The U.S. Food and Drug Administration has released an alert regarding certain Abbott Laboratories implantable cardiac devices that have cybersecurity weaknesses that could possibly be targeted to alter the usability of the devices.
A number of implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) are affected, including the Current, Promote, Fortify, Quadra, Unify, and Ellipse families of products. The weaknesses have not been found in pacemakers or cardiac resynchronization therapy pacemakers (CRT-Ps).
Exploitation of the flaws is possible using openly available equipment capable of sending instructions to the devices over radio frequencies. For the flaws to be exploited, an attacker would need to be in relatively close proximity to the device in question.
If an attack were to happen, it would be possible to alter the function of the devices and cause inappropriate pacing and shocks, or cause the batteries to deplete rapidly. Exploitation of the flaws therefore has the potential to cause harm to patients.
The flaws are being addressed with a firmware update. The FDA has assessed the update and confirmed that it mitigates the flaws and reduces the potential for harm to an acceptable level. Once the update has been applied, any device that attempts to connect to the ICD or CRT-D must complete an authentication process before any changes can be made.
Abbott Laboratories notes in a recent press release that there have been no reports of the flaws actually being exploited, and that the update is not an emergency measure but part of a series of planned updates to enhance cybersecurity.
The firmware update also fixes an unrelated issue with the lithium-ion batteries that can cause them to deplete rapidly, in some cases within 24 hours. This is not caused by malicious individuals; it is a defect in the batteries, which can form lithium deposits that create abnormal electrical connections. The update includes a new battery depletion warning that is triggered when rapid battery depletion is detected, telling the patient to arrange a visit to their physician as soon as possible.
The firmware update cannot be applied remotely. Patients must see their provider to have their ICD or CRT-D updated.
The update takes around 3 minutes, during which time the device operates in backup VVI mode. High-voltage therapy is temporarily switched off, and there is a possibility that the device will deliver no pacing for up to three seconds during the update.
Any firmware or software update could cause a device to malfunction, although the risk is very small, and a previous firmware update in August 2017 led to no serious malfunctions. In 0.62% of cases, the update was not applied completely; in those cases the problem was rapidly resolved with Technical Services. To reduce the likelihood of issues, a programmer update has been incorporated that should keep update errors to a minimum.
Certain devices cannot apply the update due to technical restrictions. For these, Abbott Laboratories has provided a workaround that involves switching off RF functionality via the Merlin@home programmer. While this workaround will prevent any exploitation of the flaws, it would also stop the device from sending data directly to the physician's office. Consequently, the FDA advises that RF functionality not be turned off.