Abbott Issues Software Patches for More Cardiac DevicesUpdates Address Cybersecurity, Battery Problems
Abbott Laboratories has issued software updates for certain implantable cardiac devices to address cybersecurity flaws and battery issues that pose potential safety risks to patients. The products were previously sold by device maker St. Jude Medical, which Abbott acquired last year.
See Also: Hybrid IT-OT Security Management
More than 382,000 of these affected devices are distributed in the U.S., including 350,000 devices that are currently implanted in patients, according to the Food and Drug Administration and Abbott. The remainder of the devices are in inventories and will be updated "in-box," an Abbott spokeswoman says.
The device problems were also the subject of previous warnings by the FDA and the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, which both issued new advisories on April 17 about the availability of the Abbott software patches.
The impacted devices include certain families of Abbott implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, which are devices that provide pacing for slow heart rhythms and electrical shock or pacing to stop dangerously fast heart rhythms, the FDA notes in its alert.
Last August, Abbott also issued software updates to address similar cybersecurity vulnerabilities in certain implantable cardiac pacemaker devices (see A FDA First: Cyber Recall for Implantable Devices).
In a statement provided to Information Security Media Group, Abbott says the latest patches "are planned updates to further strengthen security and enhance performance - all part of the same effort we undertook in August for our pacemakers and remote monitoring systems. Those cybersecurity and battery performance updates are now approved and available for implantable defibrillators."
Abbott adds: "It's important to note that there have been no new cybersecurity vulnerabilities identified as part of this advisory - it's all part of the same effort, just now on a new set of products. It's also important to note that - as was the case in 2017 - there remain no reports of unauthorized access to any patient's implanted devices."
Like the patches issued last August for Abbott's pacemaker devices, the latest software updates for the implantable defibrillators address cybersecurity vulnerabilities and battery problems that were the center of a controversial August 2016 report. That report was issued by short-sell investment firm Muddy Waters Capital, based on findings by MedSec Holdings, a security research firm that reportedly has a financial arrangement with Muddy Waters.
While the Muddy Waters/MedSec report highlighted important cybersecurity issues concerning the St. Jude medical devices, the controversial manner in which the research was released - by an investment company - and its financial arrangement with "ethical hacker" MedSec, which found the vulnerabilities, drew criticism from the healthcare industry.
Last year, the FDA and ICS-CERT issued a number of safety communications and advisories related to cybersecurity and other potential safety problems - including some based on the MedSec findings - involving other various Abbott cardiac devices (see FDA Sends Warning Letter to Abbott Labs About Cyber Flaws.)
The FDA measures last August resulted in a "corrective action" - or "voluntary recall" - by the manufacturer to address cybersecurity vulnerabilities in certain Abbott network-connected implantable cardiac devices. That recall was the subject of Abbott's software updates last August for its pacemaker product, an Abbott spokeswoman says.
In a statement provided to ISMG, the FDA notes that the Abbott firmware update announced April 17 "is a voluntary recall and correction to address rapid battery depletion and cybersecurity vulnerabilities in Abbott's implantable cardiac defibrillators"
FDA says the April 17 recall "is the only cybersecurity-related medical device recall reported to the FDA since the August 2017 [Abbott] recall and correction of Abbott's pacemaker and cardiac resynchronization pacemakers devices. Since 2012, there have been a few other voluntary recalls of medical devices for cybersecurity vulnerabilities."
Since the August 2016 public disclosure of cybersecurity vulnerabilities identified by MedSec/Muddy Waters, the FDA has worked closely with Abbott as they developed and thoroughly tested new software and firmware to address issues in their Merlin@home Transmitter, pacemakers and defibrillation devices, the agency says.
"The FDA's actions to date have focused on mitigating the vulnerabilities with the highest risk to patients first. An update to the Merlin@home device was approved and released in January 2017 to address the highest risk vulnerabilities first, and also reduce other risks. In August 2017, a firmware update similar to the cybersecurity mitigations in this safety communication was made to reduce the risk of patient harm in implanted pacemaker and cardiac resynchronization pacemakers. This update addressed similar vulnerabilities in the defibrillation devices."
FDA notes in its recent public statement that the firmware subject to the recent updates "is a specific type of software embedded in the hardware of a medical device - for example a component in the defibrillator," FDA notes.
The FDA recommends that all eligible patients receive the firmware update at their next regularly scheduled doctor visit or when appropriate depending on the preferences of the patient and physician.
In its alert about the situation, ICS-CERT notes that the firmware patches address vulnerabilities involving improper authentication and improper restrictions of power consumption.
"The device's authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the ICD or CRT-D via radio frequency communications," ICS-CERT says.
Related to the second vulnerability, ICS-CERT writes: "The ICDs and CRT-Ds do not restrict or limit the number of correctly formatted 'RF wake-up' commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce device battery life. Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to an ICD to issue commands, change settings, or otherwise interfere with the intended function of the ICD."
ICS-CERT notes that the Abbott high voltage device families that utilize wireless radio frequency communication include: Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura, Unify Quadra, Promote Quadra, and Ellipse.
It also notes in its advisory: "Abbott states that firmware updates should be approached with caution. As with any software update, firmware updates can cause devices to malfunction."
The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware update and the associated risk of performing the update in the context of potential cybersecurity risk, ICS-CERT notes.