FDA Safety Communication: Battery cybersecurity alert firmware updates for certain Abbott (St. Jude Medical) ICDs

April 19, 2018

On April 11, 2018, the FDA approved a firmware update that is now available and is intended as a corrective action (recall), to reduce the risk of patient harm due to premature battery depletion and potential exploitation of cybersecurity vulnerabilities for certain Abbott ICDs and CRT-Ds. “Firmware” is a specific type of software embedded in the hardware of a medical device (e.g. a component in the defibrillator).

The FDA recommends that all eligible patients receive the firmware update at their next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician.

This firmware update includes mitigations to address two separate issues: 1) a device-based Battery Performance Alert to detect rapid battery depletion in devices subject to the Battery Advisory from October 2016; and 2) updates to address cybersecurity vulnerabilities across Abbott’s radio frequency (RF) enabled ICDs and CRT-Ds.

Implanted ICDs and CRT-Ds are powered by lithium-based batteries. Deposits of lithium, known as “lithium clusters,” can form within the battery and create abnormal electrical connections leading to rapid battery failure.

As communicated in the Battery Advisory from October 2016, Abbott has reported that in some cases, full battery drainage can occur as quickly as within a day to a few weeks. If the battery runs out, the ICD or CRT-D will be unable to deliver life-saving pacing or shocks, which could lead to patient death. The patients most at risk are those with a high likelihood of requiring life-saving shocks and those who are pacemaker dependent.

To address the rapid battery depletion, Abbott has developed a device-based Battery Performance Alert to detect and alert patients and clinicians if their device is affected. This Battery Performance Alert is similar to the Battery Performance Alert added to Merlin.net and the Merlin Programmer in August 2017. This new device-based alert will activate a vibratory alert if rapid battery depletion is detected, and is intended to provide advance notice of device performance prior to the Elective Replacement Indicator (ERI) alert. In addition to notifying the patient that they should see their doctor as soon as possible, the alert will also be shown on the Merlin Programmer and transmitted to Merlin.net if the patient is enrolled in home monitoring.

Many medical devices—including Abbott’s ICD and CRT-D devices—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.

The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with Abbott’s RF-enabled ICDs and CRT-Ds, and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e., someone other than the patient’s physician) to access a patient’s device using commercially available equipment. This unauthorized user could then modify programming commands to the implanted defibrillator, which could result in patient harm from rapid battery depletion (unrelated to lithium clusters), or administration of inappropriate pacing or shocks.

To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities.

To address these cybersecurity vulnerabilities and improve patient safety, Abbott has developed and validated this firmware update as a corrective action (recall) for their RF-enabled defibrillators, including CRT-Ds. The FDA has approved Abbott’s firmware update to ensure that it addresses these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm.

After installing this update, any device attempting to communicate with the implanted defibrillator must provide authorization to do so. The Merlin Programmer and Merlin@home Transmitter will provide such authorization.

FDA has the full alert