Channel: Pacemakers

FDA Seeks Management of Cybersecurity in Medical Devices

cybersecurity of ICDs, cyber security of medical devices

The FDA has concerns about the cybersecurity of implantable medical devices with wireless connections for patient monitoring or adjustments to how the device functions. Changing the function of an implantable cardioverter defibrillator (ICD) using wireless access to the device could present a major patient safety issue.

As wearable and implantable patient monitoring or therapy devices become more sophisticated with advanced wireless connectivity to extract patient information and change the device functionality, there are growing concerns these technologies will be targets of hackers. The U.S. Food and Drug Administration (FDA) believes this poses a threat to patient safety. The agency announced this week the availability of the guidance document entitled "Postmarket Management of Cybersecurity in Medical Devices."

The FDA is issuing this guidance to inform industry and FDA staff of the agency's recommendations for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The guidance clarifies FDA's postmarket recommendations with regard to addressing cybersecurity vulnerabilities and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the postmarket management of their medical devices.

The cybersecurity of cardiac implantable devices raised concerns with the Secret Service in the case of former Vice President Dick Cheney, who had one of these devices. The issue was also raised in 2016 by a medical device market research firm that published a report alleging these vulnerabilities exist in St. Jude Medical's implantable electrophysiology (EP) devices. Read the article "Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity."

Background on the FDA Cybersecurity Guidance 
On Feb. 19, 2013, the President issued Executive Order 13636 - Improving Critical Infrastructure Cybersecurity, which recognized that resilient infrastructure is essential to preserving national security, economic stability, and public health and safety in the United States. Executive Order 13636 states that cyber threats to national security are among the most serious and that stakeholders must enhance the cybersecurity and resilience of critical infrastructure. This includes the healthcare and public health critical infrastructure sector.

The FDA also said Presidential Policy Directive 21 - Critical Infrastructure Security and Resilience (PPD-21), issued on Feb. 13, 2013, tasks federal agencies to strengthen the security and resilience of critical infrastructure against physical and cyber threats such that these efforts reduce vulnerabilities, minimize consequences, and identify and disrupt threats. PPD-21 encourages all public and private stakeholders to share responsibility in achieving these outcomes.

In recognition of the shared responsibility for cybersecurity, the security industry has established resources including standards, guidelines, best practices and frameworks for stakeholders to adopt a culture of cybersecurity risk management. Best practices include collaboratively assessing cybersecurity intelligence information for risks to device functionality and clinical risk. FDA believes that, in alignment with Executive Order 13636 and PPD-21, public and private stakeholders should collaborate to leverage available resources and tools to establish a common understanding that assesses risks for identified vulnerabilities in medical devices among the information technology community, healthcare delivery organizations, the clinical user community, and the medical device community. These collaborations can lead to the consistent assessment and mitigation of cybersecurity threats, and their impact on medical device safety and effectiveness, ultimately reducing potential risk of patient harm.

Guidance Document Details
Part 806 (21 CFR part 806) requires device manufacturers or importers to report promptly to FDA certain actions concerning device corrections and removals. However, the majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits, referred to as "cybersecurity routine updates and patches," are generally considered to be a type of device enhancement for which the FDA does not require advance notification or reporting under part 806. 

For a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health, the FDA would require medical device manufacturers to notify the agency.

This guidance clarifies changes to devices to be considered cybersecurity routine updates and patches (e.g., certain actions to maintain a controlled risk to health). In addition, the guidance outlines circumstances in which FDA does not intend to enforce reporting requirements under part 806 for specific vulnerabilities with uncontrolled risk. Specifically, FDA does not intend to enforce the reporting requirements when circumstances outlined in the guidance are met within the predefined periods of time (e.g., communicate vulnerability to customers and user community and propose a timeline for remediation within 30 days after learning of the vulnerability; fix the vulnerability and validate the change within 60 days after learning of the vulnerability; actively participate in an Information Sharing Analysis Organization (ISAO)). The agency considers voluntary participation in an ISAO a critical component of a medical device manufacturer's comprehensive proactive approach to management of postmarket cybersecurity threats and vulnerabilities and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices.

Public Comments on the Guidance Document
The public can submit comments via the Federal eRulemaking Portal at www.regulations.gov. All comments will be made public.


FDA Confirms Cybersecurity Vulnerabilities of St. Jude’s Implantable Cardiac Devices, Merlin Transmitter

cybersecurity of ICDs, cyber security of medical devices, cybersecurity vulnerability of pacemakers, implantable cardioverter defibrillators

January 9, 2017 — The U.S. Food and Drug Administration (FDA) issued a safety communication today concerning patient safety issues due to cybersecurity vulnerabilities found in St. Jude Medical's radio frequency (RF)-enabled implantable cardiac devices and Merlin@home Transmitter. The FDA said it has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.

The FDA said there have been no reports of patient harm related to these cybersecurity vulnerabilities. St. Jude Medical said it is not aware of any cyber security incidents related to a St. Jude Medical device, nor is it aware that any specific St. Jude Medical device or system in clinical use has been purposely targeted. 

St. Jude Medical said it is now deploying the latest release of cyber security updates for its Merlin remote monitoring system that is used with implantable pacemakers and defibrillator devices. The improvements include security updates that complement the company’s existing measures and further reduce the extremely low cyber security risks. The company developed and validated a software patch for the Merlin@home Transmitter that addresses and reduces the risk of specific cybersecurity vulnerabilities. The patch, which will be available beginning Jan. 9, 2017, will be applied automatically to the Merlin@home Transmitter. Patients and patient caregivers only need to make sure their Merlin@home Transmitter remains plugged in and connected to the Merlin.net network to receive the patch. The FDA has reviewed St. Jude Medical's software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm. The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.

“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cybersecurity expert Ann Barron DiCamillo, former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board. “Today’s announcement is another demonstration that St. Jude Medical takes cybersecurity seriously and is continuously reassessing and updating its devices and systems, as appropriate.”

“We’ve partnered with agencies such as the U.S. Food and Drug Administration and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.

The FDA said it will continue to assess new information concerning the cybersecurity of St. Jude Medical's implantable cardiac devices and the Merlin@home Transmitter, and will keep the public informed if the FDA's recommendations change. The FDA reminds patients, patient caregivers and healthcare providers that any medical device connected to a communications network (e.g. Wi-Fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. The increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery. The FDA will continue its work with manufacturers and health care delivery organizations, as well as security researchers and other government agencies, to develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle. The FDA takes reports of vulnerabilities in medical devices very seriously and has issued recommendations to manufacturers for continued monitoring, reporting and remediation of medical device cybersecurity vulnerabilities.

