Home » Merlin@home Transmitter

Merlin@home Transmitter

• More on Merlin@home Transmitter
  • Merlin@home Hackers
  • Merlin@home Transmitter Lawsuit

The Merlin@home transmitter system was designed to communicate with certain implantable cardiac devices marketed by St. Jude Medical, including implantable defibrillators, pacemakers, and cardiac resynchronization devices. The transmitter is part of a remote monitoring system that allows patient data to be transmitted to a doctor’s office.  In 2016, the investor group Muddy Waters announced it had taken a short position in St. Jude stock, and issued a report asseting that the Merlin@home system was especially vulnerable to computer hacks. The FDA confirmed the cybersecurity risk the following January.

What is Merlin@home

When a patient receives a St. Jude cardiac implant, it is often bundled with the Merlin@home system. The transmitter works in conjunction with the company’s data management system, the Merlin.net Patient Care Network, to remotely transmit patient data to their physician’s office.  According to St. Jude, remote monitoring increases the quality of patient care, improves clinical efficiency and substantially reduces health care costs. Clinical studies also suggest that remote monitoring reduces time to detect clinical events, reduces hospitalizations^, and reduces all-cause mortality over three years.

The components that make up the Merlin@home monitoring system include:

• Implantable Cardiac Device: Either a defibrillator, pacemaker or cardiac resynchronization device. These implants are indicated for use in patients with tachycardia and bradycardia, and are RF enabled to allow communication with Merlin@home devices and programmers.
• Patient Care Systems: Also called physician office programmers, they are designed to interrogate, program, display data and test St. Jude implantable devices. Every feature that can be changed in the implantable device can be done via the programmer. When the device is RF enabled, a wand is used to unlock the implant, allowing transmission of data to occur over RF.
• Merlin.net: The St. Jude network allows the transfer of data – including patient data, remote performance diagnostics, and device updates – between implanted devices, programmers, Merlin@home monitors, and physicians.
• Merlin@home Transmitter: About the size of a hardcover book, the monitor communicates with St. Jude’s implantable devices, and transmits the data to Merlin.net.

Merlin@home Cybersecurity

In August2016, the investor group Muddy Waters announced that it had taken a short position in St. Jude stock, meaning that it had made a financial bet that the price of the company’s shares would decline. The group’s decision to do so was based on alleged cybersecurity issues that it said made St. Jude’s implantable cardiac devices vulnerable to hacks. According to Muddy Waters, the most vulnerable component appeared to be the Merlin@home transmitter. The purported vulnerabilities were discovered by a cybersecurity research firm called MedSec, which conducted demonstrations for the investor group.

In a 33-page report, Muddy Waters claimed that the problems would ultimately result in the recall and remediation of St. Jude’s implantable cardiac devices, and alleged that over 50% of the company’s revenue could disappear over the next two years as a result.

St. Jude quickly and strongly denied all of the claims put forth by Muddy Waters, calling them “false and misleading.”  Nevertheless, the U.S. Food & Drug Administration and the Department of Homeland Security confirmed that they had launched an investigation of the issues raised by group’s report. Read More

The FDA review ultimately cybersecurity vulnerabilities in the Merlin@home system. St. Jude released software updates to resolve some of the issues. The company is working with Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to address the remaining vulnerabilities. Read More