The U.S. Food and Drug Administration has issued a Class I Recall on certain cardiac devices manufactured by St. Jude Medical Inc. The recall, reported on by CSO, addresses battery issues and potential cybersecurity vulnerabilities in certain implantable cardioverter defibrillators.
Implantable cardioverter defibrillators (ICDs) are implanted in patients who have irregular heart rhythm and are at risk for cardiac arrest. The device, which is implanted in the chest area, monitors patient heartbeats and sends electrical pulses to the heart when it detects irregularities. If the patient goes into cardiac arrest, the device can also deliver a powerful shock to restore heart rhythm.
Many ICDs on the market are manufactured by St. Jude Medical Inc. (now Abbott). The devices run on lithium batteries and are designed to last several years without replacement. In 2016, the FDA became aware that certain ICDs manufactured by St. Jude/Abbott between January 2010 and May 2015 were experiencing battery issues. The batteries in devices manufactured during these years have the potential to develop lithium deposits that can cause the batteries to short circuit and deplete. Patients with affected batteries might experience full power depletion in as little as 24 hours.
Since first becoming aware of the battery issues, the FDA has approved and initiated several steps to try to protect patients, the newest of which took place on April 17. In addition, the FDA has become involved with fixes to cybersecurity risks in St. Jude cardiac devices.
FDA’s Corrective Action Addresses Two Device Concerns
On April 17, 2018, the FDA released a “corrective action” related to St. Jude ICDs and St. Jude Cardiac Resynchronization Therapy Defibrillators (CRT-Ds), electrical devices that synchronize beating in both chambers of the heart. The FDA stated that its corrective action was designed to operate as a recall addressing two issues related to St. Jude/Abbott ICDs and CRT-Ds: (1) battery performance and (2) cybersecurity issues.
In many recalls, patients or consumers discard, remove, or discontinue use of the affected products. However, it is considered more dangerous for cardiac patients to have their defibrillators removed. Instead, patients with affected devices will visit their physicians to have updates installed on their devices that address the two issues covered in the recall. The manufacturer created this update, called a “firmware update,” and it can be installed in approximately three minutes in a physician’s office.
ICD and CRT-D Battery Performance Update
Patients with St. Jude ICDs or CRT-Ds manufactured between January 2010 and May 2015 will need to receive the firmware update to address battery performance. The only way to completely address the batteries themselves is removal and replacement of the devices. That procedure is not recommended prophylactically, however, so the FDA and manufacturer have worked to release a system that will better notify patients if their devices’ batteries are depleting.
The firmware update installs a Battery Performance Alert developed by Abbott. This alert involves notification to both patients and their physicians when batteries start to drain. Patients will receive a vibratory alert, meaning they will feel a distinct vibration from the device if their batteries are depleting. Patients who feel the vibration alert then need to schedule an appointment with their physicians as soon as possible.
Devices affected by this part of the FDA’s corrective action include (all from years 2010 to 2015):
- Fortify
- Fortify Assura
- Quadra Assura
- Quadra Assura MP
- Unify
- Unify Assura
- Unify Quadra
Abbott’s Battery Performance Alert expands on an alert it released in August 2017 to address depletion issues. This alert was automatically installed on patients’ home monitoring systems (called “Merlin@home”) and alerted their physicians if any irregularities were detected in battery performance. Physicians who received alerts could then contact their patients to schedule appointments.
ICD and CRT-D Cybersecurity Update
St. Jude ICDs and CRT-Ds are radio frequency enabled, which allows data from the devices to be read by patients and physicians and then transmitted to physicians’ offices. Each device contains a computer system that logs and transmits data so that patients can monitor their devices at home and physicians can receive important information about their patients’ device function.
However, review of the wireless systems in and connected to the devices confirmed certain vulnerabilities to cyberattacks. Because of these vulnerabilities, unauthorized users (non-physician hackers) could access patients’ devices and manipulate them in ways that could affect patient safety. Unauthorized users could trigger rapid battery depletion (not associated with lithium deposits) or send inappropriate pulsing to patients’ devices. They could also interfere with information collected or sent to physicians.
The firmware update addresses these issues by installing heightened security features to protect patients from cyber threats. Abbott believes these updates close off security vulnerabilities that could be exploited through the patients’ wireless radio frequency communications. The ICD and CRT-D devices to which the cybersecurity update applies include (all radio frequency enabled):
- Fortify
- Fortify Assura
- Quadra Assura
- Quadra Assura MP
- Unify
- Unify Assura
- Unify Quadra
- Promote Quadra
- Ellipse
This security firmware update expands upon a software security patch released by Abbott in January 2017. This patch addressed security issues with the Merlin@home system and applied to all St. Jude implantable cardiac devices, not just ICDs and CRT-Ds. Abbott automatically downloaded the patch onto Merlin@home Transmitters to prevent cyber threats targeted at the data stored, read, and transmitted through the system.
Of note, Abbott and the FDA have not identified any known cyberattacks on the Merlin@home system or on individual cardiac devices. The updates are designed to protect patients from known vulnerabilities that could be used to inappropriately interfere with the systems and devices.
Installation of Firmware Updates to Occur in Physician Offices
The firmware update to install the Battery Performance Alert and the security features must take place inside a physician’s office. The FDA recommends that all patients with affected devices make appointments with their physicians as soon as possible to install the updates.
The update process will take approximately three minutes, during which patients’ devices will be placed in “backup VVI mode.” The backup mode provides for pacing of 67 beats per minute and disables high-voltage therapy. Some patients have reported discomfort while in backup mode. The FDA and Abbott indicate that there is some risk that the update will fail, but the physician can return the device to its previous firmware and seek assistance from a Technical Services representative to complete the update.
Some devices, including those in the Current and Promote brand lines, cannot be updated. Technology limitations make these devices incapable of accepting the update. Current and Promote devices were not affected by the battery depletion issues, however, and patients with these devices can contact their physicians to discuss the possibility of disabling wireless radio frequency communication on their devices. The FDA does not recommend disabling wireless communication for most patients.
Free St. Jude Defibrillator Claim Review
Parker Waichman LLP is investigating and litigating cases against St. Jude/Abbott related to battery and security issues with its cardiac devices. If you have experienced an issue with your St. Jude ICD or CRT-D, contact our offices to discuss your potential case with an experienced medical device attorney. You can reach us 24 hours a day by calling 1-800-YOURLAWYER (1-800-968-7529) today or by filling out our online form.