The issue of St. Jude electrophysiology device cyber vulnerabilities was raised in 2016 by a medical device market research firm that published a report alleging these vulnerabilities existed specifically in St. Jude Medical's implantable electrophysiology (EP) devices. Read the article "Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity." St. Jude filed a lawsuit against the firm and said in statements the concerns the report raised were not valid or accurate. However, the FDA safety communication seems to contradict the company's defensive reaction and lend some validity to the market report.

“As medical technology advances, it’s increasingly important to understand how innovation and cybersecurity impact physicians and the patients we treat,” said Leslie Saxon, M.D., chair of St. Jude Medical’s Cyber Security Medical Advisory Board. “We are committed to working to proactively address cybersecurity risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function.”

St. Jude Medical was acquired by Abbott as of Jan. 4, 2017.

 

FDA Wants to Expand Review of Cybersecurity Issues With Medical Devices
The FDA warns that cybersecurity breaches are not limited to St. Jude devices. There are several other wireless systems that interface with implantable EP devices from Medtronic, Boston Scientific and Biotronik. The FDA said as wearable and implantable patient monitoring or therapy devices become more sophisticated with advanced wireless connectivity to extract patient information and change the device functionality, there are growing concerns these technologies will be targets of hackers. The U.S. Food and Drug Administration (FDA) believes this poses a threat to patient safety. The agency announced in December the availability of the guidance document entitled "Postmarket Management of Cybersecurity in Medical Devices."

The FDA issued this guidance to inform industry and FDA staff of the agency's recommendations for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The guidance clarifies FDA's postmarket recommendations with regard to addressing cybersecurity vulnerabilities and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the postmarket management of their medical devices.

Read the article “FDA Seeks Management of Cybersecurity in Medical Devices.”
 

Recommendations for Healthcare Providers
Continue to conduct in-office follow-up, per normal routine, with patients who have an implantable cardiac device that is monitored using the Merlin@home Transmitter.

Remind patients to keep their Merlin@home Transmitter connected as this will ensure that patients' devices receive the necessary patches and updates.

Contact St. Jude Medical's Merlin@home customer service at 1-877-My-Merlin, or visit www.sjm.com/Merlin for answers to questions and additional information regarding St. Jude Medical's implantable cardiac devices, or the Merlin@home Transmitter.

Recommendations for Patients and Caregivers
The FDA says to follow the labeling instructions provided with the Merlin@home Transmitter. Patients should keep the monitor connected as directed so the monitor receives necessary updates and patches. Keep in mind that although all connected medical devices, including this one, carry certain risks, the FDA has determined that the benefits to patients from continued use of the device outweigh any risks.

Patients should consult with their physician(s) for routine care and follow-up. Your ongoing medical management should be individualized based on your medical history and clinical condition.

Patients should seek immediate medical attention if symptoms of lightheadedness, dizziness, loss of consciousness, chest pain, or severe shortness of breath occur.

Healthcare professionals and patients are encouraged to report adverse events or side effects related to the use of these products to the FDA's MedWatch Safety Information and Adverse Event Reporting Program at www.fda.gov/MedWatch/report

For more information: www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm535979.htm

Medtronic Presents New Data on Micra Leadless Pacemaker at HRS 2016

Medtronic, Micra transcatheter pacing system, study data, HRS 2016

May 10, 2016 — Medtronic plc announced clinical results highlighting the strong safety and performance profile of the miniaturized Micra Transcatheter Pacing System (TPS) at Heart Rhythm 2016, the Heart Rhythm Society's 37th Annual Scientific Sessions, May 4-7 in San Francisco.

The Micra TPS is less than one-tenth the size of traditional pacemakers, and Medtronic claims it is the only leadless pacemaker approved for use in both the United States and Europe. Data presented at HRS further underscored the technology’s safety and performance profile. The data also confirmed Micra’s ability to accurately respond to patients’ activity levels by adjusting therapy using, for the first time, an accelerometer sensor positioned within the heart.

“Many patients with bradycardia require rate-responsive pacing so that their heart rates increase during exercise,” said Razali Omar, M.D., senior consultant cardiologist at the National Heart Institute in Kuala Lumpur, Malaysia. “Conventional pacemakers use various sensors outside the heart to detect patient activity, but even these sensors can have difficulty detecting moderate physical activity. As data presented today show, the Micra accurately responds to patients' activity levels by adjusting therapy when needed using a sensor within the heart.”

Using a miniaturized sensor to measure a patient's movement (also known as an accelerometer), the Micra TPS determines which pacing rates are appropriate based on patient activity levels. Medtronic said the technology is the first U.S. Food and Drug Administration (FDA)-approved cardiac device to position the sensor inside the heart and the only leadless pacemaker to offer the benefits of accelerometer-based sensing technology, the industry standard for traditional pacemaker systems.

Data presented at HRS assessed the rate response performance for approximately 20 patients with Micra TPS at three and six months post-implant procedure. In the study, patients underwent treadmill tests exercising to maximal exertion. The study found that appropriate rate-responsive pacing is achievable with an entirely intracardiac accelerometer-based pacing system.

Comparable in size to a large vitamin, the Micra TPS is attached to the heart with small tines and delivers electrical impulses that pace the heart through an electrode at the end of the device. Unlike traditional pacemakers, the Micra TPS does not require leads or a surgical "pocket" under the skin, so potential sources of complications related to such leads and pocket are eliminated, as are any visible signs of the device.

The Micra design incorporates a retrieval feature to enable retrieval when possible; however, the device is designed to be left in the body. For patients who need more than one device, the miniaturized Micra TPS was designed with a unique feature that enables it to be permanently turned off so it can remain in the body and a new device can be implanted without risk of electrical interaction.

Medtronic said Micra TPS is the first and only leadless pacing system to be approved for both 1.5 and 3 Tesla (T) full-body magnetic resonance imaging (MRI) scans, providing patients with access to the most advanced imaging diagnostic procedures available.

In November 2015, data from the Medtronic Micra TPS Global Clinical Trial were published in the New England Journal of Medicine and presented during a late-breaking Special Report at the American Heart Association Scientific Sessions. Data showed the Micra TPS was successfully implanted in 99.2 percent of patients, there were no (0) dislodgements, and the system met its safety and effectiveness endpoints with wide margins.

