Abbott Laboratories Defibrillator Flaws Alert Issued by FDA

by | Apr 27, 2018

The U.S. Food and Drug Administration has released an alert regarding certain Abbott Laboratories implantable cardiac devices with cybersecurity weaknesses that could potentially be exploited to alter how the devices function.

A number of implantable cardiac defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) are impacted, including the Current, Promote, Fortify, Quadra, Unify, and Ellipse families of products. The weaknesses have not been seen on pacemakers or cardiac resynchronization pacemakers (CRT-Ps).

Exploitation of the flaws is possible using openly available equipment that could be used to send instructions to the devices via radio frequencies. For the flaws to be exploited, a hacker would need to be in relatively close proximity to the device in question.

Were an attack to happen, it would be possible to change the function of the devices and cause inappropriate pacing and shocks or cause the batteries to deplete quickly. Exploitation of the flaws therefore has the potential to harm patients.

The flaws are being addressed with a firmware update. The FDA has assessed the update and confirmed that it mitigates the flaws and reduces the potential for harm to a reasonable level. After receiving the update, any device that tries to connect to the ICD or CRT-D would need to complete an authentication process before any changes could be made.

Abbott Laboratories notes in a recent press release that there have been no accounts of the flaws actually being exploited, and that the update is not an emergency step but part of a series of planned updates to enhance cybersecurity.

The firmware update also fixes an unrelated issue with the lithium ion batteries, which can lead to them depleting rapidly, in some cases within 24 hours. This is not caused by malicious individuals; it is an issue with the batteries, which can form lithium deposits that create abnormal electrical connections. The update includes a new battery depletion warning that will be triggered if rapid battery depletion is detected, telling the patient that they must arrange to visit their physician as soon as they can.

The firmware update cannot be applied remotely. Patients must see their provider to have their ICD or CRT-D updated.

The update will take around 3 minutes, during which time the device will work in backup VVI mode. High voltage therapy will be temporarily switched off, and there is a possibility that the device will deliver no pacing for up to three seconds during the update.

Any firmware or software update could cause a device to malfunction, although the danger is very minimal, and a previous firmware update in August 2017 led to no serious malfunctions. In 0.62% of cases, the update was not applied completely. In such cases the problem was rapidly resolved with Technical Services. To reduce the likelihood of issues, a programmer update has been incorporated which should keep update mistakes to a minimal level.

Certain devices cannot apply the update due to technical restrictions. A fix has been provided by Abbott Laboratories that involves switching off RF functionality via the Merlin@home programmer. While this fix will stop any exploitation of the flaws, it would also stop the device from sending data directly to the physician’s office. Consequently, the FDA advises that RF functionality is not turned off.


Patrick Kennedy
