Abbott Recalls 465,000 Pacemakers for Cybersecurity Patch

Back to QNT News

States News Service

September 1, 2017

Medical device maker Abbott on Monday announced it is voluntarily recalling about 465,000 pacemakers to install a firmware update to patch cybersecurity vulnerabilities in the devices. The recall affects six pacemaker models—Accent, Accent MRI, Accent ST, Allure, Anthem and Assurity—that Abbott acquired when it completed its purchase of St. Jude Medical last January. Patients with the devices are being told to speak to their doctors to determine whether they should receive the update, which will require an in-person visit to install. The vulnerabilities, which could allow an attacker to modify the devices’ pacing commands or cause premature battery depletion, first came to light in a 2016 report by short-seller Muddy Waters based on research done by cybersecurity firm MedSec Holdings. The U.S. Food and Drug Administration (FDA) says it reviewed and approved the updated firmware, which will limit the number of commands the devices can receive wirelessly and prevent the transmission of unencrypted data. Abbott says that new pacemakers made as of August 28 will come pre-patched with the update, and both the company and FDA say that already-implanted devices should not be physically replaced due to cybersecurity concerns. According to Abbott, the update itself should take around three minutes, during which the devices will operate on a backup mode that keeps pacing at 67 beats per minute. The company also says the risks of performing the update are low based on its previous experience with firmware updates.

The risks, which include reloading previous firmware due to an incomplete installation, loss of currently programmed settings and loss of device functionality, all occur at rates well below 1%. But as a precaution, Abbott says that pacing dependent patients should be given the update in a facility where temporary pacing and a pacemaker generator are on hand. This marks the second time Abbott has issued a cybersecurity-related update for its St. Jude cardiac devices. Just days after Abbott completed its acquisition of St. Jude, the company released a software update to address vulnerabilities in its Merlin@home devices, which are used to transmit patient data from the company’s implantable pacemakers and defibrillators to physicians. Both Abbott and FDA say there are no known reports of cyberattacks targeting any of the devices, and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team says that a hacker would need to possess “high skill” to exploit the vulnerabilities.

Copyright 2017 States News Service

Copyright © LexisNexis, a division of Reed Elsevier Inc. All rights reserved.  
Terms and Conditions    Privacy Policy

Quality News Today is an ASQ member benefit offering quality related news
from around the world every business day.

ASQ is a global community of people passionate about quality, who use the tools, their ideas and expertise to make our world work better. ASQ: The Global Voice of Quality.