The Micra TPS was awarded CE Mark in April 2015 and FDA approval in April 2016.  It is intended for use in patients who need a single-chamber pacemaker. The device was designed to allow patients to be followed by their physicians and send data remotely via the Medtronic CareLink Network; remote monitoring of Micra devices is expected to be available later this year.

For more information: www.medtronic.com

Biotronik Launches CardioMessenger Smart Portable Device

Biotronik, CardioMessenger Smart, remote monitoring, ICD, pacemaker

June 1, 2016 — Biotronik announced the launch of CardioMessenger Smart in the United States. CardioMessenger Smart is a portable monitoring device, about the size of a modern smartphone, that keeps pacemaker, implantable cardioverter defibrillator (ICD) and insertable cardiac monitor (ICM) patients connected to their physician remotely, enabling more efficient care management anywhere in the world.

The device provides secure, fully automatic transmission of vital information from a patient’s cardiac implant to their physician via Biotronik Home Monitoring. This includes daily, automatic reports and fully customizable alerts that can be programmed to the physician’s specifications. As demonstrated by the TRUST, COMPAS and IN-TIME clinical studies, Home Monitoring can significantly reduce hospitalization, stroke and mortality. CardioMessenger Smart recently received U.S. Food and Drug Administration (FDA) approval.

“The clinical and economic benefits of remote monitoring have been well established over a decade of clinical studies,” stated Niraj Varma, M.D., in reference to the 2015 Heart Rhythm Society Expert Consensus Statement on remote monitoring. “But these benefits are only realized if patients consistently use the technology. When we make the remote monitoring process easy for patients, we increase the likelihood of patient adherence, which has been demonstrated to improve health outcomes.” Varma was lead investigator for the TRUST Trial, which laid the foundation for the guidelines, and co-chair of the HRS committee.

The portability of CardioMessenger Smart helps ensure patient compliance and the consistent transmission of data necessary for physicians to identify and prevent potential cardiac events. CardioMessenger Smart is fully automatic, providing daily reports of cardiac activity via worldwide cellular networks to physicians without intervention from the patient.

For more information: www.biotronik.com


Jersey Shore University Medical Center Implants State's First Micra Pacemaker

Medtronic, Micra TPS, transcatheter pacing system, pacemaker, Jersey Shore University Medical Center, New Jersey first

June 6, 2016 — Jersey Shore University Medical Center, part of Meridian CardioVascular Network, is the first hospital in New Jersey to implant the Micra Transcatheter Pacing System (TPS), which Medtronic calls the world’s smallest pacemaker. Micra TPS is a new type of heart device that treats patients with bradycardia, a common heart condition characterized by a slow or irregular heart rhythm.

The device gained U.S. Food and Drug Administration (FDA) approval in April 2016.

Procedures with the advanced pacing technology were performed at Jersey Shore by electrophysiologists Edmund Karam, M.D., and Mark Mascarenhas, M.D., to treat multiple patients with bradycardia. People with bradycardia usually experience fewer than 60 beats per minute. At this rate, the heart is unable to pump enough oxygen-rich blood to the body during normal activity or exercise, causing dizziness, fatigue, shortness of breath or fainting spells. Pacemakers are the most common way to treat bradycardia to help restore the heart's normal rhythm and relieve symptoms by sending electrical impulses to the heart to increase the heart rate.

At one-tenth the size of a traditional pacemaker, Micra TPS is the only leadless pacemaker approved for use in the United States, according to St. Jude. The minimally-invasive procedure takes less than an hour and, unlike traditional pacemakers, is not visible.

Comparable in size to a large vitamin, the device does not require cardiac wires (leads) or a surgical “pocket” under the skin to deliver a pacing therapy. Instead, the device is small enough to be delivered through a catheter and implanted directly into the heart with small tines, providing a safe alternative to conventional pacemakers. It also automatically adjusts pacing therapy based on a patient’s activity levels. For patients who need more than one heart device, the device has a unique feature that enables it to be permanently turned off so it can remain in the body and a new device can be implanted without risk of electrical interaction.

“Our electrophysiology lab at Jersey Shore is at the forefront of providing the most innovative care for the treatment of heart arrhythmias and related conditions. That we are the first hospital in the state to implant the world’s smallest pacemaker since gaining FDA approval reflects our commitment to providing the community with the latest cardiovascular breakthroughs,” said Richard M. Neibart, M.D., medical director of Meridian CardioVascular Network.

For more information: www.medtronic.com

New Data Further Demonstrate Safety Benefits for Medtronic’s Micra Pacemaker

Medtronic, Micra TPS pacemaker, Global Clinical Trial, Cardiostim 2016

June 9, 2016 — Medtronic plc announced new results from the Medtronic Micra Transcatheter Pacing System (TPS) Global Clinical Trial in a late-breaking trial session at CardioStim/EHRA EUROPACE 2016, the World Congress in Electrophysiology and Cardiac Techniques, in Nice, France.

The new follow-up data on patients enrolled in the pre-market Micra TPS Global Clinical Trial underscore the safety benefits of the Micra TPS, with only 3.7 percent of patients (27 of 726; Kaplan-Meier estimate) experiencing a major complication, and no patients (0) experiencing a device dislodgement at 7.7 months of follow-up.

The results showed that at 7.7 months, the risk for major complications with Micra is significantly lower — 52 percent — than the risk associated with conventional pacing systems (hazard ratio: 0.48; 95 percent CI, 0.32 to 0.72; P<0.001). In addition, the risk for major complications was lower for the Micra TPS relative to conventional systems across all patient sub-groups, whether measured by age, sex or comorbidity (all hazard ratios < 1.0).

"Clinicians are extremely pleased that the evidence continues to demonstrate the strong safety profile of the Micra for all patient groups," said Gabor Duray, M.D., head of clinical electrophysiology and pacing, State Health Center, Budapest, Hungary. "These data provide the largest sample and the longest follow-up reported for this technology to date. We look forward to further evaluating this minimally invasive, leadless option in patients across the world."

The Micra TPS is less than one-tenth the size of traditional pacemakers and the only leadless pacemaker approved for use in both the United States and Europe. It is attached to the heart with small tines and delivers electrical impulses that pace the heart through an electrode at the end of the device. Unlike traditional pacemakers, the Micra TPS does not require leads or a surgical "pocket" under the skin, so potential sources of complications related to such leads and pocket are eliminated, as are any visible signs of the device.

