The U.S. Food & Drug Administration (FDA) has confirmed that certain implantable cardiac devices manufactured by St. Jude Medical are vulnerable to hacking. The devices in question, including pacemakers and defibrillators, are bundled with the Merlin@home system, which enables doctors to remotely monitor performance of the implants.
According to an FDA Safety Communication issued earlier today, the hacking vulnerabilities identified by its recent review could allow an unauthorized user to access implanted cardiac devices by altering the Merlin@home Transmitter. The altered transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.
So far, there have been no reports of patient injuries related to this issue. However, St. Jude has released software updates to resolve some, though not all, of the problems. To receive the updates, patients must be connected to the Merlin@home network via the transmitter. St. Jude is working with Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to address the remaining issues. In the meantime, the FDA’s communication includes a number of recommendations to assist patients and their doctors in mitigating any risk associated with the affected pacemakers and defibrillators.
Concerns over Merlin@home hacking were first raised last August, when the Muddy Waters investment group published a report claiming that the system suffered from significant cybersecurity vulnerabilities. Muddy Waters predicted that St. Jude would be forced to recall implantable defibrillators and pacemakers that relied on Merlin@home monitoring. At the time, the company strongly denied the allegations put forth by the group.
“As medical technology advances, it’s increasingly important to understand how innovation and cyber security impact physicians and the patients we treat,” Dr. Leslie Saxon, chair of St. Jude Medical’s Cyber Security Medical Advisory Board, said in a statement issued by the company today. “We are committed to working to proactively address cyber security risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function.”
“The safety and security of patients is always our primary focus. We’ll continue to work with agencies, security researchers, physicians and others in the industry in a coordinated way to develop best practices and standards that further enhance the security of devices across the medical industry,” Saxon continued.