FDA Confirms Claim Of Cybersecurity Vulnerabilities In St. Jude Devices
On Monday, the U.S. Food and Drug Administration confirmed a claim made in August 2016 that a large number of cardiovascular devices produced by St. Jude Medical are vulnerable to cyberattacks. However, St. Jude said a patch is in place to address the risk.
The accusation against St. Jude, now owned by Abbott Laboratories as of last week, was originally made by short-selling firm Muddy Waters and research firm MedSec. The firms, which stood to profit from a decline in St. Jude’s share price, released numerous videos that purportedly demonstrated the cybersecurity vulnerabilities of St. Jude’s Merlin@home remote heart monitoring system.
Over a landline, cellular or wireless internet connection, Merlin@home could send data from pacemakers, defibrillators and cardiac resynchronization devices to a patient’s physician for continuous monitoring. Yet, as more and more implantable devices become interconnected with smartphones, hospital networks and other medical devices, concerns about cybersecurity intrusions and exploits have been raised.
In St. Jude’s case, according to the FDA, the Merlin@home Transmitter could be exploited and used to modify programming commands sent to an implanted device. A breach of this sort could result in rapid battery depletion and/or the administration of inappropriate pacing or shocks to a patient’s heart, the FDA said.
So far, no reports of patient harm have come out in relation to cybersecurity vulnerabilities.
On the same day as the FDA’s report, St. Jude said it had developed a software patch for the Merlin@home Transmitter that it would make immediately available. Patients and caregivers would just need to connect their Merlin@home Transmitter to the Merlin.net network to receive the patch.
“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security,” said Ann Barron DiCamillio, former director of the U.S. Computer Emergency Readiness Team, in a statement. DiCamillio is also an advisor on St. Jude’s Cyber Security Medical Advisory Board, which the company created in October to address the continuing vulnerability claims being made by Muddy Waters and MedSec.
Meanwhile, Muddy Waters and MedSec—both of which are locked in a defamation lawsuit with St. Jude—are saying St. Jude’s latest patch isn’t the fix it claims to be.
“The announced fixes do not appear to address many of the larger problems,” Muddy Waters said in a blog post, “including the existence of a universal code that could allow hackers to control implants.”
In a separate blog post, MedSec CEO Justine Bone said, “We believe our actions, which always sought to protect detailed vulnerability information, have finally resulted in St. Jude Medical taking responsibility for the extensive security problems in their technology.”
Similarly to Muddy Waters, Bone added that her firm is “eagerly awaiting remediation efforts on the multitude of severe vulnerabilities that remain unaddressed including the ability to issue an authorized command from a device other than the Merlin@home device.”