At 7.7 months, Micra TPS continued to provide low and stable pacing thresholds, yielding projected average longevity for the device of more than 12 years based on device use conditions through six months on 590 patients. This longevity rate is similar to conventional pacing systems (references Hauser, et al Heart Rhythm 2007 and Senaratne, et al PACE 2006).

In November 2015, preliminary results from the Medtronic Micra TPS Global Clinical Trial were published in the New England Journal of Medicine and presented during a late-breaking Special Report at the American Heart Association Scientific Sessions. Data showed the Micra TPS was successfully implanted in 99.2 percent of patients and the system met its safety and effectiveness endpoints with wide margins. Data from beyond six months, presented at Cardiostim 2016, reinforced these results with no (0) dislodgments and no (0) systemic infections. These low complication rates were achieved despite the inclusion of high-risk patients in the study worldwide, including patients with chronic obstructive pulmonary disease (COPD).

Micra's design incorporates a retrieval feature to enable retrieval when possible; however, the device is designed to be left in the body. For patients who need more than one device, the miniaturized Micra TPS was designed with a feature that enables it to be permanently turned off so it can remain in the body and a new device can be implanted without risk of electrical interaction.

The device was awarded CE Mark in April 2015 and U.S. Food and Drug Administration (FDA) approval in April 2016. It is intended for use in patients who need a single-chamber pacemaker. According to Medtronic, Micra is the first and only leadless pacing system to be approved for both 1.5 and 3 Tesla (T) full-body magnetic resonance imaging (MRI) scans, providing patients with access to the most advanced imaging diagnostic procedures available. The device was designed to allow patients to be followed by their physicians and send data remotely via the Medtronic CareLink Network; remote monitoring of Micra devices is expected to be available later this year.

For more information: www.medtronic.com

Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity

Merlin, Merlin@home, SJM, St. Jude Medical Merlin, cybersecurity

St. Jude Medical said recent claims of the cyber attack vulnerability of its Merlin@home remote monitoring system and its implantable EP devices are not true.

August 29, 2016 — Investment research firm Muddy Waters Capital released a report Aug. 25 saying it believes St. Jude Medical (SJM) will lose up to half of its revenue due to what it calls issues with its electrophysiology (EP) devices, including pacemakers, implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy (CRT) devices. The research firm said these SJM devices, making up nearly 46 percent of SJM’s revenue, pose a public health risk and might be recalled or need remediation, including the cyber attack vulnerability of the device technology. SJM responded Aug. 29, calling the report false and misleading.

“SJM’s pacemakers, ICDs and CRTs might – and in our view, should – be recalled and remediated,” the Muddy Waters report stated. “Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients. We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices.”

The firm reported a “crash” attack that causes cardiac devices to malfunction – including by apparently pacing at a potentially dangerous rate. It claimed a second reported incident was a battery drain attack that could be particularly harmful to device-dependent users. The report claims SJM cardiac devices can be attacked within a roughly 50-foot radius. It also theorizes that attacks can be executed on a large scale against patients using the thousands of remote Merlin home monitoring devices STJ has distributed.

“We have examined the allegations made by Capital and MedSec on Aug. 25, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading,” SJM said in its Aug. 29 statement. “Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”

SJM said remote monitoring is a safe and effective means for patients to communicate with their physician, and that it has been well documented in leading publications that remote monitoring saves lives. Similar remote monitoring technologies also are offered by SJM’s competitors Biotronik, Boston Scientific, Medtronic and the Sorin Group. The company said it works with third-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for its data and devices as part of its product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for products. SJM also said it conducts regular risk assessments based on U.S. Food and Drug Administration (FDA) guidance and performs penetration tests using internal and external experts.

“Our system provides an automated remote upgrade process for all Merlin@home units that are in active use so that security enhancements are automatically deployed when they become available,” SJM said. “Merlin@home units that are not in active use and connected to the internet will also be upgraded when they return to use if a new update is available. Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes.”

 

Claims of Remote Battery Depletion are Misleading

The Muddy Waters report claimed that the battery could be depleted at a 50-foot range. SJM said this is not possible since once the device is implanted into a patient, wireless communication has an approximate 7-foot range. “This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report,” SJM said. The company said the scenario described in the report would require hundreds of hours of continuous and sustained “pings” within this distance, meaning a patient would need to remain immobile for days on end and the hacker would need to be within 7 feet of the patient. In the unlikely event that this were to occur, SJM said its implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients.

 

Safeguards in Place to Mitigate Crash Attacks

SJM said its devices are designed to go into a life-sustaining “safe” mode, as a safeguard, if unexpected conditions are detected. These safeguards will put the device into safe mode where the preprogrammed pacing and defibrillation functions of the implantable medical devices revert to safe settings. In addition, some SJM devices are designed to disable further RF communications for a period of time, which may appear to the untrained eye as having rendered the device disabled, although it continues to function.

SJM explained its devices also have built-in measures to reduce the risk of unauthorized commands being issued to its implantable devices. In addition, the company has an ongoing focus to continually strengthen its security systems in the ever-changing cybersecurity environment. For example:

• Access controls help protect the Merlin@home™ operating system from unauthorized access
• The lack of built-in programming commands in Merlin@home helps ensure that therapy is provided through the implanted device only at the direction of the physician
• Proprietary implantable medical device protocols protect communications with the implantable device
• Encryption of session authentication between the implantable medical device and Merlin@home further enhances device security
• The limited Medical Implant Communication Services (MICS) wireless range restricts accessibility of communications with the implantable device

 

Flawed Test Methodology on Updated Software

The report claimed that the system could be impaired, similar to when a computer system “crashes.” SJM points out the report has little detail on this simulation and includes many inconsistencies. The company said a screenshot in the report of the Merlin programmer shows a device that is functioning normally. The red items on the screen are highlighting the fact that there are no leads connected to the device. The device is pacing properly, at the programmed 40 bpm. The screenshot shows expected behavior from the SecureSense algorithm when the device is pacing without any connected leads, SJM said.

 

SJM Says it is Vigilant

SJM reiterated its software has been evaluated by several independent organizations and researchers, including Deloitte and Optiv. In addition, Merlin.net was Safe Harbor certified by St. Jude Internal Audit in 2013 and annually since then. This includes an annual audit of key security controls within the Merlin.net environment and Merlin.net has received ISO 27001 certification since 2009. The company said this includes an internal audit of security controls and an independent certification by a third party, BSI. In 2015, it successfully completed an upgrade to the ISO 27001:2013 certification.

