Abbott Releases New Software Updates to Protect Pacemakers From Hacking

Abbott Laboratories released new software updates designed to protect hundreds of thousands of implanted pacemakers from external hacking that could harm heart patients and to guard against dangerous battery depletions in a different cardiac device linked to two patient deaths.

U.S. health regulators flagged the safety risks of the devices and issued a blistering warning letter earlier this year criticizing Abbott's handling of the problems. Abbott acquired the products with its $23.6 billion purchase of St. Jude Medical in January and said the issues cited in the warning letter occurred before the deal closed.

The software patches underscore the growing concern about cybersecurity of medical devices that are increasingly connected via the internet or other networks.

Abbott said in a letter to doctors Monday that the new firmware -- a type of software embedded in the device's hardware -- is intended to reduce the risk of unauthorized access to pacemakers that use radio-frequency communications.

"This firmware update provides an additional layer of security against unauthorized access to these devices that further reduces the potential for a successful cybersecurity attack," Abbott said in the letter.

Abbott said it doesn't recommend that patients have their pacemakers replaced. Rather, the company advises doctors to discuss the matter with patients at their next visits and to administer the software update if it is deemed appropriate. The doctor administers the update through a wand held over the site of the implanted pacemaker. The update itself carries small risks of causing a device malfunction, Abbott said.

About 465,000 implanted pacemakers are eligible for the update, and Abbott said the update will be built into all newly implanted devices. The pacemakers are sold under brand names including Accent, Anthem and Assurity.

The FDA said Tuesday there are no known reports of patient harm related to the cybersecurity vulnerabilities in the 465,000 implanted pacemaker devices.

The agency said it approved Abbott's software update "to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities" for the pacemakers, which use electrical jolts to maintain a regular heartbeat in patients with abnormal heart rhythm.

The FDA said the Abbott pacemakers had vulnerabilities that, if exploited, could allow an unauthorized user to access a patient's device using commercially available equipment. Hackers could modify programming commands to the pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate heart pacing, the FDA said.

Abbott also released a new software update for more than 398,000 implanted cardioverter defibrillators, which are designed to prevent cardiac arrest in patients with rapid heartbeats. The software update provides doctors with earlier warnings of the potential for premature battery depletion.

In its warning letter earlier this year, the FDA said Abbott hadn't properly investigated and resolved the cybersecurity risks of its pacemakers or the risk of premature battery depletion in the defibrillators.

Last year, St. Jude warned of a battery malfunction that could cause defibrillators to quickly lose power and stop functioning, and the FDA said two patients died after batteries in their St. Jude-made defibrillators ran down prematurely, preventing the devices from providing needed shock therapy.

Write to Peter Loftus at peter.loftus@wsj.com

(END) Dow Jones Newswires

August 29, 2017 18:54 ET (22:54 GMT)