FDA Sends Warning Letter to Abbott Labs About Cyber FlawsAgency Says Manufacturer Must Fix Cardiac Device Problems
The Food and Drug Administration has sent a letter to Abbott, warning the medical device maker that it must submit a plan within 15 days to address previously identified cybersecurity vulnerabilities and other potential safety issues in certain cardiac devices of St. Jude Medical, which Abbott Labs acquired in January.
The April 12 letter notes that during an FDA inspection that took place Feb. 7 to Feb. 17 at former St. Jude Medical facilities located in Sylmar, Calf., the company failed "to establish and maintain procedures for implementing corrective and preventive actions" for a variety of issues related to device batteries and cybersecurity vulnerabilities that potentially pose safety risks.
In a statement to Information Security Media Group, the FDA explains that the warning letter notes several violations of FDA regulations, including the failure to maintain and implement proper procedures related to product design and correcting and preventing device problems. The warning letter also notes that Abbott distributed a small number of devices that were under recall, FDA tells ISMG.
"The violations outlined in this warning letter are serious. The FDA will continue to work with Abbott to make certain they adequately address violations cited in the warning letter," the FDA tells ISMG.
The agency says all of the violations in the Abbott warning letter are related to issues that FDA has previously publicly communicated to the healthcare sector, including:
- The FDA's Oct. 11, 2016 safety communication regarding premature battery depletion in Abbott's Implantable Cardioverter Defibrillator and Cardiac Resynchronization Therapy Defibrillator devices. The company voluntarily recalled the devices on Oct. 11, 2016.
- The FDA's Jan. 6, 2017 safety communication regarding cybersecurity vulnerabilities in St. Jude Medical's implantable cardiac devices and Merlin@Home Transmitters (see Two Agencies Issue Alerts on St. Jude Medical Cardiac Devices).
"The FDA will continue to work with Abbott to make certain they adequately address violations cited in the warning letter," the FDA tells ISMG. "Patients and healthcare professionals should continue to follow the recommendations outlined in the FDA's safety communications."
In a statement to ISMG, Abbott says: "At Abbott, patient safety comes first. We have a strong history and commitment to product safety and quality, as demonstrated by our operations across the company."
Abbott notes that it acquired St. Jude Medical in January 2017. "the FDA inspection of the Sylmar facility, formerly run by St. Jude Medical, began on Feb. 7; and we responded to the 483 observations on March 13, describing the corrective actions we are implementing. We take these matters seriously, continue to make progress on our corrective actions, will closely review FDA's warning letter, and are committed to fully addressing FDA's concerns."
The FDA's letter to Abbott notes that during its February inspection, among other activities, the agency reviewed 42 of the St. Jude medical product analysis reports produced between 2011 and 2014. "These reports showed in instances when your supplier's analysis provided evidence that lithium cluster bridging had prematurely drained the battery."
Among problems cited by FDA, the letter notes that St Jude Medical may have failed in addressing issues related to the batteries, as well as to fully address cybersecurity vulnerabilities that were part of findings by a third-party research report released in August 2016.
That report was issued by short sell investment firm Muddy Waters Capital based on findings by MedSec Holdings, a security research firm that reportedly has a financial arrangement with Muddy Waters .
Among the cybersecurity findings Muddy Waters/MedSec cited in its report was a "man-in-the-middle" vulnerability in St. Jude Medical's Merlin@home transmitter.
While the Muddy Waters/MedSec report highlighted important cybersecurity issues concerning the St. Jude medical devices, the controversial manner in which the research was released - by an investment company - and its financial arrangement with "ethical hacker" MedSec, which found the vulnerabilities, drew criticism from the healthcare industry.
Typically, when independent researchers discover cybersecurity vulnerabilities in medical devices, they first notify federal agencies, including the FDA or the Department of Homeland Security, as well as the affected manufacturers before disclosing the flaws. But the FDA has confirmed that Muddy Waters did not notify the agency until after the firm publicly released its findings (see Report on Cardiac Device Cyber Vulnerabilities Fuels Debate).
The report claimed MedSec found "key vulnerabilities" in St. Jude Medical implantable pacemaker and defibrillator devices that can "apparently be exploited by low-level hackers."
In an April 13 statement to ISMG about the FDA's recent warning letter to Abbott concerning device cybersecurity vulnerabilities, Muddy Waters CEO Carson Block says, "Abbott either had its eyes wide open in buying these issues [from] St. Jude, or was negligent in its due diligence. Time will tell which was the case."
The FDA's letter to Abbott notes that during FDA's inspection of the former St. Jude Medical site, the agency found that "your firm did not confirm all required corrective and preventive actions were completed, including a full root cause investigation and the identification of actions to correct and prevent recurrence of potential cybersecurity vulnerabilities, as required by your Corrective Action and Preventive Action procedures."
Additionally, the FDA says Abbott "did not confirm that verification or validation activities for the corrective actions had been completed, to ensure the corrective actions were effective and did not adversely affect the finished device."
The FDA tells Abbott that it must notify FDA within 15 business days of the specific steps the company has taken "to correct the noted violations, as well as an explanation of how your firm plans to prevent these violations, or similar violations, from occurring again ...Your firm's response should be comprehensive and address all violations included in this warning letter."
The FDA adds that "failure to promptly correct these violations may result in regulatory action being initiated by the FDA without further notice. These actions include, but are not limited to, seizure, injunction, and civil money penalties."
As for the key lessons that other medical device makers should learn from Abbott situation, FDA tells ISMG: "Generally speaking, the FDA expects manufacturers to stay vigilant and constantly monitor cybersecurity throughout their device's total product lifecycle. This means manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then continuously monitor and address cybersecurity concerns once the device is on the market."