The U.S. Food and Drug Administration (FDA) has issued a warning about cybersecurity vulnerabilities in certain Abbott Laboratories (formerly St. Jude Medical) implantable cardiac devices. An attacker who exploits the vulnerabilities can alter how a device functions. The affected devices are certain implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds), including the Current, Ellipse, Fortify, Promote, Quadra and Unify product families. No vulnerabilities were identified in pacemakers or cardiac resynchronization therapy pacemakers (CRT-Ps).
An attacker can exploit the vulnerabilities with commercially available equipment by sending commands to the device over its radio frequency (RF) telemetry, but must be in close proximity to the device to do so. If an attacker alters the device's function, the possible consequences are:
- delivery of inappropriate pacing or shocks
- premature depletion of the battery
- harm to the patient
Abbott Laboratories has addressed the vulnerabilities with a firmware update. The FDA reviewed the update and confirmed that it mitigates the vulnerabilities and reduces the potential risk of harm to an acceptable level. Once the update is installed, any device that wants to connect to the ICD or CRT-D and change its settings must first authenticate.
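The mitigation described above, an RF command channel that executes anything it receives versus one that demands authentication before changing therapy, modelled as an added Python example. This is illustrative code written for this page, not Abbott's firmware or protocol: the command names, frame layout, HMAC-SHA256 challenge-response, pre-shared key and single-use nonce are all assumptions chosen to show the principle.

```python
import hashlib
import hmac
import os

# Constructed illustration only: the command names, frame layout and
# pre-shared key are assumptions, not Abbott's RF protocol.
THERAPY_COMMANDS = {"SET_PACING_RATE", "DELIVER_SHOCK"}


def mac(key: bytes, nonce: bytes, cmd: str, arg) -> bytes:
    """HMAC-SHA256 over the device's nonce and the exact command being authorised."""
    msg = nonce + b"|" + cmd.encode() + b"|" + str(arg if arg is not None else "").encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class ImplantBefore:
    """Pre-update model: any well-formed RF frame is executed as received."""

    def __init__(self):
        self.pacing_rate = 60
        self.shocks_delivered = 0

    def handle_rf(self, frame: dict) -> str:
        return self._apply(frame["cmd"], frame.get("arg"))

    def _apply(self, cmd: str, arg) -> str:
        if cmd == "READ_STATUS":
            return f"rate={self.pacing_rate} shocks={self.shocks_delivered}"
        if cmd == "SET_PACING_RATE":
            self.pacing_rate = int(arg)
            return "ok"
        if cmd == "DELIVER_SHOCK":
            self.shocks_delivered += 1
            return "ok"
        return "unknown command"


class ImplantAfter(ImplantBefore):
    """Post-update model: therapy-changing commands need a valid answer to a fresh challenge."""

    def __init__(self, key: bytes):
        super().__init__()
        self._key = key
        self._open_nonces = set()  # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._open_nonces.add(nonce)
        return nonce

    def handle_rf(self, frame: dict) -> str:
        cmd, arg = frame["cmd"], frame.get("arg")
        if cmd not in THERAPY_COMMANDS:
            return self._apply(cmd, arg)  # read-only telemetry stays open
        nonce, tag = frame.get("nonce"), frame.get("tag")
        if nonce not in self._open_nonces:
            return "rejected: no outstanding challenge"  # also catches replayed frames
        self._open_nonces.discard(nonce)  # single use, whether or not the tag verifies
        if tag is None or not hmac.compare_digest(mac(self._key, nonce, cmd, arg), tag):
            return "rejected: authentication failed"
        return self._apply(cmd, arg)


class Programmer:
    """Clinic programmer holding the shared key (key provisioning is out of scope here)."""

    def __init__(self, key: bytes):
        self._key = key

    def build_frame(self, implant: ImplantAfter, cmd: str, arg=None) -> dict:
        frame = {"cmd": cmd, "arg": arg}
        if cmd in THERAPY_COMMANDS:
            nonce = implant.challenge()
            frame.update(nonce=nonce, tag=mac(self._key, nonce, cmd, arg))
        return frame


def demo() -> dict:
    """Run an in-range attacker without the key, then the legitimate programmer, against both models."""
    key = os.urandom(32)
    old, new = ImplantBefore(), ImplantAfter(key)
    rogue = {"cmd": "DELIVER_SHOCK"}  # attacker in RF range, no key, no challenge
    results = {
        "old_rogue_shock": old.handle_rf(rogue),
        "new_rogue_shock": new.handle_rf(rogue),
        "new_rogue_read": new.handle_rf({"cmd": "READ_STATUS"}),
    }
    prog = Programmer(key)
    legit = prog.build_frame(new, "SET_PACING_RATE", 70)
    results["new_legit_set"] = new.handle_rf(legit)
    results["new_replay"] = new.handle_rf(legit)  # attacker replays the captured frame
    forged = {"cmd": "DELIVER_SHOCK", "nonce": new.challenge(), "tag": b"\x00" * 32}
    results["new_forged"] = new.handle_rf(forged)  # attacker obtains a challenge but guesses the tag
    results["old_shocks"], results["new_shocks"] = old.shocks_delivered, new.shocks_delivered
    results["new_rate"] = new.pacing_rate
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pre-update model delivers a shock to anyone who can transmit a frame; the post-update model still answers read-only status requests (so remote monitoring keeps working) but executes a therapy change only when the sender proves possession of the key against a nonce the implant itself generated, and burns that nonce on first use so a captured frame cannot be replayed. Nonce management and the read/write split are the parts practitioners most often get wrong when bolting authentication onto an existing command protocol.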
In a recent press release, Abbott Laboratories stated that no exploitation of the vulnerabilities has ever been reported and that the update is part of a planned series of updates to strengthen the devices' cybersecurity. Besides requiring authentication, the update also addresses an issue with the devices' lithium-ion batteries that can cause rapid depletion. This battery problem is unrelated to malicious actors: it is caused by lithium deposits that form inside the battery and create abnormal electrical connections. The update also adds a battery depletion alert; if rapid depletion is detected, the device advises the patient to see their physician immediately.
The firmware cannot be updated remotely, so patients must visit their provider to have their ICD or CRT-D updated. The update itself takes about 3 minutes. While it runs, the device operates in backup VVI mode, high-voltage therapy is temporarily disabled, and no pacing is delivered for 3 seconds.
The risk of a device malfunctioning during the firmware update is very low. In 0.62% of cases the update was not fully applied, but Technical Services can quickly resolve the issue, and a programmer update has been released to keep update errors to a minimum.
Not every device can take the update. For those that cannot, Abbott Laboratories offers an alternative: disabling the device's RF functionality with the Merlin programmer. This prevents exploitation of the vulnerabilities, but the device can then no longer send data to the doctor's office through the Merlin@home transmitter. The FDA does not recommend disabling RF functionality, since the patient then loses remote monitoring.