“Muddy Waters also makes numerous unsubstantiated statements that are speculative with no evidence shown to prove the claims such as an ability to impersonate any SJM device, reverse engineering to create a pocket-size programmer, and a large-scale attack through the Merlin network,” SJM stated. “However, we are not aware of such threats and will remain vigilant to the ever-increasing sophistication of those seeking access to devices/data and address any issues based on additional detail provided.”

The vendor said the report is unnecessarily alarming patients.

The Muddy Waters report can be found at www.muddywatersresearch.com/research/stj/mw-is-short-stj/

For more information on SJM: sjm.com

One-Year Results for Micra TPS Pacemaker Trial Presented at ESC 2016

Medtronic, Micra TPS pacemaker, transcatheter pacing system, global clinical trial, one-year results, ESC 2016

August 29, 2016 — Medtronic plc announced new long-term results from the Medtronic Micra Transcatheter Pacing System (TPS) Global Clinical Trial in a late-breaking session at the 2016 European Society of Cardiology (ESC) Congress. The meeting runs from Aug. 27-31 in Rome.

The Micra TPS is less than one-tenth the size of traditional pacemakers and is the only leadless pacemaker approved for use in both the United States and Europe. Data presented at ESC showed that the risk for major complications with the Micra TPS remained consistently low, with 96 percent of patients experiencing no major complications through 12 months follow-up (95 percent CI, 94.2 percent-97.2 percent, P<0.0001). The Micra TPS reduced the risk of major complications by nearly half (48 percent; hazard ratio = 0.52, P=0.001) compared to conventional systems and the risk was lower across all patient sub-groups, whether measured by age, sex or comorbidity (all hazard ratios < 1.0).

The overall reduction in major complications with the Micra TPS was associated with a 47 percent decrease (p=0.017) in the risk of hospitalization and 82 percent (p<0.001) reduction in risk of system revisions (meaning extraction, repositioning or replacement) compared to conventional pacing systems. These reductions were largely due to the elimination of complications such as pneumothoraces (air between the lungs and chest wall), the absence of Micra dislodgements and device infections.

"The Micra TPS has consistently demonstrated strong effectiveness and safety benefits in patients with diverse comorbidities," said Philippe Ritter, M.D., principal investigator of the Micra TPS Global Clinical Trial and cardiologist at University Hospital of Bordeaux in France. "All pre-specified safety and efficacy objectives from the trial were met, with consistent findings from early performance, six- and 12-month data."

Micra battery projections continue to perform in line with conventional pacemaker systems. Based on 644 patients with 12-month device use conditions available, Micra yielded a projected average longevity of more than 12 years.

In November 2015, preliminary results from the Medtronic Micra TPS Global Clinical Trial were published in the New England Journal of Medicine, which showed the device was successfully implanted in 99.2 percent of patients, and that the system met its safety and effectiveness endpoints with wide margins. The 12-month data presented at ESC continues to reinforce these results, demonstrating consistent and sustained results from early performance through 12-month follow-up.

The device is comparable in size to a large vitamin, yet delivers advanced pacing technology to patients via a minimally invasive approach. During the implant procedure, it is attached to the heart with small tines and delivers electrical impulses that pace the heart through an electrode at the end of the device.

Unlike traditional pacemakers, the Micra TPS does not require leads or a surgical "pocket" under the skin, so potential sources of complications related to such leads and pocket are eliminated — as are any visible signs of the device.

The Micra design also incorporates a retrieval feature to enable retrieval when possible; however, the device is designed to be left in the body. For patients who need more than one device, the miniaturized Micra TPS was designed with a unique feature that enables it to be permanently turned off so it can remain in the body and a new device can be implanted without risk of electrical interaction.

The Micra TPS was awarded CE Mark in April 2015 and U.S. Food and Drug Administration approval in April 2016. It is intended for use in patients who need a single-chamber pacemaker. The Micra TPS is the first and only leadless pacing system, according to Medtronic, to be approved for both 1.5 and 3 Tesla (T) full-body magnetic resonance imaging (MRI) scans, providing patients with access to the most advanced imaging diagnostic procedures available. The device was designed to allow patients to be followed by their physicians and send data remotely via the Medtronic CareLink Network. Remote monitoring of Micra devices is available in Europe and expected to be available in the United States later this year.

For more information: www.medtronic.com

Implantable Device Improved Central Sleep Apnea, Reduces Heart Failure Complications

Respicardia, Remede, pacemaker for sleep apnea, central sleep apnea treatment

The Respicardia Remede System is a pacemaker-like implantable device designed to improve cardiovascular health by restoring natural breathing during sleep in patients with central sleep apnea.

September 2, 2016 — Results from an international, randomized study show that an implanted nerve stimulator significantly improves symptoms in those with central sleep apnea (CSA), without causing serious side effects. William Abraham, M.D., co-lead author and director of the Division of Cardiovascular Medicine at The Ohio State University Wexner Medical Center, presented findings from the study at the recent European Society of Cardiology (ESC) congress in Rome. The study is published today by The Lancet.

Unlike the more common obstructive sleep apnea, in which the airway partially collapses and causes pauses in breathing, CSA occurs when the brain fails to control breathing during sleep. “CSA is a serious concern because it affects about a third of people with heart failure and it’s known to make the condition worse,” Abraham said. “Currently, we don’t have good treatments available. Positive airway pressure devices have been used, but many patients don’t tolerate them well and a recent study showed them to be harmful.”

The study used the Respicardia Remede System, which is a pacemaker-like device designed to improve cardiovascular health by restoring natural breathing during sleep in patients with central sleep apnea.

Watch a video on how the technology works and review a patient case.

Abraham, along with lead author Maria Rosa Costanzo, M.D., at Advocate Heart Institute in Naperville, Ill., led the study at 31 hospitals in the United States, Germany and Poland. The research team tested the safety and effectiveness of a transvenous phrenic nerve stimulator made by Respicardia Inc. Much like a pacemaker, it sends a regular signal telling the diaphragm to breathe during sleep.

In the randomized study, 151 patients were implanted with the device. Ten were excluded due to non-study related medical issues or deaths, exiting the study or missing visits. During the first six months of evaluation, 68 devices were activated for treatment, while 73 were left inactive as the control group. Between six and 12 months of follow-up, all patients received the neurostimulation treatment.

