Hacking Concerns about Abbott/St. Jude Pacemakers and Other Medical Devices

by Terry Bryant

The world of defective products is experiencing profound change. The last week in August, the FDA issued a recall which specifically warned about some elements of 13 different model types of Abbott (formerly St. Jude Medical) Pacemaker systems. It applies to some implantable cardiac pacemakers, including cardiac resynchronization therapy pacemaker (CRT-P) devices, and the insulated wire “leads” that connect to the heart. It does NOT apply to implantable cardiac defibrillators (ICDs) or cardiac resynchronization ICDs (CRT-Ds).

Because these devices are part of a heart rhythmic control and management “system,” they can be monitored and adjusted by a doctor who is connected remotely to the patient via computer. But hackers have exposed a vulnerability in the operating system (OS). This means someone can compromise these Abbot Pacemakers by sending them commands which could affect their operation, and even a patient’s life. The “fix” requires patients to make a trip to their medical provider so a software update can be installed.

According to the FDA, around 465,000 pacemakers in the U.S. are affected by the recall, though the number outside the U.S. is not known. No units have been compromised so far. But the potential consequences of such a breach could be life-threatening.

It seems odd to think about at first.  But like “smart” cars, and “intelligent” appliances, pacemakers and other medical devices are becoming smarter, with the ability to connect to mobile devices and larger “mother ship” diagnostic and command systems.  This connectivity exposes a vulnerability. Without the necessary credentials, or a hack which bypasses or breaks this, someone can connect to online smart systems.

But there’s another wrinkle to this story that involves a merger between two of the largest healthcare device makers in the world: Abbott Healthcare and the Canadian St. Jude Medical (not to be confused with the renowned children’s research hospital in Memphis, Tennessee).

Troubling Times for St. Jude Prior to the Abbott Merger?

In negotiations for well over a year and completed on January 4, 2017, Abbott’s purchase of St. Jude served as a backdrop for the waves of problems St. Jude Pacemakers experienced with a large percentage of its devices, which came to a head in 2016.  Most surrounded compromised battery life, leading to an FDA recall in 2015. A year later, in August 2016, a lawsuit was filed against St. Jude alleging security vulnerabilities.

Abbott Pacemaker Recall

Now Abbott’s current pacemaker security vulnerabilities require a “firmware update” to address OS security. This was first reported to the public in August 2016, after it was detected internally several months earlier. The report outlined scenarios which could drain pacemaker battery life, allow attackers to change programmed settings, or even change the beats and rhythm of the device.

As negotiations of the Abbott merger continued building toward their January climax, in October 2016 the FDA issued its first, and narrower, St. Jude device security recall for removal from the medical marketplace – two months after the lawsuit was filed. This entire story has yet to play out.

But it is interesting when added to other problems with pacemakers – such as Medtronic’s $114 million settlement of a 2014 product liability lawsuit for injuries caused by some of its malfunctioning units.  Collectively, the issue of safe pacemakers and other medical devices should give us cause for pause. And as technology and connectivity roll on, we must consider the ultimate cost when things go wrong.

To schedule a free consultation regarding a pacemaker failure with Terry Bryant Accident & Injury Law, contact us today by filling out our online contact form or giving us a call at (800) 444-5000 or locally in the Houston area at (713) 973-8888.