Share this article on:
The U.S. Food and Drug Administration has issued an alert about certain Abbott Laboratories implantable cardiac devices that have cybersecurity vulnerabilities that could potentially be exploited to alter the functioning of the devices.
Certain implantable cardiac defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) are affected, including the Current, Promote, Fortify, Quadra, Unify, and Ellipse families of products. The flaws do not exist on pacemakers or cardiac resynchronization pacemakers (CRT-Ps).
Exploitation of the vulnerabilities is possible using commercially available equipment that could be used to send commands to the devices via radio frequencies. For the vulnerabilities to be exploited, an attacker would need to be in relatively close proximity to the device.
Were an attack to happen, it would be possible to alter the function of the devices and cause them to deliver inappropriate packing and shocks or cause the batteries to deplete prematurely. Exploitation of the vulnerabilities therefore has potential to cause harm to patients.
The vulnerabilities are being addressed with a firmware update. The FDA has assessed the update and confirmed that it mitigates the vulnerabilities and reduces the potential for harm to a reasonable level. After receiving the update, any device that attempts to connect to the ICD or CRT-D would need to provide authentication before any changes could be made.
Abbott Laboratories notes in a recent press release that there have been no reports of the vulnerabilities actually being exploited, and that the update is not an emergency measure but part of a series of planned updates to improve cybersecurity.
The firmware update also corrects an unrelated issue with the lithium ion batteries which can cause them to deplete rapidly, in some cases within a day. This is not caused by malicious actors, instead it is a problem with the batteries, which can form lithium deposits that create abnormal electrical connections. The update includes a new battery depletion alert that will be triggered if rapid battery depletion is detected, informing the patient that they must arrange to visit their physician as soon as possible.
The firmware update cannot be applied remotely. Patients must visit their provider to have their ICD or CRT-D updated.
The update will take approximately 3 minutes during which time the device will operate in backup VVI mode. High voltage therapy will be temporarily disabled and there is potential for the device to deliver no pacing for up to three seconds during the update.
Any firmware or software update has potential to cause a device to malfunction, although the risk is very low and a previous firmware update in August 2017 resulted in no serious malfunctions. In 0.62% of cases, the update was not applied in full. In such cases the issue was rapidly resolved with Technical Services. To reduce the risk of problems, a programmer update has been incorporated which should keep update errors to a minimal level.
Certain devices cannot accept the update due to technical limitations. A fix has been offered by Abbott Laboratories that involves switching off RF functionality via the Merlin@home programmer. While this fix will prevent any exploitation of the vulnerabilities, it would also prevent the device from sending data directly to the physician’s office. Consequently, the FDA recommends that RF functionality is not disabled.