FDA Warns of Cybersecurity Holes in Certain Cardiac Devices and Monitoring System

St. Jude Medical is issuing a software patch today that they say will reduce the risk of an unauthorized user causing harm.

The US Department of Homeland Security has identified vulnerabilities in the cybersecurity of radio frequency-enabled implantable cardiac devices and a corresponding remote-monitoring system called Merlin@home, according to a safety communication released today by the US Food and Drug Administration (FDA).

Manufactured by St. Jude Medical, the products in question include pacemakers, defibrillators, and resynchronization devices that are connected to a Merlin@home transmitter and ultimately a patient’s provider using a cellular, landline, or wireless Internet connection. The FDA identified the possibility of remote software manipulation by an unauthorized user that could “result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”

Today’s announcement comes after months of denials by St. Jude Medical—which was formally acquired by Abbott last week—that its devices were vulnerable to cyber-attacks. That charge was levied by Muddy Waters Capital and cybersecurity firm MedSec Holdings Ltd, which took the unusual step of posting videos online showing how the devices could be hacked. In August, St. Jude sued both companies over the allegations. Today, a statement issued by Muddy Waters says the announcement “effectively vindicates” their research and “reaffirms our belief that the company puts profits over patients.” The statement adds that the firms do not believe the fixes announced today will fully protect the technology from cyber-attacks.

While no exploitation of these vulnerabilities is known to have occurred and no patients are known to have been harmed by them, the manufacturer has developed a software patch that it says will increase cybersecurity. The patch will be available to all users of these devices today.

According to a press release from St. Jude Medical, “All medical devices using remote monitoring are exposed to the risk of a potential cyber security attack. . . . In recognition of the changing cyber security landscape and the increased public attention on highly unlikely medical device cyber risks, we are informing the public about these ongoing actions so that patients can continue to be confident about the benefits of remote monitoring.”

The company urges that device users make sure their Merlin@home unit is plugged in and connected in order to receive today’s software as well as future updates.

Addressing the distrust that may linger in some patients even after the software update, the FDA says it has reviewed the patch and conducted an assessment of the transmitter, and has determined “that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.”

  • Food and Drug Administration. Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication. http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm?source=govdelivery&utm_medium=email&utm_source=govdelivery. Published and accessed on: January 9, 2017.

  • St. Jude Medical Announces Cybersecurity Updates. http://media.sjm.com/newsroom/news-releases/news-releases-details/2017/St-Jude-Medical-Announces-Cybersecurity-Updates/default.aspx. Published and accessed on: January 9, 2017.