At the six-month evaluation, the device reduced CSA events per hour by half or more for 35 of the 68 members (51 percent) of the treatment group. Only eight (11 percent) of those in the control group achieved the same reduction. Other important sleep measures, such as the amount of time spent with a low blood oxygen level, were also significantly improved. About a third of patients in the treatment group reported therapy-related discomfort that was resolved with some reprogramming of the device.

“Not only did we see this reduction in events per hour, the patients also rated themselves better on the Epworth Sleepiness Scale (meaning they were less sleepy during the day) and on a global assessment of their overall quality of life,” Abraham said. “This tells us the effects of neurostimulation are clinically relevant and this could be a promising therapy for those with central sleep apnea.”

In addition to Abraham, Ohio State’s doctors Rami Khayat and Ralph Augostini participated in this research, making Ohio State one of the high enrolling centers participating in the study worldwide.

The study was funded by Respicardia. Abraham is a consultant for the company.

For more information: www.thelancet.com/journals/lancet/article/PIIS0140-6736(16)30961-8/fulltext

 

Reference: 

Maria Rosa Costanzo, Piotr Ponikowski, Shahrokh Javaheri, et al. “Transvenous neurostimulation for central sleep apnoea: a randomised controlled trial.” The Lancet. Volume 388, No. 10048, p974–982, 3 September 2016. http://dx.doi.org/10.1016/S0140-6736(16)30961-8

Implantable Device Improves Sleep Apnea in Heart Failure Patients


The Respicardia Remede System is a pacemaker-like implantable device designed to improve cardiovascular health by restoring natural breathing during sleep in patients with central sleep apnea. In this video from The Ohio State University, William Abraham, M.D., director of the Division of Cardiovascular Medicine at The Ohio State University Wexner Medical Center, explains how the technology works and highlights one patient case involved in a recent study of the device.

St. Jude Brings Legal Action Against Market Research Firm for Report Bashing its EP Device Cybersecurity

EP device cyber security, SJM, St. Jude Medical

September 7, 2016 — St. Jude Medical Inc. (SJM) has filed a lawsuit against Muddy Waters Consulting LLC, Muddy Waters Capital LLC, MedSec Holdings Ltd., MedSec LLC and three individual defendants who are principals in these firms, for false statements, false advertising, conspiracy and the related manipulation of the public markets. This is in regards to a market report these firms released in August that claimed SJM’s implantable electrophysiology (EP) cardiac rhythm management devices were not secure against cyber attack and present a danger to patient safety. With this court action, SJM said it seeks to hold these firms and individuals accountable for what the company calls false and misleading tactics. The company also said it wants to set the record straight about the security of its devices and to help cardiac patients and their doctors make informed medical decisions.

The investment research firm Muddy Waters Capital released a report Aug. 25 saying it believed SJM would lose up to half of its revenue due to what it calls issues with its EP devices, including pacemakers, implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy (CRT) devices. The firm claimed these devices pose a public health risk and might be recalled or need remediation because of their vulnerability to cyber attack. SJM responded Aug. 29, calling the report false and misleading.

Read the article “Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity.”

“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” said Michael T. Rousseau, president and chief executive officer at St. Jude Medical. He said SJM has processes in place to encourage anyone with information about the security of its technology to share it with the company so it can be resolved. “We believe this lawsuit is critical to the entire medical device ecosystem — from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme.”

The lawsuit filed Sept. 7 alleges that Muddy Waters, MedSec and the other defendants intentionally disseminated false and misleading information in order to lower the value of SJM stock and to wrongfully profit from a drop in share value through a short-selling scheme. The company’s complaint claims the defendants served their own financial self-interest by attempting to mislead doctors and patients and demonstrated a total disregard for the patients whose lives depend on their cardiac management devices. The complaint also cites a third-party assessment of the Muddy Waters Report by University of Michigan researchers who found that “the evidence does not support their conclusions… [the University of Michigan researchers] were able to generate the reported conditions without there being a security issue.” In addition, an electrophysiologist and cardiologist from the University of Michigan also stated that “given the significant benefits from home monitoring, patients should continue to use their prescribed cardiac devices” at this time.

“We recognize that the cybersecurity landscape is dynamic, which is why we partner with researchers, agencies, consultants and others to continually strengthen our security measures currently in place,” said Phil Ebeling, SJM vice president and chief technology officer. “We also have processes in place to encourage anyone with information about the security of our technology to share it with us so that we can enhance our technology for the benefit of patients.”

SJM said its devices and systems have multiple features to reduce the risk of cyber security attacks and that it works with the U.S. Food and Drug Administration, the Department of Homeland Security and independent researchers to continually strengthen its security systems.

"Our top priority is to reassure patients, caregivers and physicians who use our life-saving devices that we are committed to the security of our products and to ensure patients and their doctors maintain ongoing access to the proven clinical benefits of remote monitoring," said Mark Carlson, SJM vice president and chief medical officer. "We decided to take this action because of the irresponsible manner in which these groups have acted."

The lawsuit was filed in the United States District Court for the District of Minnesota. This case follows St. Jude Medical's recent statements that refuted claims by Muddy Waters and MedSec regarding the safety and security of its pacemakers and defibrillators.

For more information: sjm.com 


Getting a Pacemaker Soon After Heart Valve Replacement Linked with Worse Outcomes

transcatheter aortic valve replacement, pacemakers, implantation, post-TAVR implantation, worse outcomes, study

November 9, 2016 — Patients who undergo minimally invasive heart valve replacement, known as transcatheter aortic valve replacement (TAVR), sometimes develop heart rhythm problems that necessitate placement of a permanent pacemaker. However, when a pacemaker is needed soon after TAVR, patients often have worse outcomes than those who did not need a pacemaker, according to a study published recently in JACC: Cardiovascular Interventions. The study shows that the risks are both short- and long-term and include lengthier hospital and intensive care unit stays as well as a greater risk of death.

“While pacemakers can and do help save lives, what our study shows is that when they are placed within a month post-TAVR, they may be associated with worsened outcomes as compared to those who did not need pacemakers,” said the study’s lead researcher, Opeyemi Fadahunsi, MBBS, MPH, a cardiology fellow at Dalhousie University in Halifax, Nova Scotia. At the time the study was conducted, Fadahunsi served at Reading Health System in West Reading, Pa. 

TAVR is a relatively new, minimally invasive surgical procedure that repairs the aortic heart valve without needing to remove the old valve. Often a patient spends less time recovering and avoids some of the risks associated with open-heart valve replacement. It is typically recommended for patients who are not able to undergo a traditional open-heart procedure — many times, these are people in their 80s or 90s who have other medical conditions that make an open-heart surgery a less preferred option.

