FDA Issues Class I Cybersecurity Correction for Abiomed Impella Controllers to Prevent Unauthorized Access Risks

By Elara Whitestone

October 10, 2025

The U.S. Food and Drug Administration (FDA) has issued a cybersecurity correction notice involving specific models of Abiomed’s Automated Impella Controllers (AICs) after identifying vulnerabilities that could allow unauthorized access or device disruption. Although this action is not classified as a recall, it has been designated a Class I correction—the most serious type—due to the potential risk of patient harm if the device were compromised.

Abiomed’s Impella systems are commonly used in cardiac and cardiovascular procedures to provide temporary mechanical circulatory support for patients with reduced heart function. The Automated Impella Controller manages the operation of these pumps during critical interventions, making continuous functionality essential to patient safety.

According to the FDA, cybersecurity testing revealed that certain controller configurations were vulnerable to network-based interference. If exploited, these weaknesses could lead to a loss of device control or an unexpected pump shutdown.

The FDA’s notice describes the issue as a potential cybersecurity exposure involving both network and physical access points.

While no patient injuries or confirmed cyberattacks have been reported, the agency classified the correction with high priority due to the potential consequences.

The affected devices include several models of the Automated Impella Controller and Impella Optical Controller that were distributed in the United States. Abiomed began notifying healthcare facilities in September 2025 and is currently deploying a software update to mitigate risk.

“This is not a mechanical failure but a digital vulnerability. The challenge now is that cybersecurity is becoming a core component of medical safety,” said an FDA cybersecurity analyst in the official release.

Abiomed has advised all healthcare institutions using the affected controllers to take immediate steps to reduce exposure:

1. Disconnect controllers from all network connections, including Wi-Fi and Ethernet interfaces, until the security update is installed.

2. Restrict physical access to the devices to authorized personnel only, even when the controller is not in use.

3. Monitor device behavior for unexpected alerts, communication failures, or control irregularities.

4. Implement isolation protocols in clinical environments to prevent potential cross-network intrusion.

5. Forward the correction notice to any sites or facilities that may have received redistributed units.

Abiomed’s field correction team will contact facilities to coordinate software updates and confirm implementation of mitigation measures.

This incident underscores the increasing convergence between medical device safety and cybersecurity. Devices that were once considered purely mechanical now operate as part of connected ecosystems—sometimes linked to hospital networks, data systems, or remote monitoring platforms.

Experts emphasize that as these devices evolve, cybersecurity should be integrated into patient safety protocols rather than treated as an IT issue.

“A secure medical device is a safe medical device,” said Dr. Karen Liu, a biomedical systems security specialist. “Regulators, manufacturers, and hospitals must collaborate to ensure that protective measures evolve as rapidly as the devices themselves.”

FDA’s Expanding Early Alerts Program

The agency’s action against Abiomed aligns with its expanded “Medical Device Early Alerts” initiative, launched in 2024 to communicate high-risk safety updates faster than traditional recalls.

These notices are intended to prompt immediate institutional awareness without disrupting patient care or creating supply shortages.

According to the FDA, this framework allows manufacturers to act quickly when security or performance issues arise—especially in devices critical to life-sustaining functions.

For cardiac centers and surgical facilities, this correction serves as a reminder that cybersecurity resilience is now part of clinical risk management. Hospitals should maintain updated inventories of networked medical devices, conduct regular vulnerability assessments, and ensure that all staff members understand emergency response protocols in the event of a device malfunction.

Although no patients have been affected to date, the seriousness of the correction reflects the potential consequences of even a short device interruption during a cardiac procedure.

The Abiomed Impella Controller correction is not a recall but a critical preventive step to safeguard device integrity and patient safety. As the medical industry continues to digitize, proactive cybersecurity measures will be essential in avoiding clinical disruption and preserving trust in life-sustaining technologies.
