FDA warns Abbott on heart device battery, cybersecurity issues

April 14, 2017
by Thomas Dworetzky, Contributing Reporter
The FDA has issued a new warning letter to St. Jude Medical focusing on problems involving batteries in its implantable defibrillators and the potential hacking vulnerability of its in-home monitoring gear.

“We have reviewed your response and conclude that it is not adequate,” the FDA said in its letter.

Spokesman Jonathon Hamilton of Abbott Laboratories, which acquired St. Jude in January, responded to the Star Tribune in Minneapolis about these concerns, stating, “We take these matters seriously, continue to make progress on our corrective actions, will closely review FDA's warning letter, and are committed to fully addressing FDA's concerns.”

The $25 billion acquisition deal added medical devices, diagnostics, nutritionals and branded generic pharmaceuticals to Abbott's roster of products.

"We continue to deliberately shape our business for long-term success by securing leadership positions in attractive markets and focusing on customer needs," said Abbott's chairman and CEO, Miles D. White, in a statement. He noted that adding St. Jude “creates one of the broadest medical device portfolios in the world.”

Overall, analysts appear to think the problems should not impact the company significantly.

The Chicago Tribune reported that Stifel analyst Rick Wise wrote that the letter might cause “lingering concern” but that the issues are “fixable and resolvable given Abbott's considerable manufacturing expertise and some time.”

Over at Morningstar, analyst Debbie Wang did note that it could complicate future FDA approvals. For example, Abbott is in the process of getting an MR-safe implantable defibrillator okayed.

“That could be held hostage by the FDA until the company has sufficiently addressed all these concerns,” Wang said, according to the paper.

Spokesman Hamilton stated that there is an evaluation underway to see “how this may impact anticipated product approvals” from the facility that is the subject of the agency letter.

On the battery problems, which the Star Tribune reported affected older versions of its Fortify, Unify and Assura defibrillators, agency inspectors wrote, “FDA reviewed 42 of your firm’s Product Analysis Reports, produced between 2011 and 2014. These reports showed, in instances when your supplier’s analysis provided evidence that lithium cluster bridging had prematurely drained the battery, your firm repeatedly concluded that the cause of premature depletion of Greatbatch QHR2850 batteries ‘could not be determined.’ Your firm later categorized these as ‘unconfirmed’ lithium bridges.”

The batteries could short and the device could fail without setting off the low-battery alarm, the paper noted.

This characterization led the company to a “Corrective Action and Preventive Action (CAPA) Procedure” that treated the events much differently than it would have had they been confirmed. “Basing your firm’s risk evaluation on ‘confirmed’ cases and not considering the potential for ‘unconfirmed’ cases to have been shorts, your firm underestimated the occurrence of the hazardous situation,” the FDA letter noted.

This situation continued even after a patient death in 2014. “Your firm completed its returned device analysis, related to this death, on August 27, 2014. The analysis concluded the cause of premature battery depletion ‘could not be determined’ despite evidence of lithium bridges, provided by your supplier,” stated the FDA.

The FDA thus noted that the “unconfirmed” classification “resulted in significant underestimations of the probability of occurrence of the hazardous situation.”

Beyond that, “seven patients were implanted with defibrillators after St. Jude recalled more than 400,000 of the devices,” noted the Star Tribune.

The FDA also weighed in on the Merlin@home cybersecurity issue in the letter.

Cybersecurity concerns were first raised by investment firm Muddy Waters Capital, which went public and then shorted the stock. St. Jude sued the investment company for defamation.

“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” said Michael T. Rousseau, president and chief executive officer at St. Jude Medical. “We believe this lawsuit is critical to the entire medical device ecosystem — from our patients who have our life-saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme.”

The letter noted that after third-party reports of security flaws in the system, “your firm failed to accurately incorporate the findings of a third-party assessment you commissioned, dated April 2, 2014, into your firm’s updated cybersecurity risk assessments for your high voltage and peripheral devices. This included dealing with the ‘hard-coded universal unlock code as an exploitable hazard for your firm’s High Voltage devices’,” which that assessment had identified.

“Your firm identified the hard-coded universal unlock code as a risk control measure for emergent communication. However, you failed to identify this risk control also as a hazard. Therefore, you failed to properly estimate and evaluate the risk associated with the hard-coded universal lock code in the design of your High Voltage devices,” noted the FDA.

The company's written response to these FDA findings was rejected by the agency, according to the Star Tribune. The company must now outline to the FDA the measures it will take to correct the issues with the devices.

In January, St. Jude Medical announced that its implantable cardiac devices were getting software fixes.

Calling the risk of such an exploit “extremely low,” St. Jude Medical stated at the time that, “in recognition of the changing cyber security landscape and the increased public attention on highly unlikely medical device cyber risks, we are informing the public about these ongoing actions so that patients can continue to be confident about the benefits of remote monitoring.”

The company took the step preemptively, Ann Barron DiCamillo, an advisor on St. Jude Medical’s Cyber Security Medical Advisory Board, said in a statement.

“We’ve partnered with agencies such as the U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit, and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.