Pacemaker Incident Provides Important Lessons for Future Device Security Updates

What the FDA and manufacturers can do better when issuing future updates.

When the FDA and the device maker Abbott acknowledged and patched a potential software vulnerability in the company’s pacemakers earlier this year, it was the first instance of its kind. According to a new commentary in the Journal of the American Medical Association, the situation could have been handled better in many ways.

The article contains some key lessons that the agency, the industry, and clinicians might consider.

The devices were made by St. Jude Medical, which was acquired by Abbott in early 2017. The corrective firmware update was FDA-approved and issued in August of 2017, though at the time it was described by the agency and reported in many media outlets as a recall. The authors note that the FDA was unclear both about whether it was a recall and about the scope of the threat.

“Given the novelty of this event, the FDA might have leveraged the safety communication to specifically identify whether there is an industry-wide concern, and to clarify current security standards established by regulators for new device approval,” the authors write. They claim such events present the FDA with an opportunity to not just inform, but also reassure “the millions of patients who have pacemakers that are not subject to the advisory.”

Another area where the commentary urges improvement is in safety assurance. The pacemakers were present in more than 450,000 American patients, so the potential susceptibility to hacking was alarming. But the actual process of upgrading the firmware would temporarily revert the devices to ventricular demand pacing, a change in function that could in rare cases cause adverse events.

Additionally, clinicians were presented with the update within Abbott’s management software as an “alert” that initiated the process with a single button click. The article expresses concern that the update could too easily be applied by doctors who were not aware of the potential risks.

To address this, the authors recommend the regulatory body and the device industry form a stronger partnership and try to pilot corrective actions to better understand such risks.

“The true rate of malfunction may not be known until tens of thousands of devices are already upgraded…In this specific case, even preliminary feedback from clinical sites might rapidly identify an important set of concerns regarding the logistics,” the authors write, “Perhaps leading to revision (for example) of the user interface to avoid inadvertent initiation of the upgrade in an unsafe setting.”

Though it credits the FDA with making strides to collaborate with cybersecurity experts, academia, clinicians, and the industry, the article goes on to warn that the problem will only grow more complex as more and more remote devices enable or require connectivity. Heightened awareness should not be exclusive to manufacturers and regulators.

“An entirely new class of potential medical device malfunction is likely to become increasingly common,” they wrote, “Patients and clinicians need to appreciate these risks alongside the convenience and diagnostic and therapeutic potential of remotely connected devices.”

The commentary, “Cybersecurity Concerns and Medical Devices: Lessons From a Pacemaker Advisory,” was co-authored by Daniel B. Kramer, MD, MPH, of Harvard Medical School and the Richard A. and Susan F. Smith Center for Outcomes Research in Cardiology; and Kevin Fu, PhD, from the College of Engineering at the University of Michigan.