US Food and Drug Administration, FDA, St. Jude Medical Inc.

Washington, DCThe manufacturer of an implantable cardiac device recently caught in the crosshairs of a cybersecurity concern issued from the US Food and Drug Administration (FDA), continues to deal with reports of premature failure of ICD batteries. St. Jude Medical Inc. warned in early October that while the situation, in its estimation is rare, the early failure of batteries in their implanted defibrillators have caused two deaths.

One of those deaths was in the US.

Implantable cardioverter defibrillators (ICDs) run on batteries that carry a relatively long shelf life. When ICD batteries begin to show their age, the ICD emits a gentle vibratory alert letting the patient know it’s time to contact their healthcare provider and initiate arrangements to have the batteries replaced.

Under normal circumstances, that first alert is provided three months ahead of the point at which batteries could actually begin to fail, putting the patient at risk. Three months, with the batteries working optimally, represents sufficient time for patients and their caregivers to respond in adequate time.

However, it has since been determined that some ICD batteries have been found to have a buildup of lithium deposits, potentially causing a short that dramatically limits the advance warning time. In such cases, patients are not warned of a pending battery failure until 24 hours ahead of the point of absolute failure. In that time, it may be too little time to contact caregivers and healthcare providers, and to make arrangements for battery replacement before the ICD batteries fail outright.

Of 841 ICDs returned for analysis, 46 presented with visible clusters of lithium that can foster a short.

In October the FDA recommended that patients reach out to their doctors immediately upon receiving the first vibratory battery life alert, just in case the patient’s device was one affected by the lithium deposits, drastically limiting the response time prior to total catastrophic failure. In the same report, the FDA suggested it was prudent to utilize the Merlin@home remote transmitters to help identify problems with ICDs and ICD batteries. That report, issued October 11, came several weeks after reports surfaced in late summer about speculation regarding security weaknesses associated with the remote devices, and thus the potential for hacking.

That report was issued in August of last year, and the FDA was silent on the issue.

The agency no longer is, issuing a report on January 9 noting that speculation in late summer about the potential for cyber hacks associated with St. Jude ICDs is more than mere speculation.

The issues “could allow an unauthorized user...to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home transmitter [to] modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks,” the FDA said.

So far, there have been no reports of such tampering according to the FDA, adding that a software patch had been created and available to the ICD through an automatic download, provided the device is properly connected remotely to accept software patches.

A putative class action was launched in California in August, alleging inadequate security.

Meanwhile ICD lawyers are bracing for ICD battery lawsuits.