Using data from the STS/ACC TVT Registry, researchers analyzed patients undergoing TAVR in the United States at 229 sites between November 2011 and September 2014 to see how permanent pacemaker implantation after having TAVR affected them.

Of the 9,785 study participants, 651 needed a permanent pacemaker within 30 days of the TAVR procedure. Those who needed a permanent pacemaker had a slightly longer hospital stay as well as longer reported hours in the intensive care unit. They also had an increased risk of death from any cause at one year. In addition, they found that the combination of death from any cause or heart failure hospitalizations was increased at one year.

“While TAVR is a great advance in medical care, cardiologists need to better understand both how to prevent patients from developing heart rhythm problems and why patients who need pacemakers in the setting of recent TAVR have worsened outcomes,” Fadahunsi said. “We found in our study that the need for a pacemaker was more common in certain valve types and larger-sized valves, in those undergoing the procedure at an older age, and those who were sicker.”

In an accompanying editorial, Marina Urena, M.D., Ph.D., and Josep Rodés-Cabau, M.D., said the findings provide new insight into the conundrum of conduction abnormalities in TAVR. If confirmed, these results urge engineers, device manufacturers and physicians to work even harder to find ways to reduce the rate of permanent pacemaker placement after TAVR.

For more information: www.jacc.org

FDA Seeks Management of Cybersecurity in Medical Devices

cybersecurity of ICDs, cyber security of medical devices

The FDA has concerns about the cybersecurity of implantable medical devices with wireless connections for patient monitoring or adjustments to how the device functions. Changing the function of an implantable cardioverter defibrillator (ICD) using wireless access to the device could present a major patient safety issue.

As wearable and implantable patient monitoring or therapy devices become more sophisticated with advanced wireless connectivity to extract patient information and change the device functionality, there are growing concerns these technologies will be targets of hackers. The U.S. Food and Drug Administration (FDA) believes this poses a threat to patient safety. The agency announced this week the availability of the guidance document entitled "Postmarket Management of Cybersecurity in Medical Devices."

The FDA is issuing this guidance to inform industry and FDA staff of the agency's recommendations for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The guidance clarifies FDA's postmarket recommendations with regard to addressing cybersecurity vulnerabilities and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the postmarket management of their medical devices.

The cybersecurity of cardiac implantable devices raised concerns with the Secret Service in the case of former vice president Dick Cheney, who had one of these devices. The issue was also raised in 2016 by a medical device market research firm that published a report alleging these vulnerabilities exist in St. Jude Medical's implantable electrophysiology (EP) devices. Read the article "Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity."

Background on the FDA Cybersecurity Guidance 
On Feb. 19, 2013, the President issued Executive Order 13636 - Improving Critical Infrastructure Cybersecurity, which recognized that resilient infrastructure is essential to preserving national security, economic stability, and public health and safety in the United States. Executive Order 13636 states that cyber threats to national security are among the most serious and that stakeholders must enhance the cybersecurity and resilience of critical infrastructure. This includes the healthcare and public health critical infrastructure sector.

The FDA also said Presidential Policy Directive 21 - Critical Infrastructure Security and Resilience (PPD-21), issued on Feb. 13, 2013, tasks federal agencies to strengthen the security and resilience of critical infrastructure against physical and cyber threats such that these efforts reduce vulnerabilities, minimize consequences, and identify and disrupt threats. PPD-21 encourages all public and private stakeholders to share responsibility in achieving these outcomes.

In recognition of the shared responsibility for cybersecurity, the security industry has established resources including standards, guidelines, best practices and frameworks for stakeholders to adopt a culture of cybersecurity risk management. Best practices include collaboratively assessing cybersecurity intelligence information for risks to device functionality and clinical risk. FDA believes that, in alignment with Executive Order 13636 and PPD-21, public and private stakeholders should collaborate to leverage available resources and tools to establish a common understanding that assesses risks for identified vulnerabilities in medical devices among the information technology community, healthcare delivery organizations, the clinical user community, and the medical device community. These collaborations can lead to the consistent assessment and mitigation of cybersecurity threats, and their impact on medical device safety and effectiveness, ultimately reducing potential risk of patient harm.

Guidance Document Details
Part 806 (21 CFR part 806) requires device manufacturers or importers to report promptly to FDA certain actions concerning device corrections and removals. However, the majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits, referred to as "cybersecurity routine updates and patches," are generally considered to be a type of device enhancement for which the FDA does not require advance notification or reporting under part 806. 

For a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health, the FDA would require medical device manufacturers to notify the agency.

This guidance clarifies changes to devices to be considered cybersecurity routine updates and patches (e.g., certain actions to maintain a controlled risk to health). In addition, the guidance outlines circumstances in which FDA does not intend to enforce reporting requirements under part 806 for specific vulnerabilities with uncontrolled risk. Specifically, FDA does not intend to enforce the reporting requirements when circumstances outlined in the guidance are met within the predefined periods of time (e.g., communicate vulnerability to customers and user community and propose a timeline for remediation within 30 days after learning of the vulnerability; fix the vulnerability and validate the change within 60 days after learning of the vulnerability; actively participate in an Information Sharing Analysis Organization (ISAO)). The agency considers voluntary participation in an ISAO a critical component of a medical device manufacturer's comprehensive proactive approach to management of postmarket cybersecurity threats and vulnerabilities and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices.

Public Comments on the Guidance Document
The public can submit comments via the Federal eRulemaking Portal at www.regulations.gov. All comments will be made public.

FDA Confirms Cybersecurity Vulnerabilities of St. Jude’s Implantable Cardiac Devices, Merlin Transmitter


January 9, 2017 — The U.S. Food and Drug Administration (FDA) issued a safety communication today concerning patient safety issues due to cybersecurity vulnerabilities found in St. Jude Medical's radio frequency (RF)-enabled implantable cardiac devices and Merlin@home Transmitter. The FDA said it has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.

The FDA said there have been no reports of patient harm related to these cybersecurity vulnerabilities. St. Jude Medical said it is not aware of any cyber security incidents related to a St. Jude Medical device, nor is it aware that any specific St. Jude Medical device or system in clinical use has been purposely targeted. 

