By Peter Loftus
A new software patch to fix a cybersecurity weakness in hundreds
of thousands of implanted heart devices has raised a dilemma among
doctors and patients: Is the fix worth the risk?
The software update that Abbott Laboratories released in late
August is supposed to reduce the risk that someone with malicious
intent could gain unauthorized remote access to a patient's
pacemaker. Abbott issued the update after outside security
researchers identified vulnerabilities in the devices.
But Abbott has said the update itself -- administered in a
doctor's office or hospital -- carries a slight risk of causing a
malfunction in the pacemakers, which are implanted in patients'
chests to correct abnormal heart rhythms.
The dilemma underscores the limits of technology as medical
devices increasingly are connected to the internet. The connections
help doctors remotely catch problems that might otherwise go
undetected -- such as irregular heart rhythm or dwindling battery
life -- but they theoretically can expose devices to hackers. And
yet, when companies offer fixes, the decision to adopt them isn't
easy.
There are no known reports of patients being harmed by hacking
of the pacemakers, according to the U.S. Food and Drug
Administration. A hacker would have to be within close proximity to
a person to gain unauthorized access, said Mike Kijewski, chief
executive of MedCrypt, a device-security firm.
Since Abbott released the software update, the FDA has received
at least 12 reports claiming malfunctions of pacemakers during the
updates, according to a review by The Wall Street Journal of the
agency's database of medical-device adverse events. Several of the
reports say the pacemaker went into backup-pacing mode during the
update, and in some cases the update wasn't successfully completed.
In backup mode, the pacemaker switches to a fixed default rhythm
rather than one customized for that patient.
None of the reports cited any serious harm to patients.
Abbott spokeswoman Candace Steele Flippin said the company
wasn't aware of any reports of patient harm from the updates. The
company designed the update so that pacemakers would temporarily
operate in backup-pacing mode, with life-sustaining features
remaining available, and revert to pre-update settings once it is
complete. She said Abbott is committed to keeping the devices
secure, and encourages patients to discuss the risks and benefits
with their doctors to decide if the update is appropriate.
Suzanne B. Schwartz, associate director for science and
strategic partnerships at the FDA, said in an interview the
cybersecurity vulnerabilities in the Abbott devices posed an
"unacceptable" risk, and the agency felt strongly that the company
make a fix available. She said the FDA isn't in a position to
mandate that patients get the updates, but she cautioned against
doctors assuming that the risk of hacking is so low that the update
isn't worth it.
The Abbott pacemakers in question are implanted in about
465,000 people in the U.S.
Some doctors and institutions, such as the cardiology department
at NewYork-Presbyterian/Weill Cornell Medical Center, aren't
recommending the Abbott software update. "It's not really a risk
we're willing to take at this point," said Bruce Lerman, chief of
cardiology at the hospital. "We don't feel the benefit at this
point necessarily outweighs the potential risk of uploading this
software."
Cybersecurity researchers have identified weaknesses in other
medical devices in recent years, including infusion pumps made by
Pfizer Inc.'s Hospira unit and insulin pumps from Johnson &
Johnson's Animas unit.
There were no known reports of these devices being hacked,
according to an arm of the Department of Homeland Security that
monitors cyberthreats.
In 2007, doctors disabled the wireless features of then-Vice
President Dick Cheney's implanted heart device to guard against an
attack by a hacker, according to "Heart," a book Mr. Cheney
co-wrote with his doctor.
Doctors are in a tough spot because most have less experience
assessing cybersecurity risks than traditional medical risks. "It's
really the first time this has come to a head, where there is this
need for doctors to start making this decision about whether they
should fix cyber-threats in something when it poses a safety risk
for patients," said Stephanie Domas, lead medical security engineer
with Battelle, a nonprofit research-and-development institute in
Columbus, Ohio.
Abbott declined to say how many patients have received the
cybersecurity update.
The update, designed to ward off hacking, was for a type of
software known as firmware. Abbott acquired the pacemakers with its
purchase of St. Jude Medical this year, and they include the brands
Anthem and Accent.
The FDA said in August that vulnerabilities in the pacemakers
could allow an unauthorized user to modify program commands, which
could hurt patients by causing rapid battery depletion or
inappropriate pacing.
The Abbott software update takes a few minutes. It involves a
doctor or technician placing a tethered wand over the site of the
pacemaker.
Abbott said the update can cause malfunctions including loss of
programmed device settings or complete loss of function in well
below 1% of patients. This could be serious for patients whose
underlying heart disorder is severe enough to require frequent
assistance from the pacemaker. Abbott said any "pacing dependent"
patients getting the update should be in a facility with backup
pacing equipment.
Steven L. Zweibel, director of electrophysiology at Hartford
Hospital in Hartford, Conn., said his hospital isn't recommending
the update, but would consider changing that advice if more
evidence emerged that the risk of hacking was greater.
"If there's a patient dependent on the device and it loses
functionality because of a firmware update, you now take this
patient who was doing just fine, who had a one-in-a-billion chance
of having their device hacked, now you've done some harm to them,"
Dr. Zweibel said.
Some doctors who don't think the software update is necessary
say they're avoiding bringing it up with patients. John Mandrola, a
cardiac electrophysiologist in Louisville, Ky., said he would
discuss the update only if patients ask about it. One patient
called recently to do so, and was OK with his recommendation
against the update, he said.
John Lando, a retired communications worker in Deer Park, N.Y.,
has one of the Abbott pacemakers and got the software update.
Mr. Lando said he thinks the risk that his pacemaker would be
targeted by a hacker is low. Still, he said, "I'd rather be safe
than sorry, and I don't worry about patches and all that, so I
said, 'Do it.'" It was over in minutes, and his device didn't
malfunction.
Write to Peter Loftus at peter.loftus@wsj.com
(END) Dow Jones Newswires
October 20, 2017 05:44 ET (09:44 GMT)
Copyright (c) 2017 Dow Jones & Company, Inc.