Cybersecurity Update | St. Jude Medical

Cybersecurity: Your Safety Is Our Top Priority

The values of patient safety and integrity long associated with healthcare require a strong focus on cybersecurity to protect the promises inherent in an interconnected, data-driven healthcare model. At Abbott, we create and provide products, devices, and systems that help people live their best lives through good health. Our goal is to ensure our devices, products, and systems meet the highest security standards and that commitment governs how we approach cybersecurity across our business.

April 16, 2018 Cybersecurity ICD AND CRT-D Firmware Release Update

Abbott released a planned upgrade to the firmware installed on certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices. This firmware upgrade incorporates two updates to improve performance and strengthen the security of these devices. These updates are part of Abbott’s ongoing commitment to continuously improve patient care.

What is the purpose of the new update?
The ICD and CRT-D firmware upgrade incorporates two updates designed to strengthen the security and improve the performance of your ICD or CRT-D. The security update provides an additional layer of protection against unauthorized access to your device. It is intended to prevent anyone other than your doctor from changing your device settings. Abbott has had no reports of hacking or unauthorized access to any patient’s implanted device.

What do I need to know about the update process?
Abbott’s recommendation, and that of our Medical Advisory Boards, is that you have a conversation with your physician to determine if the firmware upgrade is right for you. If you and your physician decide that it is, the firmware upgrade can be performed during your next regularly scheduled in-office visit, or whenever you and your physician deem appropriate. During the upgrade a wand will be placed over your ICD or CRT-D and will transfer the information to the device. At the end of the process, the final settings on your device will be reviewed to ensure that the updates have been completed successfully. The upgrade process takes approximately three minutes to complete.

How likely is it that someone could gain unauthorized access to my device?
We have received no reports of unauthorized access to any patient’s implanted device. As with the previous pacemaker updates, the U.S. Department of Homeland Security reports compromising the security of these devices would be extremely difficult and require a high level of expertise.

Does this mean I should have my ICD or CRT-D removed?
No, Abbott and the U.S. Food and Drug Administration do not recommend replacement of implanted defibrillator devices as a result of these updates. Your ICD or CRT-D remains fully effective for pacing and defibrillation, as designed.

To help keep you informed, the patient guide below provides additional responses to Frequently Asked Questions (FAQ) related to the ICD and CRT-D firmware upgrade. In addition, if you have any further questions, please contact our dedicated customer technical support hotline at 1‐800‐436‐5056 (U.S.).

Patient Guide FAQ: ICD and CRT-D Firmware Upgrade – April 2018 (64kb)

August 29, 2017 cybersecurity pacemaker firmware release update

Abbott released an update to its implantable pacemakers as part of its ongoing commitment to continuously improve patient care. This planned update to pacemaker firmware (a kind of software) adds additional security protections designed to reduce the risk of unauthorized access to patients' pacemakers.

Speak to your physician to see if this update is right for you.

What you need to know about the pacemaker firmware update

Firmware is a kind of software that is embedded in the hardware of the pacemaker device. Technological devices that use software, such as that in your pacemaker, require updates from time to time.

The update contains a software release that includes data encryption, operating system patches, and the ability to disable network connectively features, in addition to the firmware update.

The pacemaker devices to which this update applies include the RF telemetry versions of the following devices in the U.S.: Accent SR RF™, Accent MRI™, Assurity™, Assurity MRI™, Accent DR RF™, Anthem RF™, Allure RF™, Allure Quadra RF™, and Quadra Allure MP RF™.

Every pacemaker manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device and those devices will not need to be updated. Based on Abbott's consultation with U.S. Food and Drug Administration (FDA), this update is being treated as a field action; however, the devices continue to function as intended and replacement of implanted pacemaker devices is not recommended.

How likely is it that someone could gain unauthorized access to my device?
We have received no reports of unauthorized access to any patient’s implanted pacemaker. According to the advisory issued by the U.S. Department of Homeland Security, compromising the security of these devices would require a highly complex set of circumstances. ^[1]

Does this mean I should have my pacemaker removed?
No, preventative replacement is not necessary or recommended. Your pacemaker remains fully effective for providing pacing, as designed.

Should I continue to use my home monitor?
Yes, you should continue to use your Merlin@home™ device as it allows your physician to more frequently receive, assess, and monitor your device’s function.

What are the risks associated with the Getting the pacemaker firmware update?
We are anticipating the update will occur as planned. However, as with any firmware update, there is a very low rate of malfunction resulting from the update. We encourage you to discuss the risks and benefits of receiving the update with your doctor.

What you need to do if you decide to get a firmware update

Please read this patient guide to learn more about the pacemaker firmware update, Abbott’s cybersecurity protocols, and protections that are already in place for our devices.
As always, you should discuss the risks and benefits of any medical procedure with your doctor.
If you have any further questions about the pacemaker firmware update, please contact our dedicated hotline at 1-800-722-3774 (U.S.).

Additional Resources

For additional information on Abbott’s cybersecurity protocols, and protections that are already in place for our devices, please read our commitment to cybersecurity.

Patient Guide FAQ: New Pacemaker Firmware Update - August 2017 (69kb)

[1] Refer to the ICS‐CERT Communication ICSMA‐17‐241‐01 Abbott Laboratories Accent/Anthem Accent MRI Assurity/Allure and Assurity MRI Pacemaker Vulnerabilities

January 9, 2017 cybersecurity release update

As part of our commitment to continuous improvement, on January 9, 2017, St. Jude Medical announced that it is now deploying the latest release of cybersecurity updates for its Merlin remote monitoring system that is used with implantable pacemakers and defibrillator devices. We collaborated with the U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security’s ICS-CERT unit on these updates. The improvements include security updates that complement the company’s existing security measures and further reduce the extremely low cybersecurity risks.

About the Improvements
We released the latest software update to Merlin@home™ on January 9, 2017, and have continued to make available new pacemaker firmware as of August 29, 2017. The update includes additional validation and verification between Merlin@home™ devices and Merlin.net.

What Patients Should Do
As is always recommended, patients should make sure that their Merlin@home™ unit is plugged in and connected via landline, cellular adapter, or Ethernet/Wi-Fi so they can receive these and any future security updates. Patients do not need to do anything else to enable their Merlin@home™ units to receive updates. They should continue with existing use of Merlin@home™ devices as instructed by their physicians. Patients with any questions should reach out to their physicians. They can also call the Merlin hotline at +1-877-MY-MERLIN (+1-877-696-3754).

Benefits of Remote Monitoring
Remote monitoring ensures important device information is available to healthcare providers quickly so physicians can consider adjustments to medications or recommend other clinical intervention. Multiple studies continue to prove the positive impact of remote monitoring. In fact, remote monitoring has become the recommended standard of care over the past decade.

Our Commitment
At St. Jude Medical, the safety and security of patients is always our primary focus. St. Jude Medical has taken, and will continue to take, appropriate steps to ensure the continued safety, security and effectiveness of its devices. The company will continue to work with our Cyber Security Medical Advisory Board, FDA, DHS ICS-CERT, security researchers, physicians and others in the industry in a coordinated way to develop best practices and standards that further enhance the security of devices across the medical industry.

Learn more about our commitment to product and patient safety.

Additional Resources

Merlin@home™ System Patient Fact Sheet - St. Jude Medical January 9 Cybersecurity Release Update (97kb)

Getting the Most Out of Remote Monitoring