Hundreds of thousands of implantable heart defibrillators made by Minnesota’s St. Jude Medical are getting cybersecurity software updates, while older versions of the devices may have their wireless communication systems disabled because they can’t accept the update.
A series of 11 recent recall notices said that roughly 740,000 implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) made by St. Jude Medical are eligible to receive new firmware that provides “an additional layer of protection against unauthorized device access.”
Many implanted medical devices, including defibrillators, have wireless communications features that can remotely monitor patient health and device status. Such communication systems could theoretically be hijacked by malicious computer hackers in ways that could harm patient health, though such an attack has never been documented.
The software alerts for the St. Jude devices recommend that patients with eligible defibrillators get the firmware update at their next regularly scheduled doctor visit, or at the time that is most appropriate, depending on patients’ and physicians’ preferences.
For older models of devices not eligible for the cybersecurity firmware update, the company recommends “a discussion of the risks of cybersecurity vulnerabilities and proven benefits of remote monitoring with patients at their next regularly scheduled visit. RF communication may be permanently disabled in devices not eligible for firmware updates during an in-clinic device interrogation with a programmer that has received the software update.”
Abbott Laboratories, which acquired St. Jude Medical last year, sent U.S. hospitals and doctors notices about the St. Jude defibrillator firmware updates in April.
On June 29, the Food and Drug Administration classified those firmware updates as Class 2 recalls, which is the medium-severity category reserved for issues in which adverse health consequences are considered temporary or reversible, or where the probability of serious health consequences is “remote.”
“Abbott and the U.S. Food and Drug Administration do not recommend replacement of implanted defibrillator devices as a result of these updates. Your ICD or CRT-D remains fully effective for pacing and defibrillation, as designed,” Abbott said in an April 16 statement.
The recall affects: 139,351 Ellipse ICDs; 72,673 Quadra Assura CRT-Ds; 40,738 Unify CRT-Ds; 81,338 Fortify ICDs; 37,485 Promote ICDs; 131,093 Fortify Assura ICDs; 71,651 Current ICDs; 10,425 Promote Quadra ICDs; 22,132 Unify Quadra CRT-Ds; 68,117 Quadra Assura MP CRT-Ds; and 65,048 Unify Assura CRT-Ds.
“Devices that use this type of software may require updates from time to time, as technology and security for connected devices and systems continues to advance,” said Kelly Morrison, spokeswoman for Abbott Labs.
The defibrillator updates come less than a year after Abbott issued new software for 465,000 implanted St. Jude Medical pacemakers in the U.S.