The U.S. Food and Drug Administration (FDA) released a safety communication Tuesday about cybersecurity vulnerabilities in some St. Jude Medical cardiac devices and the Merlin@home transmitter, after confirming that the devices could be remotely accessed by unauthorized people.
The FDA confirmed that unauthorized people could “remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” possibly causing patients to be harmed. The vulnerabilities would permit a hacker to deplete the battery on implanted devices, alter pacing, or trigger shocks.
The FDA said that, to date, there have been no reported cases of these cybersecurity flaws being used to harm patients, and patients have been advised to continue using the devices as directed by their healthcare providers.
A patch to address the vulnerabilities has been developed and will be automatically applied this week. However, in order for the Merlin@home device to be updated it must be left plugged in and linked to the Merlin Network.
The cybersecurity flaws were discovered by experts at MedSec as part of a study into cybersecurity measures used to safeguard implantable medical devices. MedSec passed on details of the research to Muddy Waters last summer. In August 2016, Muddy Waters released a report criticizing St. Jude Medical for allowing ‘stunning cybersecurity flaws’ to remain unaddressed in its Merlin@home system and its connected defibrillators and pacemakers. St. Jude Medical denied the allegations and sued Muddy Waters for disseminating ‘false and misleading’ data.
However, since the revelations were released in August, Abbott Laboratories, which recently purchased St. Jude Medical in a $25 billion deal, has been conducting its own investigations into device security. Abbott Laboratories has worked closely with both the FDA and the Department of Homeland Security to ensure that its pacemakers, defibrillator devices, and their connected systems are adequately protected and access by unauthorized individuals is prevented. The FDA has reviewed the software patch and has confirmed that it addresses the “greatest risks” and minimizes the potential for exploitation and patient harm.
Carson Block, founder of Muddy Waters, published a statement about the FDA announcement stating it “reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities.” However, while critical security vulnerabilities have been addressed, Block said “the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”
In its release, the FDA reminded consumers that “any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users.” The FDA added that “the increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery.”