Elsevier BV

01/21/2022 | Press release | Archived content

Without appropriate technical updates, patients are at risk of inappropriate shocks from their defibrillators

Fewer than 25% of patients with certain Abbott pacemakers or defibrillators have updated device firmware that guards against potential cyberattacks, increasing the likelihood of inappropriate shocks and potentially worsening heart failure, doctors report in Heart Rhythm Case Reports.

Philadelphia, January 20, 2022

A case study of a patient who experienced inappropriate shocks from her defibrillator is presented in Heart Rhythm Case Reports, an official journal of the Heart Rhythm Society, published by Elsevier. This event likely took place because an FDA-recommended firmware update to strengthen cybersecurity had not occurred. This underscores the importance of upgrading firmware of Abbott devices according to FDA recommendations.

The patient, with an Abbott Fortify Assura™ implantable cardioverter-defibrillator (ICD) with a Merlin@home™ radiofrequency communicator, presented to the emergency department after receiving two shocks from her ICD without preceding symptoms. She had a history of atrial fibrillation with rapid ventricular response.

The patient was enrolled in at-home remote monitoring for her device and had frequent in-person device checks; however, the patient's device had outdated ICD firmware.

In August 2016, Muddy Waters LLC, an investment firm that conducts investigative research on public companies, released a report claiming that certain St. Jude Medical/Abbott cardiovascular implantable electronic devices (CIEDs) were vulnerable to cyberattack through the Merlin@home™ radiofrequency remote monitoring system, which allows care teams to review medical and technical information about the patient and the device without an in-person visit. Senior investigator Vineet Kumar, MD, FHRS, Division of Cardiac Electrophysiology, Inova Heart and Vascular Institute, Falls Church, VA, USA, explained, "Cyberattack of CIEDs could affect patients' confidentiality, interrupt remote monitoring, and even harm patients by changing device settings or promoting early battery depletion."

Consequently, St. Jude Medical/Abbott released a software patch for the radiofrequency communicator, which was successfully programmed remotely into nearly 100% of actively used Merlin@home™ radiofrequency communicators. The company later released firmware updates to strengthen cybersecurity performance in the devices themselves. This requires an in-person visit to the healthcare provider, but it takes only three minutes to complete and is rarely associated with complications. Still, the firmware has only been updated in 24% of eligible devices. Because no harm is known to have been caused by a CIED cyberattack, the firmware update may not have been prioritized for many patients. Additionally, reports have emerged showing that the firmware update may cause irreversible device malfunction with an incidence of 0.003%.

When the patient arrived at the emergency department, she was asymptomatic, and her vital signs were normal. Device interrogation demonstrated the ICD programming had reverted to backup mode, and thus no electrocardiograms were recorded during her shocks. Her device had several radiofrequency connection/disconnection events with the Merlin@home™ system over a short period of time. This was detected as a potential cyberattack and the device entered backup mode to avoid cybersecurity vulnerabilities due to event queue overload (EQO). In backup mode, the device is automatically reprogrammed to treat any heart rhythm with a rate over 146 beats per minute (BPM) with a shock. Based on the patient's history of atrial fibrillation with rates over 150 BPM, inappropriate treatment of atrial fibrillation with rapid ventricular response is the most likely cause of her ICD shocks.

EQO events occur most frequently in the setting of an updated Merlin@home™ software patch being used with outdated ICD firmware. This combination is currently in use in almost 75% of affected Abbott ICDs.

Device interrogation in the emergency department showed that the patient's defibrillator was in VVI backup mode with base rate of 67 beats per minute and ventricular fibrillation detection rate of 146 beats per minute (Credit: Heart Rhythm Case Reports).

The patient's ICD was reprogrammed to the original settings, the cybersecurity firmware was upgraded, and she was released from the emergency department.

