FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers

The U.S. Food and Drug Administration (FDA) has recommended all patients with vulnerable St. Jude Medical implantable cardiac pacemakers visit their providers to have the firmware on their devices updated. The update will make the devices more resilient to cyberattacks.

Last year, MedSec Holdings passed on the findings of a study of cybersecurity vulnerabilities in St. Jude Medical devices to the short-selling firm Muddy Waters Capital. The report identified a number of vulnerabilities that could be exploited to alter the functioning of the devices and drain batteries prematurely.

While St. Jude Medical initially denied the vulnerabilities existed, the FDA investigated the claims and confirmed that remotely exploitable vulnerabilities were present in certain St. Jude Medical Products.

Now, a year after the vulnerabilities were disclosed, the FDA has announced a voluntary recall of the devices to update the firmware to prevent the devices from being hacked via radio frequency communications.

There are between 450,000 and 500,000 vulnerable devices currently in use in the United States and a recall of this scale will almost certainly cause problems for healthcare providers. The FDA and Abbot Laboratories, which acquired St. Jude Medical last year, have suggested patients have the firmware upgrade applied at their next scheduled visit to their healthcare provider rather than make a separate visit.

The recall does not apply to implantable cardiac defibrillators or cardiac resynchronization ICDs, only to the following St. Jude Medical pacemakers:

  • Accent SR RF™
  • Accent MRI™
  • Assurity™
  • Assurity MRI™
  • Accent DR RF™
  • Anthem RF™
  • Allure RF™
  • Allure Quadra RF™
  • Quadra Allure MP RF™

The update will require any device attempting to communicate with the implanted pacemaker to be authenticated via the Merlin Programmer and [email protected] Transmitter. All Abbott Laboratories devices manufactured after August 28, 2017 will include the updated firmware. The firmware update was released on August 29.

The FDA has not recommended devices be removed and replaced as the firmware update will make the devices secure. The update is a quick and simple process that takes just three minutes, although patients will be required to visit their providers to have the update applied. The update cannot be issued remotely as there is “a low risk [<0.023%] of update malfunction”.  During the update, the device will continue to function in backup mode and life-saving functionality will be maintained. The devices will return to normal settings after the update has been applied.

It has been more than a year since the report of the vulnerabilities was published, although during that time there have been no reported attacks or harm caused to patients. The Department of Homeland Security says exploiting the vulnerabilities would require “a highly complex set of circumstances.”

“All industries need to be constantly vigilant against unauthorized access,” said Robert Ford, executive vice president, Medical Devices at Abbot Laboratories. He explained, “[cybersecurity] isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.