Successfully exploiting a vulnerability found in certain St. Jude Medical devices may give a remote attacker access to the communication channel between those devices and the vendor's servers, according to a recent advisory from the Department of Homeland Security (DHS).
The follow-up advisory is meant to provide additional information to patients and healthcare providers, states the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) update.
“The affected product, the Merlin@home transmitter, allows for remote care management of patients with implanted cardiac devices through scheduled transmissions, patient-initiated transmissions, and daily monitoring,” ICS-CERT explains. “The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical’s web site, Merlin.net, are not verified. This may allow a remote attacker to access or influence communications between the identified endpoints.”
The advisory notes that there are no known public exploits for this particular vulnerability, and that exploiting it would require a highly skilled attacker.
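The core of the advisory is that neither endpoint proves its identity to the other, so an on-path attacker can impersonate the server or rewrite traffic. In practice the standard remedy is TLS with certificate and hostname validation (ideally with the vendor's CA or key pinned in the transmitter). The following is an added, illustrative example, not code from St. Jude Medical or the advisory: a minimal mutual challenge-response over a per-device pre-shared key, with every command authenticated under a derived session key. The device identifier, key, message layout and command strings are constructed for the demo; the pre-shared-key design is a stand-in for certificate-based authentication so that the exchange runs offline.

```python
import hashlib
import hmac
import secrets

# Constructed demo credentials (not real device data). A per-device key is
# assumed to be provisioned into both the transmitter and the server registry.
DEVICE_ID = b"TX-0001"
DEVICE_KEY = bytes(range(32))
NONCE_LEN = 16


class AuthError(Exception):
    """Raised when a peer cannot prove its identity or a message was altered."""


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Transmitter:
    """Home transmitter side: verifies the server before trusting any command."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id, self.key = device_id, key
        self.nonce = secrets.token_bytes(NONCE_LEN)
        self.session_key = None

    def hello(self) -> bytes:
        return self.device_id + b"|" + self.nonce

    def verify_server(self, msg: bytes) -> bytes:
        # msg = server nonce || HMAC(key, "server", client nonce, server nonce)
        server_nonce, proof = msg[:NONCE_LEN], msg[NONCE_LEN:]
        expected = prf(self.key, b"server", self.nonce, server_nonce)
        if not hmac.compare_digest(proof, expected):
            raise AuthError("server identity not verified")
        self.session_key = prf(self.key, b"session", self.nonce, server_nonce)
        return prf(self.key, b"client", self.nonce, server_nonce)  # our proof

    def accept_command(self, msg: bytes) -> bytes:
        body, tag = msg[:-32], msg[-32:]
        if not hmac.compare_digest(tag, prf(self.session_key, b"cmd", body)):
            raise AuthError("command altered in transit")
        return body


class Server:
    """Monitoring server side: verifies the transmitter before acting on it."""

    def __init__(self, registry: dict):
        self.registry = registry  # device_id -> per-device key
        self.nonce = secrets.token_bytes(NONCE_LEN)
        self.key = self.client_nonce = self.session_key = None

    def challenge(self, hello: bytes) -> bytes:
        device_id, _, client_nonce = hello.partition(b"|")
        self.key = self.registry.get(device_id)
        if self.key is None:
            raise AuthError("unknown device")
        self.client_nonce = client_nonce
        return self.nonce + prf(self.key, b"server", client_nonce, self.nonce)

    def verify_client(self, proof: bytes) -> None:
        expected = prf(self.key, b"client", self.client_nonce, self.nonce)
        if not hmac.compare_digest(proof, expected):
            raise AuthError("transmitter identity not verified")
        self.session_key = prf(self.key, b"session", self.client_nonce, self.nonce)

    def command(self, body: bytes) -> bytes:
        return body + prf(self.session_key, b"cmd", body)


def run_session(tx, server, command, on_path=lambda m: m):
    """Relay each message through on_path, which models an on-path attacker
    able to read or rewrite traffic. Returns ("accepted", body) or
    ("rejected", reason)."""
    try:
        m1 = on_path(tx.hello())
        m2 = on_path(server.challenge(m1))
        m3 = on_path(tx.verify_server(m2))
        server.verify_client(m3)
        m4 = on_path(server.command(command))
        return ("accepted", tx.accept_command(m4))
    except AuthError as e:
        return ("rejected", str(e))


def demo():
    registry = {DEVICE_ID: DEVICE_KEY}
    cmd = b"SCHEDULE_READ 03:00"  # constructed command string
    honest = run_session(Transmitter(DEVICE_ID, DEVICE_KEY), Server(registry), cmd)
    # An attacker rewriting the command in flight fails the session MAC.
    tampered = run_session(Transmitter(DEVICE_ID, DEVICE_KEY), Server(registry), cmd,
                           on_path=lambda m: m.replace(b"SCHEDULE_READ", b"SET_PACING_HI"))
    # A rogue server that lacks the device key cannot answer the challenge.
    rogue = run_session(Transmitter(DEVICE_ID, DEVICE_KEY),
                        Server({DEVICE_ID: bytes(32)}), cmd)
    return honest, tampered, rogue


if __name__ == "__main__":
    for name, result in zip(("honest", "tampered", "rogue server"), demo()):
        print(f"{name}: {result}")
```

The nonces bind each proof to one session, so a captured proof cannot be replayed, and the session key derived from both nonces ties each command to the authenticated exchange; with the key held only by the transmitter and the registry, the attacker in the second and third scenarios is detected rather than granted a foothold.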
In response to the potential medical device vulnerability, St. Jude has developed an updated software version for the transmitters.
“The new version of the transmitter software, Version 8.2.2, will be automatically updated over a period of several months, when all models of the Merlin@home transmitters are connected to an Ethernet, WiFi, cellular network, or a landline,” the advisory reads. “St. Jude Medical recommends that users keep Merlin@home transmitters powered and connected at all times to receive this update and future updates.”
ICS-CERT added that St. Jude continues to work with it and the FDA to address further security issues that have been identified, and that additional information products will be released as more data becomes available.
“ICS-CERT reminds Internet users that directly connecting any device to the Internet without explicitly controlling communication with or access to the connected device, significantly increases the risk of a cybersecurity-related event,” the advisory cautions.
Healthcare organizations and other entities in the public health sector should also perform a proper impact analysis and risk assessment before any defensive actions are deployed, ICS-CERT states.
The FDA had previously announced that if the cybersecurity vulnerabilities were exploited, it “could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter.”
Furthermore, an altered transmitter could potentially be used to modify an implanted device’s programming commands. This “could result in rapid battery depletion and/or administration of inappropriate pacing or shocks,” according to the FDA.
“The FDA has reviewed St. Jude Medical's software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm,” the agency stated. “The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.”
St. Jude explained that it was making updates to the Merlin system, including “security updates that complement the company’s existing measures.”
“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” Ann Barron DiCamillo, former director of US-CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board, said in a statement. “Today’s announcement is another demonstration that St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate.”
This was not the first time that St. Jude faced criticism over potential medical device security issues.
Muddy Waters released a research report in August 2016 claiming that certain St. Jude cardiac devices have cybersecurity vulnerabilities that are “more worrying than the medical device hacks that have been publicly discussed in the past.” The devices could be attacked from within a 50-foot radius, the report said.