"Physicians and their patients with affected Abbott devices now have another reason to consider updating their device firmware," said co-investigator Brett Atwater, MD, Director of Electrophysiology at Inova Heart and Vascular Institute in Falls Church, VA, USA. "While this is the first reported case, based on the reported frequencies of EQO events and the frequency of outdated firmware still in use in affected devices, other patients may experience similar events. This case highlights the importance of following FDA recommendations to update CIED firmware to protect not only against a cyberattack, but potentially even more importantly, to avoid unnecessary right ventricular pacing and ICD shocks."

The investigators recommend that the possibility of an inappropriate shock and/or unnecessary right ventricular pacing be incorporated into patient discussions about the risks and benefits of firmware update, to better assist shared decision making.

---

Notes for editors
The article is "Radiofrequency remote monitor software patch update without cybersecurity implantable cardioverter-defibrillator firmware update increases the risk of inappropriate implantable cardioverter-defibrillator therapies," by Xiaoxiao Qian, MD, Courtney J. Channels, NP, Stephen A. Gaeta, MD, PhD, FHRS, Marc H. Wish, MD, FHRS, Brewer Matthews, BS, Brett D. Atwater, MD, FHRS, and Vineet Kumar, MD, FHRS (https://doi.org/10.1016/j.hrcr.2021.12.016). It appears online in advance of Heart Rhythm Case Reports, volume 8, issue 2 (February 2022), published by Elsevier.

The article is openly available at https://www.heartrhythmcasereports.com/article/S2214-0271(21)00254-2/fulltext.

For additional information contact Jane Grochowski at +1 406 542 8397 or [email protected]. Journalists who wish to interview the case report authors should contact Xiaoxiao Qian, MD, at [email protected] or Vineet Kumar, MD, FHRS, at [email protected].

About Heart Rhythm Case Reports
Heart Rhythm Case Reports is an official Journal of the Heart Rhythm Society. It is an open access companion journal to the respected Heart Rhythm. It provides rapid online electronic publication of the most important current case reports, illustrations, and educational vignettes in the field of cardiac arrhythmias and electrophysiology. The Journal publishes case reports and series devoted to the diagnosis and treatment of heart rhythm disorders, as well as the electrophysiology of the heart and blood vessels. All articles are peer-reviewed. www.heartrhythmcasereports.com

About the Heart Rhythm Society
The Heart Rhythm Society is the international leader in science, education, and advocacy for cardiac arrhythmia professionals and patients, and the primary information resource on heart rhythm disorders. Its mission is to improve the care of patients by promoting research, education, and optimal healthcare policies and standards. The Heart Rhythm Society is the preeminent professional group representing more than 6,500 specialists in cardiac pacing and electrophysiology from more than 70 countries. www.HRSonline.org

About Elsevier
As a global leader in information and analytics, Elsevier helps researchers and healthcare professionals advance science and improve health outcomes for the benefit of society. We do this by facilitating insights and critical decision-making for customers across the global research and health ecosystems.

In everything we publish, we uphold the highest standards of quality and integrity. We bring that same rigor to our information analytics solutions for researchers, health professionals, institutions and funders.

Elsevier employs 8,100 people worldwide. We have supported the work of our research and health partners for more than 140 years. Growing from our roots in publishing, we offer knowledge and valuable analytics that help our users make breakthroughs and drive societal progress. Digital solutions such as ScienceDirect, Scopus, SciVal, ClinicalKey and Sherpath support strategic research management, R&D performance, clinical decision support, and health education. Researchers and healthcare professionals rely on our 2,500+ digitized journals, including The Lancet and Cell; our 40,000 eBook titles; and our iconic reference works, such as Gray's Anatomy. With the Elsevier Foundation and our external Inclusion & Diversity Advisory Board, we work in partnership with diverse stakeholders to advance inclusion and diversity in science, research and healthcare in developing countries and around the world.

Elsevier is part of RELX, a global provider of information-based analytics and decision tools for professional and business customers. www.elsevier.com.