
Medical Device R&D and Manufacturer

Cardiac System Medical Device Developer

On October 10, 2025, an urgent announcement from the U.S. FDA shook the medical community: a Class I recall has been initiated for Johnson & Johnson Medical Technology's Automatic Impella Controller (AIC) due to significant cybersecurity risks. This is the highest safety level recall, meaning that if the vulnerability is exploited, it could directly lead to patient death. This time, more than 100,000 devices worldwide are affected, covering key treatment scenarios in cardiology and cardiac surgery.
The recalled AIC is the "brain" of the Impella heart pump, which is known as a "wearable artificial heart." It can pump 5 liters of blood per minute, replacing 80% of heart function, and is widely used in emergency heart failure treatment and high-risk cardiac surgeries. Clinical research from Wuhan Union Hospital shows that such devices can improve the surgical safety of high-risk coronary heart disease patients by over 30%, provided the controller operates with precision.
The FDA warns that hackers can tamper with device parameters through the vulnerabilities, causing pumping rhythm disorders. Although no attack has occurred so far, the lessons from the 2017 WannaCry virus that paralyzed 248 medical institutions in the UK and the 2021 ransomware attack on Ireland's health system remain vivid. "Once medical devices are compromised, patient lives are at stake," emphasized the FDA's device security chief.
Unlike a conventional recall, Johnson & Johnson is now telling users that there is no need to return the device, but the AIC must be immediately removed from the hospital's intranet and stored in a physically isolated secure environment. Representatives from Johnson & Johnson will individually coordinate with medical institutions to assist in completing the network disconnection operation, and the subsequent repair plan is yet to be determined.

This special handling has sparked speculation in the industry: if completely discontinued, tens of thousands of patients worldwide who rely on Impella would face treatment interruptions. Johnson & Johnson stated that "the device can continue to be used," but admitted the flaw was unexpectedly discovered during an internal assessment. Moreover, the device has been clinically applied for 15 years without ever undergoing systematic cybersecurity upgrades.
More unsettling is that this is already the FDA's fourth notification regarding issues with the Impella series in three months:
The timeline points to the 2022 acquisition of Abiomed by Johnson & Johnson for $16.6 billion: the Impella technology originally belonged to Abiomed, and after the acquisition, Johnson & Johnson failed to complete the integration of the safety system. Industry analysts have pointed out: "The lifecycle of medical devices often lasts 15-20 years, and if the cybersecurity risks of older systems are not assessed at the time of acquisition, a crisis will eventually erupt."

This incident is not an isolated case. Data from the FDA and the Department of Homeland Security (DHS) in 2024 shows that cyberattacks on medical devices have increased by 40% annually, with vulnerabilities reported in insulin pumps and pacemakers. Xinhua News Agency criticized some manufacturers for "prioritizing sales over security" and failing to establish vulnerability monitoring mechanisms as required by the 2016 FDA guidelines.
The director of the Information Department at Xuanwu Hospital warned: "If hospitals adopt a static mindset for protection, they are highly vulnerable to ransomware attacks. Life-saving devices like Impella must establish dual defenses of physical isolation + real-time monitoring."
Ordinary patients do not need to panic. Currently, most Impella devices used in Chinese hospitals are new models from after 2023. Johnson & Johnson Medical (China) Ltd. has responded, "We are investigating the equipment involved in China." However, caution is needed: if any medical device prompts a "system update," do not ignore it — it might be addressing a critical vulnerability.
When "Artificial Heart" Connects to the Internet, Cybersecurity Becomes a Lifeline. Does your hospital have a medical device security management system in place?