St. Jude Medical said it is now deploying the latest release of cyber security updates for its Merlin remote monitoring system that is used with implantable pacemakers and defibrillator devices. The improvements include security updates that complement the company’s existing measures and further reduce the extremely low cyber security risks. The company developed and validated a software patch for the Merlin@home Transmitter that addresses and reduces the risk of specific cybersecurity vulnerabilities. The patch, which will be available beginning Jan. 9, 2017, will be applied automatically to the Merlin@home Transmitter. Patients and patient caregivers only need to make sure their Merlin@home Transmitter remains plugged in and connected to the Merlin.net network to receive the patch. The FDA has reviewed St. Jude Medical's software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm. The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.

“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cybersecurity expert Ann Barron DiCamillo, former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board. “Today’s announcement is another demonstration that St. Jude Medical takes cybersecurity seriously and is continuously reassessing and updating its devices and systems, as appropriate.”

“We’ve partnered with agencies such as the U.S. Food and Drug Administration and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.

The FDA said it will continue to assess new information concerning the cybersecurity of St. Jude Medical's implantable cardiac devices and the Merlin@home Transmitter, and will keep the public informed if the FDA's recommendations change. The FDA reminds patients, patient caregivers and healthcare providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. The increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery. The FDA will continue its work with manufacturers and health care delivery organizations, as well as security researchers and other government agencies, to develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle. The FDA takes reports of vulnerabilities in medical devices very seriously and has issued recommendations to manufacturers for continued monitoring, reporting and remediation of medical device cybersecurity vulnerabilities.

The issue of St. Jude electrophysiology device cyber vulnerabilities was raised in 2016 by a medical device market research firm that published a report alleging these vulnerabilities existed specifically in St. Jude Medical's implantable electrophysiology (EP) devices. Read the article "Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity." St. Jude filed a lawsuit against the firm and said in statements the concerns the report raised were not valid or accurate. However, the FDA safety communication seems to contradict the company's defensive reaction and lend some validity to the market report.

“As medical technology advances, it’s increasingly important to understand how innovation and cybersecurity impact physicians and the patients we treat,” said Leslie Saxon, M.D., chair of St. Jude Medical’s Cyber Security Medical Advisory Board. “We are committed to working to proactively address cybersecurity risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function.”

St. Jude Medical was acquired by Abbott as of Jan. 4, 2017.

 

FDA Wants to Expand Review of Cybersecurity Issues With Medical Devices
The FDA warns that cybersecurity breaches are not limited to St. Jude devices. There are several other wireless systems that interface with implantable EP devices from Medtronic, Boston Scientific and Biotronik. The FDA said as wearable and implantable patient monitoring or therapy devices become more sophisticated with advanced wireless connectivity to extract patient information and change the device functionality, there are growing concerns these technologies will be targets of hackers. The U.S. Food and Drug Administration (FDA) believes this poses a threat to patient safety. The agency announced in December the availability of the guidance document entitled "Postmarket Management of Cybersecurity in Medical Devices."

The FDA issued this guidance to inform industry and FDA staff of the agency's recommendations for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The guidance clarifies FDA's postmarket recommendations with regards to addressing cybersecurity vulnerabilities and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the postmarket management of their medical devices.

Read the article “FDA Seeks Management of Cybersecurity in Medical Devices.”
 

Recommendations for HealthCare Providers
Continue to conduct in-office follow-up, per normal routine, with patients who have an implantable cardiac device that is monitored using the Merlin@home Transmitter.

Remind patients to keep their Merlin@home Transmitter connected as this will ensure that patients' devices receive the necessary patches and updates.

Contact St. Jude Medical's Merlin@home customer service at 1-877-My-Merlin, or visit www.sjm.com/Merlin for answers to questions and additional information regarding St. Jude Medical's implantable cardiac devices, or the Merlin@home Transmitter.

Recommendations for Patients and Caregivers
The FDA says to follow the labeling instructions provided with the Merlin@home Transmitter. Patients should keep the monitor connected as directed so the monitor receives necessary updates and patches. Keep in mind that although all connected medical devices, including this one, carry certain risks, the FDA has determined that the benefits to patients from continued use of the device outweigh any risks.

Patients should consult with their physician(s) for routine care and follow-up. Your ongoing medical management should be individualized based on your medical history and clinical condition.

Patients should seek immediate medical attention if symptoms of lightheadedness, dizziness, loss of consciousness, chest pain, or severe shortness of breath occur.

Healthcare professionals and patients are encouraged to report adverse events or side effects related to the use of these products to the FDA's MedWatch Safety Information and Adverse Event Reporting Program at www.fda.gov/MedWatch/report

For more information: www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm535979.htm

Abbott Receives FDA Approval for MR-Conditional Labeling of Assurity Pacemaker


February 2, 2017 — Abbott announced U.S. Food and Drug Administration (FDA) approval for magnetic resonance (MR)-conditional labeling for both the Assurity MRI pacemaker and the Tendril MRI pacing lead. Patients implanted with these low-voltage devices will have the ability to undergo full body magnetic resonance imaging (MRI) scans, if required. With the approval, the Assurity MRI pacemaker is now the world's smallest, longest-lasting wireless MRI-compatible pacemaker, according to Abbott.

The Assurity MRI pacemaker was developed by St. Jude Medical, which was acquired by Abbott in early January of this year.

The Assurity MRI pacemaker also offers wireless remote monitoring, providing physicians secure access to their patients' diagnostic data and daily device measurements and reducing the need for in-office visits. Remote monitoring of cardiac patients has become a best practice over the past decade, and studies have continued to prove its positive impact on patient outcomes and the reduction of healthcare costs. In 2015, the Heart Rhythm Society made wireless remote monitoring the standard of care in its guidelines.

Pacemakers that allow patients to undergo MRI scans, such as the Assurity MRI pacemaker, have become an important advancement for patients who may need an MRI in the future but who do not want to risk damage to their implant. During an MRI scan, the Assurity MRI pacemaker works with Abbott's MRI Activator handheld device to trigger pre-programmed MRI settings appropriately tailored to individual patients. This technology can help eliminate the effort, time and patient inconvenience commonly associated with conventional pre- and post-scan pacemaker reprogramming.

"A long-lasting and small wireless pacemaker that allows patients to undergo MRI scans is an important step forward in growing our available treatment options for patients," said David Sandler, M.D., director of electrophysiology at the Oklahoma Heart Institute in Tulsa, Okla. "The ability to choose a device to best address a patient's cardiac condition no longer has a tradeoff with MRI compatibility. It's the best of both worlds."

For more information: www.sjm.com

ProMRI Configurator
