Certain St. Jude Medical implantable cardiac devices were found to have cybersecurity issues, according to recent findings from the Food and Drug Administration (FDA).
Pacemakers, defibrillators, and resynchronization devices help patients with irregular heart rhythms, the FDA said in a safety communication posted on its website. These devices “are implanted under the skin in the upper chest area with connecting insulated wires called ‘leads’ that go into the heart.”
St. Jude Medical's Merlin@home Transmitter is a home monitor that transmits and receives RF signals to connect wirelessly to the patient's implanted device.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” the warning explained.
An altered transmitter could potentially be used to modify an implanted device’s programming commands, the FDA stated, “which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”
The FDA added that there have been no reports of these cybersecurity vulnerabilities leading to patient harm, and that St. Jude has developed and validated a software patch for the Merlin@home Transmitter.
“The FDA has reviewed St. Jude Medical's software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm,” the agency maintained. “The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.”
St. Jude said in its own statement that its improvements to the Merlin™ remote monitoring system “include security updates that complement the company’s existing measures.” The existing risk from these cybersecurity vulnerabilities is already low, and the changes lower the risk in the devices further.
“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board Ann Barron DiCamillo said in a statement. “Today’s announcement is another demonstration that St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate.”
St. Jude has previously been accused of having medical device cybersecurity vulnerabilities, and even filed a lawsuit in the United States District Court for the District of Minnesota.
In August 2016, Muddy Waters released a report claiming that certain St. Jude cardiac devices have cybersecurity vulnerabilities that are “more worrying than the medical device hacks that have been publicly discussed in the past.” The devices could also be attacked within a 50-foot radius, the report said. These issues “are made possible by the hundreds of thousands of substandard home monitoring devices [St. Jude] has distributed.”
“The STJ ecosystem, which consists of Cardiac Devices, STJ’s network, physician office programmers, and home monitoring devices, has significant vulnerabilities,” Muddy Waters explained in a report summary. “These vulnerabilities highly likely could be exploited for numerous other types of attacks.”
St. Jude disputed the claims at the time, saying that wireless communication has an approximate 7-foot range once a device is implanted in a patient.
“To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient,” St. Jude said in an earlier statement. “In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients.”