FDA threatens action against medical device-maker over poor cybersecurity

The Food and Drug Administration (FDA) is threatening action if Abbott Labs fails to address safety and security issues in certain medical devices.

The company recently purchased St. Jude Medical, which makes implanted cardiac devices that have been the subject of cybersecurity concerns.

A warning letter issued by the FDA gives Abbott Labs 15 days to submit a plan to address errors in the products' design that could allow hackers to tamper with the settings and drain the batteries of the devices.

The letter says Abbott Labs' answers to an earlier inquiry about security practices failed to include plans to address problems or evidence they were undertaking "corrections, corrective actions, and systemic corrective actions." 

Many of the cybersecurity concerns first came to light last summer when medical device security research firm MedSec submitted a report outlining a variety of alleged security flaws in St. Jude products to the investment firm Muddy Waters Research. Muddy Waters publicly announced those flaws after placing a large Wall Street bet that St. Jude's stock would plummet. 

Abbott completed its purchase of St. Jude in January, though the purchase was planned before Muddy Waters came forward and disclosed the cybersecurity flaws. Abbott is currently suing Muddy Waters over its short-selling tactic. 

Members of the security community have debated whether or not disclosing security vulnerabilities in this way with the purpose of impacting stock prices is ethical.

Traditionally, researchers quietly inform manufacturers of flaws found in devices as a free, public service, giving them a chance to mend the security gaps before announcing them in forums where hackers might take notice.

MedSec has argued that it contacted Muddy Waters rather than trust Abbott to make the repairs as a way of sending a message about the importance of fixing the mistakes.

Justine Bone, CEO of MedSec, said she viewed this as an extraordinary circumstance involving a manufacturer she did not believe would respond to a more traditional notification.

Even now, she said, the company has not mended the security problems her firm found last year, despite spending resources on a lawsuit. 

"We've been standing by for more than six months, waiting for remediation," she said. 

"The public was led to believe the problems had been fixed. They have not been fixed."

Bone notes that the warning letter slams St. Jude for being aware of problems with security and battery safety since 2014, when the company contracted a third-party audit of device security.

In the same year, according to the letter, problems with the battery, including one resulting in a death, were not shared with its medical advisory board. 

"Abbott either had its eyes wide open in buying these issues at St. Jude, or was negligent in its due diligence," said Carson Block, founder of Muddy Waters, of the FDA letter. "Time will tell which was the case."

In a written statement, Abbott emphasized that it was making every effort to comply with the FDA letter.

"At Abbott, patient safety comes first. We have a strong history and commitment to product safety and quality, as demonstrated by our operations across the company," the company wrote. 

"We take these matters seriously, continue to make progress on our corrective actions, will closely review FDA's warning letter, and are committed to fully addressing FDA's concerns," it later added.

- Updated at 11:35 a.m. on April 14.