A third-party security firm has uncovered yet another hacking vulnerability affecting St. Jude Medical’s Merlin@home remote transmitter system. The company will be releasing a software update over the next several months to resolve the issue.
St. Jude Medical’s Merlin@home system is used in conjunction with many of the company’s implantable cardiac devices, and allows patients to wirelessly transmit data from their cardiac device to the Merlin.net Patient Care Network. The uploaded data can then be monitored by a physician to determine whether the patient’s implant is functioning properly.
Last August, the Muddy Waters investment group published a report claiming that the Merlin@home transmitter suffered from significant cybersecurity vulnerabilities, predicting that St. Jude would be forced to recall implantable defibrillators and pacemakers that relied on the system. At the time, the company strongly denied the allegations put forth by the group. Last month, however, the U.S. Food & Drug Administration confirmed vulnerabilities that could enable hackers to alter the Merlin@home transmitter in a way that would allow access to a patient’s implantable device. While no actual hacking had been reported, St. Jude released a software patch to resolve some of the problems.
This latest problem involves certain Merlin transmitters used by healthcare providers to obtain device data from multiple patients. According to an alert issued on Monday by the U.S. Department of Homeland Security (DHS), the specific vulnerability could allow hackers to launch a “man-in-the-middle” attack to access or influence communication between an implantable cardiac device and Merlin.net. Fortunately, there have been no known instances of hackers exploiting this vulnerability.
“The new version of the transmitter software, Version 8.2.2, will be automatically updated over a period of several months, when all models of the Merlin@home transmitters are connected to an Ethernet, WiFi, cellular network, or a landline,” the DHS alert states. “St. Jude Medical recommends that users keep Merlin@home transmitters powered and connected at all times to receive this update and future updates.”