Impella Heart Pump Cybersecurity Risks Result in FDA Recall Warning

Recall instructs facilities to immediately remove the affected devices from service and place them in quarantine until an Abiomed field representative can disconnect the controller from the network.

Federal regulators have announced a recall of certain Automated Impella Controllers, due to a cybersecurity vulnerability that could allow unauthorized system access and potentially lead to life-threatening injuries for patients.

The Impella heart pump is a small device that is inserted through the femoral artery in the leg and guided into the heart’s left ventricle to ensure a steady blood flow to vital organs during open heart procedures. It is only about the size of a pencil, and is controlled by an Automated Impella Controller (AIC), which interfaces with the catheter portion of the pump.

In recent months, the controller portion of these devices have been the subject of several recalls, including concerns that they may crack during insertion, as well as an issue with drive circuit assemblies not meeting proper specifications, resulting in at least one patient death in August.

The U.S. Food and Drug Administration (FDA) issued a correction notice on October 10, warning that certain Automated Impella Controllers contain network-accessible cybersecurity vulnerabilities that could allow an unauthorized user, either through hospital systems or direct physical access, to interfere with the pump’s essential functions. 

According to the agency, any disruption of blood flow caused by unauthorized access could result in hemodynamic instability, permanent injury or death.

Abiomed, the manufacturer of the Impella Heart Pump, has notified healthcare facilities that the following devices are affected:

• Impella Controller, Packaged, US, Product Code 0042-0000-US, UDI 00813502010022, all serial numbers
• Impella Optical controller, Packaged, US, Product Code 0042-0010-US, UDI 00813502010985, all serial numbers
• Optical, AIC, Impella Connect, Pkgd, US, Product Code 0042-0040-US, UDI 00813502011401, all serial numbers
• AIC w/Impella Connect for ECP, Product Code 1000432, UDI 00813502013030, all serial numbers
• Dbl Optical, AIC Impella Connect, Pkg US, Product Code 1000201, UDI 00813502010442, all serial numbers

Regulators emphasized that the devices are not being removed from the market, but must be quarantined in a secure environment until an Abiomed field representative disables network connectivity to prevent unauthorized access. Once disconnected from the network, the Impella controllers may remain in clinical use, as the pump function itself is not affected by removal from the network.

Healthcare providers who wish to disconnect devices before a field visit may contact ra-abm-fieldaction@its.jnj.com or their local Abiomed support team for proper instructions. Any suspected cybersecurity incidents involving the device should be reported to https://www.productsecurity.jnj.com/.

Abiomed is developing a security update to restore network use under safer conditions, and further instructions will be issued once the patch is available. Facilities experiencing device performance issues or adverse events are directed to contact Abiomed at 978-646-1400, or submit a report through the FDA MedWatch Safety Information and Adverse Event Reporting Program.

Medical Device Cybersecurity Threats

Cybersecurity threats to medical devices have become an increasing concern to the healthcare industry. In April 2024, the FDA released a report indicating that the agency oversaw safety compliance and improved recalls for more than 257,000 medical devices during the prior year.

These results were partially due to new safety guidelines that the FDA released in 2023, which were designed to prevent medical devices from being hacked. These guidelines were enacted following growing concerns about cyber threats, including the WannaCry8 ransomware virus that attacked hospital systems and medical devices around the world.

Earlier that year, several models of Illumina DNA sequencing devices were found to have cybersecurity flaws that could allow hackers to access patient information, federal regulators warned.

Impella Heart Pump Recalls

In addition to concerns about automated controllers, Impella heart pumps have faced a number of other recalls. In February, Impella RP and Impella RP Flex Heart Pumps with SmartAssist were recalled, due to the risk of contact between guidewires and other medical instruments, which could cause the heart pumps to shut down unexpectedly.

Abiomed recalled certain Impella Left Sided Blood Pumps in March 2023, after reports indicated the devices had caused nearly 50 deaths and about 130 injuries due to heart ventricle perforations.

That was one of three recalls that year involving the company’s heart pump systems. Another recall targeted the Impella 5.5 with SmartAssist pumps, which were linked to purge fluid leaks that could cause device failure, heart valve damage and serious patient harm, following 179 related complaints.

In June 2023, the FDA also announced a Class I recall for Impella RP Flex catheter systems, citing inadequate safety instructions about the risk of blood clots that had already resulted in 12 injuries.

In the wake of these actions, injured patients have begin pursuing potential Impella heart pump lawsuits, presenting claims that Abiomed knew about the devices’ safety issues but failed to warn doctors and patients.

Sign up for more health and legal news that could affect you or your family.