Factors Influencing the Decision to Proceed to Firmware Upgrades to Implanted Pacemakers for Cybersecurity Risk Mitigation
In August of 2017, the first major recall for cybersecurity vulnerabilities in pacemakers capable of remote connectivity was released that affected 465 000 US patients.1,2 The US Food and Drug Administration approved a firmware update designed by the manufacturer of the devices as a remediation (Abbott, formally St Jude Medical). The recall was in response to the public disclosure of vulnerability by an investment firm and produced in a laboratory environment that could allow an unauthorized party in close proximity to a patient to impact the performance of the device or modify device settings through radiofrequency communication.3 Although an exploit has not occurred in a patient and requires a high degree of resources and skill to execute, if accomplished, it could pose a significant risk to device safety and essential performance and cause patient harm. The Food and Drug Administration defines this as an uncontrolled vulnerability.2 The recall recommendations were coordinated among three parties: the Food and Drug Administration, the Industrial Control Systems Cyber Emergency Response Team—a division of Homeland Security that responds to and coordinates disclosure of critical infrastructure cybersecurity vulnerabilities—and Abbott.1 All parties urged caution and shared decision making between patient and clinician as to whether to have the device firmware update, a process that requires a clinic visit to implement with a device programmer. The manufacturer bench tested the firmware update, but the only prior experience with an implanted device firmware update was a 2012 implantable cardioverter defibrillator firmware update that demonstrated a 0.197% risk of device backup mode pacing after the upgrade was performed.
To evaluate the response to the recall, we analyzed remotely collected data from the week of December 10 to 16, 2017, from patient data stored in Abbott’s Merlin.net database of cardiac rhythm management devices that transmit implanted device data using a home communicator.
A total of 26 468 patients transmitted data and 10 854 patients (41%) were identified who had a clinic visit subsequent to the recall notification (age 79±11 years, 55% male, mean device implant time 3±2 years). A total of 2694 (25%) had the firmware upgrade performed. The majority of pacemakers were dual-chamber pacemakers (81%), the remaining were cardiac resynchronization pacemakers and single-chamber ventricular pacemakers (11%, 8%), and 19% of patients were pacemaker dependent. Institutional review board approval was not required for this study. Remote monitoring data were obtained from the manufacturer that has data use agreements in place with device centers for patient remote monitoring.
Patient factors associated with performing the firmware upgrade included younger age, male sex, and residence in the southern or midwestern United States. Newer implants and pacemakers versus cardiac resynchronization devices were also more likely to be upgraded. Pacemaker-dependent patients were less likely to be upgraded (Table). Backup mode pacing was observed in 1% of upgraded patients and was resolved in all with reprogramming. There was no failure to pace observed.
|Patient and Device Characteristics||Firmware Upgrade, % (n/N)||P Value*|
|>30, ≤40||22 (10/45)|
|>40, ≤50||36 (29/81)|
|>50, ≤60||26 (113/428)|
|>60, ≤70||27 (401/1496)|
|>70, ≤80||27 (953/3568)|
|>80, ≤90||24 (968/4016)|
|Time from pacemaker implant, y||<0.001|
|>1, ≤2||26 (586/2236)|
|>2, ≤3||26 (464/1792)|
|>3, ≤4||23 (313/1364)|
|>4, ≤5||20 (206/1014)|
|>5, ≤6||26 (199/775)|
|>6, ≤7||20 (147/734)|
|>7, ≤8||19 (101/520)|
|>8, ≤9||12 (15/121)|
|Pacemaker versus resynchronization device||<0.001|
|Single-chamber ventricular||27 (227/834)|
|Dual chamber||25 (2248/8840)|
|Cardiac resynchronization||19 (219/1180)|
This analysis indicates that most patients and clinicians impacted by a cybersecurity recall react conservatively to the potential risk of an exploit and do not elect to have a firmware update but do continue to use remote connectivity for device transmissions. The advisory recall notifications did not provide patient- or device-specific recommendations, other than to have temporary pacing capability present at the time of the upgrade for pacemaker-dependent patients. This analysis indicates that younger male patients with more recent implants were more likely to have the firmware upgrade. Because men and women were equally represented, it is unclear why men were upgraded more. This is consistent with other reports demonstrating that women are offered cardiovascular testing and therapies less often than men.4 The decision to upgrade younger patients and newer implants may be based on reasoning that they face greater exposure to risk, because the devices are expected to last 5 to 10 years. The reason that upgrades occurred more in the specific regions of the country is unclear and may be related to factors such as more intensive manufacturer representative communication or specific geographical considerations for patients and their access to healthcare providers. The finding that pacemaker-dependent patients were upgraded less often indicates the concern that essential functions like pacing could be disabled. It is unclear why patients with cardiac resynchronization devices were upgraded less often; it may be that there is a lower level of clinical concern for cyber intrusions for patients who receive devices for heart failure versus bradycardia indications. As experience accumulates with firmware upgrades, these differences may diminish and clinicians and patients may elect to proceed with prophylactic firmware upgrades. It is important that the manufacturing, governmental, and clinical communities continue to track and monitor connected devices subject to firmware upgrades to help inform recall recommendations, to monitor device performance, and to help inform clinical recommendations. This is especially true as more and more diagnostic and therapeutic implantable devices are connected to the Internet and, in particular, as additional connected device and software services are offered and approved by the Food and Drug Administration for patient monitoring and management.5
Sources of Funding
Abbott supported the data query of the remote monitoring database with Abbott personnel.
All authors are paid members of the Abbott Cybersecurity Medical Advisory Board.
- 1. US Food and Drug Administration. Cybersecurity vulnerabilities identified in St. Jude Medical’s implantable cardiac devices and Merlin@home transmitter/firmware update to address cybersecurity vulnerabilities identified in Abbott’s (formerly St. Jude Medical’s) implantable cardiac pacemakers: FDA Safety Communication.U.S. Food and Drug Administration. 2017. https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm553873.htm. Accessed October 26, 2017.Google Scholar
- 2. Postmarket Management of Cybersecurity in Medical Devices. Guidance for Industry and Food and Drug Administration Staff. Silver Spring, MD: US Food and Drug Administration; 2016. https://www.fda.gov/downloads/Medi-calDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf. Accessed August 17, 2017.Google Scholar
- 3. Muddy Waters Capital, LLC. MW is Short St. Jude Medical (STJ:US). Muddy Waters Research.2016. http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/.Google Scholar
Garcia M, Mulvagh SL, Noel C, Merz B, Buring JE, Manson JE. Cardiovascular disease in women: clinical perspectives.Circ Res. 2016; 15:1273–1293. doi: 10.1161/CIRCRESAHA.116.307547LinkGoogle Scholar
- 5. US Food and Drug Administration. Digital health innovation action plan.US Food and Drug Administration. https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM568735.pdf. Accessed January 5, 2018.Google Scholar