Abbott Labs rolls out patch for St. Jude-made pacemakers

Hundreds of thousands of people with pacemakers made by St. Jude Medical will have to go to the doctor's office to receive a software update.

Abbott Laboratories, which acquired Minnesota-based St. Jude Medical in January, released a software update on Tuesday intended to improve the cybersecurity protections for 465,000 implanted pacemakers in the United States. Patients must go to their physician's office to have the new software installed and validated.

The update comes a year after the financial firm Muddy Waters shorted St. Jude's stock and announced what it said were grave cybersecurity vulnerabilities that render St. Jude heart-rhythm devices vulnerable to computer hacking. No malicious attack has been documented, but officials with the Food and Drug Administration and Homeland Security Department have confirmed that the St. Jude devices contained vulnerabilities that could allow patient harm.

"As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a device operates," the FDA said in a safety communication Tuesday.

On Jan. 9, Abbott announced its first software patch following the Muddy Waters disclosure. That patch applied to St. Jude's Merlin@home system, which is a bedside monitor that wirelessly communicates with heart devices implanted in patients. The software patch uploaded automatically and applied to patients with pacemakers and implantable defibrillators.

The new software patch, announced on Tuesday by Abbott and the FDA, applies to pacemakers and can only be done in a doctor's office. St. Jude's Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure pacemakers and cardiac resynchronization therapy (CRT) pacemakers are affected.

Installing physicians should make sure that the new software patch finishes loading successfully or else the older software may be reinstalled, according to a "Dear Doctor" letter from Abbott. Also, pacemaker-dependent patients may want to be in a facility where they have access to a temporary pacemaking system in case of a loss of functionality during the update.

"These planned updates further strengthen the security and device management tools for our connected cardiac rhythm management devices," Abbott spokeswoman Candace Steele Flippin said via e-mail. "Abbott is resolving all old St. Jude Medical issues."

Separately but simultaneously on Tuesday, Abbott announced the release of a new software tool that will more accurately assess the remaining battery life in St. Jude implantable defibrillators manufactured between January 2010 and May 2015.

St. Jude announced late last year that thousands of its Fortify, Fortify Assura, Quadra Assura, Unify Assura and Unify Quadra defibrillators and CRT defibrillators are vulnerable to a rare but serious problem in which the lithium battery may short-circuit and go dead with little or no warning. The new software to monitor defibrillator battery life will be rolled out automatically though the Merlin@home system for patients on home monitoring.

The FDA cited Abbott with a warning letter in April over deficiencies in how the St. Jude plant in Sylmar, Calif., has handled the battery-depletion issue and the cybersecurity issue. Company executives said in an earnings call last month that they have already presented the FDA with a "very detailed plan" for resolving the issues.

Joe Carlson • 612-673-4779