Abbot Laboratories Defibrillator Faults Alert Issued by FDA

April 29, 2018


The U.S. Food and Drug Administration has issued an alert concerning specific Abbott Laboratories implantable cardiac appliances that have cybersecurity vulnerabilities that might possibly be targeted to change the usability of the appliances.

A number of implantable cardiac defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) are affected, including the Current, Unify, Fortify, Promote, Quadra, and Ellipse groups of products. The faults have not been viewed on pacemakers or cardiac resynchronization pacemakers (CRT-Ps).

Misuse of the faults is possible using openly available equipment that might be used to send directions to the appliances through radio frequencies. For the faults to be abused, a hacker would need to be in comparatively close proximity to the appliance in question.

In the event of an attack to occur, it would be possible to change the function of the appliances and cause incorrect packing and shocks or cause the batteries to exhaust rapidly. Misuse of the faults, therefore, has the possibility to inflict harm to patients.

The faults are being confronted with a firmware update. The FDA has evaluated the update and verified that it alleviates the faults and minimizes the potential for harm to a rational level. After getting the update, any appliance that attempts to connect to the CRT-D or ICD would require to complete a verification procedure before any modifications might be finished.

Abbott Laboratories notices in a fresh press release that there have been no accounts of the faults actually being abused and that the update is not an emergency measure but part of a series of prearranged updates to increase cybersecurity.

The firmware update also resolves an unrelated problem with the lithium-ion batteries which can lead them to deplete quickly, in some instances within 24 hours. This is not caused by hateful people, instead, it is a problem with the batteries, which can create lithium deposits that make strange electrical connections. The update contains a new battery exhaustion warning that will be activated if quick battery depletion is noted, telling the patient that they should arrange to visit their doctor as soon as they can.

The firmware update can’t be applied distantly. Patients should see their provider to have their CRT-D or ICD updated.

The update will take about 3 minutes during which time the appliance will work in standby VVI mode. High voltage treatment will be provisionally switched off and there is a probability for the appliance to deliver no pacing for up to three seconds in the course of the update.

Any software or firmware update might cause an appliance to breakdown, even though the threat is very minimal and an earlier firmware update in August 2017 led to no serious failures. In 0.62% of cases, the update was not applied fully. In such cases, the problem was quickly fixed with Technical Facilities. To decrease the possibility of problems, a programmer update has been included which should keep update faults to a minimal level.

Certain appliances cannot supply the update because of technical limitations. A solution has been provided by Abbott Laboratories that involves switching off RF operation through the Merlin@home programmer. While this solution will stop any misuse of the faults, it would also stop the appliance from sending data straight to the doctor’s office. As a result, the FDA recommends that RF operation is not switched off.