implemented an option in the Merlin Programmer to permanently disable RF for patients concerned with the cybersecurity of their device. However, disabling RF will prevent data from a patient’s device from being transmitted to his or her doctor’s office using the RF Merlin@home Transmitter. For patients enrolled in home monitoring, FDA recommends keeping RF enabled.
Additionally, a software patch was implemented in January 2017 to address cybersecurity vulnerabilities associated with the Merlin@home Transmitter. The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.