What can medical device firms learn from a pacemaker recall?
On Monday, August 28, Abbott Laboratories announced a voluntary recall of pacemakers so the devices could undergo a firmware update. Impacting about 465,000 units, the recall demonstrates how pressing cybersecurity issues have become in medical product development. Keeping devices operating safely and protecting patient information are essential concerns for all healthcare providers and life sciences companies.
As the recall demonstrates, many firms are recognizing the serious danger presented by improperly secured devices and are taking action. Manufacturers must balance innovations in areas like human factors engineering with cautious attention to safeguarding against hacks. By prioritizing cybersecurity, makers of medical products are strategizing for the future of healthcare.
Catching potential issues early
The Abbott recall involved the Accent, Accent MRI, Accent ST, Allure, Anthem and Assurity pacemaker models, which were acquired by the firm in its merger with St. Jude Medical in January 2017. According to the Regulatory Affairs Professionals Society, this is the second time the company has provided a cybersecurity update for the devices included in that deal. Immediately after the acquisition took place, Abbott released an update for Merlin@home devices, which send patient data from implantable pacemakers and defibrillators to healthcare providers.
The reason behind the latest recall was a vulnerability that could allow an attacker to alter the device's pacing or cause the battery to run out more quickly. With the new firmware, the pacemakers will have limitations on wireless commands and will not receive unencrypted transmissions. All new devices produced as of late August included the new firmware.
Patients with the older devices were advised to consult with their doctors about whether they should visit to have the firmware update installed. Undergoing the change would not require physical removal of the pacemaker, but only a brief procedure. The process was expected to take about three minutes, with the pacemakers continuing to run in backup mode.
Modern Healthcare noted that Abbott's actions in addressing the problem were representative of a larger shift in the medical device industry. Privacy and cybersecurity consultant Mac McMillan commented on the need to adjust operations to meet the challenges of an increasingly connected world.
"If device makers didn't already have developers sitting around looking at cybersecurity, they now have to incur the costs of making sure their devices stay current," he said. "In the past, they've developed devices and put them on the market and moved onto the next device. This is a new thing for them."
FDA calls for improvements in cybersecurity
The move toward increased attention to cybersecurity is in line with guidance from the U.S. Food and Drug Administration. In December 2016, the agency issued a document calling for manufacturers to address vulnerabilities for a device's entire lifecycle, from the product development process through ongoing maintenance. The guidelines provided a framework for manufacturers to consider when the risks warrant reporting to the FDA and when updates could be considered routine enhancements.
Representatives from the agency have met with manufacturers to discuss how to move forward with products that are safe from unauthorized intrusions. Dr. Suzanne Schwartz, the associate director for science and strategic partnerships at the FDA Center for Devices and Radiological Health, attended September's Healthcare Security Forum in Boston. As reported by Healthcare IT News, she emphasized the importance of collaboration between private firms and regulators in catching threats and addressing them proactively.
"Many vulnerabilities are identified later on, during the use of the device," Schwartz said. "The key is to have a process in place to share that information."
Innovating with an eye to safety
Healthcare professionals and patients rely on medical products to function correctly and ward off any dangers. As it becomes more common for devices to share data and send commands through wireless connections, it will only grow more important for medical product manufacturers to take cybersecurity into consideration. Even in cases like Abbott's pacemakers, where there were no known attacks and exploiting the vulnerability would require a high level of skill, it's vital to minimize risks.
Future medical product design and development will make cybersecurity a primary concern. Firms committed to staying on the cutting edge of innovation must focus on consistently building powerful protections into devices, stopping hacks before they happen.