Abbott Labs Warned of Medical Device Cybersecurity Issues by FDA

Abbott Labs, which acquired St. Jude Medical in January 2017, has been warned by the Food and Drug Administration (FDA) that previously identified cybersecurity vulnerabilities in some of its products may not have been corrected. Those vulnerabilities have the potential to jeopardize the safety of patients.

The investigation of Abbott Labs was conducted February 7-14 at St. Jude Medical facilities in Sylmar, CA, following the public disclosure of potential vulnerabilities in certain St. Jude Medical devices. Those vulnerabilities could potentially be exploited by malicious actors to cause the devices to malfunction and patients to come to harm. Flaws in the devices were uncovered by MedSec Holdings and passed to Muddy Waters Capital, which announced the findings in a research report published in August last year.

Multiple vulnerabilities were discovered in certain implantable pacemakers and defibrillators manufactured by St. Jude Medical, including susceptibility to man-in-the-middle attacks that could prematurely drain the batteries in the products and cause the devices to malfunction.

The pacemakers and defibrillators are classed as medical devices under section 201(h) of the Federal Food, Drug, and Cosmetic Act (the Act), 21 U.S.C. § 321(h). The specific devices investigated were the Fortify, Unify, and Assura (including Quadra) implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, and the accompanying Merlin@home monitor.

The FDA confirmed that a variety of cybersecurity vulnerabilities existed in the products and alerted Abbott Labs in a letter dated March 13, 2017. Abbott Labs was informed that “the methods used in, or the facilities or controls used for, their manufacture, packing, storage, or installation are not in conformity with the current good manufacturing practice requirements of the Quality System (QS) regulation found at Title 21, Code of Federal Regulations (CFR), Part 820.”

During the investigation, the FDA reviewed Product Analysis Reports from 2011 to 2014 and determined that the supplier’s analysis contained information showing “lithium cluster bridging had prematurely drained the battery,” yet the company “repeatedly concluded that the cause of premature depletion of Greatbatch QHR2850 batteries ‘could not be determined.’” The firm performed a risk analysis, but only on devices from confirmed cases of premature battery depletion. The unconfirmed cases of premature battery depletion were not included in the risk analysis, potentially leading the firm to underestimate the risk.

There was also a “Failure to ensure that design validation shall include risk analysis, where appropriate.” While an independent third-party report was commissioned on April 2, 2014, Abbott Labs failed to accurately incorporate its findings into security risk ratings, leading risk mitigations to be viewed as acceptable when several risks had not been effectively controlled. That report also determined that the universal unlock code on high voltage devices was an exploitable hazard, yet the firm failed to identify it as such.

Abbott Labs responded to the FDA’s findings, although in the letter the FDA said it “reviewed your response and conclude that it is not adequate.” Abbott Labs provided the FDA with a summary and dates for corrective actions, yet did not include “evidence of implementation for your firm’s corrections, corrective actions, and systemic corrective actions.”

The FDA required Abbott Labs to conduct “a full root cause investigation and the identification of actions to correct and prevent recurrence of potential cybersecurity vulnerabilities, as required by your CAPA procedures.” However, the FDA said that while Abbott Labs did perform a risk assessment and take corrective actions, they were performed outside its CAPA (corrective and preventive action) system. Also, Abbott Labs “did not confirm all required corrective and preventive actions were completed,” and the firm “failed to consider systemic corrective actions.”

Abbott Labs performed a product recall on Fortify, Unify, and Assura Implantable Cardioverter Defibrillators (ICDs) and Cardiac Resynchronization Therapy Defibrillators (CRT-Ds), yet during the recall period, 10 ICDs were shipped to St. Jude US Field Representatives and an additional seven devices were implanted in patients.

The above and other violations of FDA regulations covered in the letter must be corrected by Abbott Labs promptly.

If Abbott Labs does not take prompt action to address all of the issues outlined in the FDA letter, the agency could pursue seizure, injunction and a civil monetary penalty. While the FDA confirmed there were cybersecurity issues with some of its products, Abbott Labs was also warned that there may be serious problems with its manufacturing and quality management systems. The FDA therefore advised Abbott Labs to investigate the root causes of the violations and correct them so that all products comply with FDA regulations.

Abbott Labs is required to respond to the letter within 15 days and supply an action plan that addresses all of the previously identified vulnerabilities and safety issues with its products.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.