
Factors Influencing the Decision to Proceed to Firmware Upgrades to Implanted Pacemakers for Cybersecurity Risk Mitigation

Originally published: https://doi.org/10.1161/CIRCULATIONAHA.118.034781. Circulation. 2018;138:1274–1276

In August of 2017, the first major recall for cybersecurity vulnerabilities in pacemakers capable of remote connectivity was released; it affected 465 000 US patients.[1,2] The US Food and Drug Administration approved a firmware update designed by the manufacturer of the devices (Abbott, formerly St Jude Medical) as a remediation. The recall was in response to the public disclosure, by an investment firm, of a vulnerability demonstrated in a laboratory environment that could allow an unauthorized party in close proximity to a patient to affect the performance of the device or modify device settings through radiofrequency communication.[3] Although no exploit has occurred in a patient, and executing one requires a high degree of resources and skill, a successful exploit could pose a significant risk to device safety and essential performance and cause patient harm. The Food and Drug Administration defines this as an uncontrolled vulnerability.[2] The recall recommendations were coordinated among three parties: the Food and Drug Administration; the Industrial Control Systems Cyber Emergency Response Team, a division of Homeland Security that responds to and coordinates disclosure of critical infrastructure cybersecurity vulnerabilities; and Abbott.[1] All parties urged caution and shared decision making between patient and clinician as to whether to apply the device firmware update, a process that requires a clinic visit so that the update can be loaded with a device programmer. The manufacturer bench tested the firmware update, but the only prior experience with an implanted-device firmware update was a 2012 implantable cardioverter defibrillator firmware update that demonstrated a 0.197% risk of device backup mode pacing after the upgrade was performed.

To evaluate the response to the recall, we analyzed remotely collected data from the week of December 10 to 16, 2017, from patient data stored in Abbott’s Merlin.net database of cardiac rhythm management devices that transmit implanted device data using a home communicator.

A total of 26 468 patients transmitted data, and 10 854 patients (41%) were identified who had a clinic visit subsequent to the recall notification (age 79±11 years, 55% male, mean device implant time 3±2 years). A total of 2694 (25%) had the firmware upgrade performed. The majority of pacemakers were dual-chamber pacemakers (81%); the remainder were cardiac resynchronization pacemakers and single-chamber ventricular pacemakers (11%, 8%), and 19% of patients were pacemaker dependent. Institutional review board approval was not required for this study. Remote monitoring data were obtained from the manufacturer, which has data use agreements in place with device centers for patient remote monitoring.

Patient factors associated with performing the firmware upgrade included younger age, male sex, and residence in the southern or midwestern United States. Newer implants and pacemakers versus cardiac resynchronization devices were also more likely to be upgraded. Pacemaker-dependent patients were less likely to be upgraded (Table). Backup mode pacing was observed in 1% of upgraded patients and was resolved in all with reprogramming. There was no failure to pace observed.

Table. Patient and Device Predictors of Firmware Upgrade

Patient and Device Characteristics          Firmware Upgrade, % (n/N)   P Value*
Age, y                                                                  <0.001
  ≤30                                       16 (10/61)
  >30, ≤40                                  22 (10/45)
  >40, ≤50                                  36 (29/81)
  >50, ≤60                                  26 (113/428)
  >60, ≤70                                  27 (401/1496)
  >70, ≤80                                  27 (953/3568)
  >80, ≤90                                  24 (968/4016)
  >90                                       18 (210/1159)
Sex                                                                     0.018
  Male                                      25 (1183/4676)
  Female                                    23 (901/3900)
Region                                                                  <0.001
  South/Midwest                             29 (1945/6614)
  Northeast/West                            18 (746/4234)
Time from pacemaker implant, y                                          <0.001
  ≤1                                        29 (663/2298)
  >1, ≤2                                    26 (586/2236)
  >2, ≤3                                    26 (464/1792)
  >3, ≤4                                    23 (313/1364)
  >4, ≤5                                    20 (206/1014)
  >5, ≤6                                    26 (199/775)
  >6, ≤7                                    20 (147/734)
  >7, ≤8                                    19 (101/520)
  >8, ≤9                                    12 (15/121)
Pacemaker versus resynchronization device                               <0.001
  Single-chamber ventricular                27 (227/834)
  Dual chamber                              25 (2248/8840)
  Cardiac resynchronization                 19 (219/1180)
Pacemaker dependent                                                     <0.001
  Yes                                       19 (2138/7815)
  No                                        27 (332/1852)

*χ2 test was used to calculate the P values.

This analysis indicates that most patients and clinicians affected by a cybersecurity recall react conservatively to the potential risk of an exploit and do not elect to have a firmware update, but do continue to use remote connectivity for device transmissions. The advisory recall notifications did not provide patient- or device-specific recommendations, other than to have temporary pacing capability present at the time of the upgrade for pacemaker-dependent patients. The analysis also shows that younger male patients with more recent implants were more likely to have the firmware upgrade. Because men and women were equally represented, it is unclear why men were upgraded more. This is consistent with other reports demonstrating that women are offered cardiovascular testing and therapies less often than men.[4] The decision to upgrade younger patients and newer implants may be based on the reasoning that they face greater exposure to risk, because the devices are expected to last 5 to 10 years. The reason that upgrades occurred more often in specific regions of the country is unclear and may be related to factors such as more intensive manufacturer representative communication or specific geographical considerations for patients and their access to healthcare providers. The finding that pacemaker-dependent patients were upgraded less often reflects the concern that essential functions like pacing could be disabled. It is unclear why patients with cardiac resynchronization devices were upgraded less often; it may be that there is a lower level of clinical concern about cyber intrusions for patients who receive devices for heart failure rather than bradycardia indications. As experience accumulates with firmware upgrades, these differences may diminish, and clinicians and patients may elect to proceed with prophylactic firmware upgrades.

It is important that the manufacturing, governmental, and clinical communities continue to track and monitor connected devices subject to firmware upgrades to help inform recall recommendations, to monitor device performance, and to help inform clinical recommendations. This is especially true as more and more diagnostic and therapeutic implantable devices are connected to the Internet and, in particular, as additional connected device and software services are offered and approved by the Food and Drug Administration for patient monitoring and management.[5]

Footnotes

Data sharing: The data will not be made available to researchers as it is proprietary to the manufacturer and was specifically queried for the purposes of examining the response to the firmware update advisory. The methods are clearly stated in the article.

Leslie A. Saxon, MD, USC Center for Body Computing, 12015 Waterfront Drive, Los Angeles, CA 90094.
