In a strongly-worded letter last week, the federal Food and Drug Administration issued a warning to medical device company Abbott Laboratories regarding defective heart defibrillators and a medical monitoring device with potential vulnerabilities to hackers.
The issues are centered around three implantable defibrillators: the Fortify ICD, the Quadra Assura MPTM CRT-D, and the Unify CRT-D. In addition, the Merlin@HomeTM Transmitter, a heart monitor that sends information over the company’s Merlin.NetTM Patient Care Network was also the target of FDA concern. All of the devices in question are produced by St. Jude Medical, which was taken over by Minneapolis-based Abbott earlier this year.
According to the letter, the defibrillators, which won FDA approval in 2010, are subject to premature battery depletion. The FDA issued a warning last October, listing several models. These devices, which implanted under the skin with insulated wires leading to the heart muscle, are designed to regulate heart rate, providing shocks to the heart when needed.
They are powered by lithium batteries that were found to have a defect, causing the battery to drain within as little as 24 hours after implantation. So far, these have been responsible for at least two deaths and forty-seven adverse events. As of the time of that warning, nearly 350,000 of the affected devices had been sold around the world.
St. Jude Medical issued a recall for the affected devices shortly after the FDA warning was published.
In January, the FDA identified “cybersecurity vulnerabilities” with both the cardiac devices and the Merlin@Home Transmitter, which could leave them open to intrusions and exploits. This issue has become of increasing concern as modern medical devices are interconnected with health care networks and a range of devices over the World Wide Web.
Although no problems have been reported, there is a high potential that a hacker could alter the settings of an implanted heart monitor, thus putting a patient in jeopardy. Since then, St. Jude Medical has reported the development of a software patch to address the problem. However, the FDA says the company has failed to prove the effectiveness of this fix. In response to the FDA’s warning on the heart monitors, parent company Abbott Laboratories stated that they take patient safety seriously, and has defended its record.
Before its acquisition and merger with Abbott, St. Jude Medical likewise defended its products, even to the point of filing a defamation lawsuit against product critics. According to the Minneapolis Star Tribune, St. Jude Medical recalled the defibrillators on October 11 of last year, but that seven of them were given to patients in the two-week period that followed. Even though that was prior to its acquisition by Abbott Laboratories, the FDA’s concerns could hamstring the approval process for the company on new defibrillator products going forward if these concerns are not addressed to the agency’s satisfaction.