Healthcare product manufacturer Abbott Laboratories is working with regulatory authorities to update the firmware and software in its implantable pacemakers, in an effort to shore up a security vulnerability that could lead to unauthorized access.
The announcement was made on the same day that the FDA issued a security advisory indicating that it approved Abbott’s firmware update on Aug. 23, and that patients should consider this an official product recall “to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities…” According to the FDA, 465,000 pacemakers in the U.S. are impacted. Meanwhile, the BBC reported that 745,000 implanted devices are impacted worldwide.
Patients will have to visit a health care provider in person to receive the update, as it cannot be executed remotely.
As a result of the firmware update, any external device attempting to communicate with the pacemaker will now require authorization. Additionally, the corresponding software update will introduce data encryption, operating system patches, and the ability to disable network connectivity features, Abbott announced in a press release on Tuesday, Aug. 29.
The pacemakers were originally developed by St. Jude Medical, which was officially acquired by Abbott in January of 2017. Almost immediately following the purchase, the Lake Bluff, Ill.-based company took steps to improve the security of its inherited products by updating the software for the Merlin@home transmitter, a home monitor solution that sends data via a wireless RF signal from patient devices to a cloud server.
“All industries need to be constantly vigilant against unauthorized access,” said Robert Ford, executive vice president, medical devices at Abbott, in the press release. “This isn’t a static process, which is why we’re working with others in the health care sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”
Affected pacemakers include various models listed under its Accent, Allure, Anthem, and Assurity product lines. The company also just updated its implantable cardioverter defibrillators to include a Battery Performance Alert mechanism that defends against premature battery depletion.