Patients who have been implanted with pacemakers and defibrillators manufactured by US-based St. Jude Medical are urged to make sure that their Merlin@home Transmitter unit is plugged in and connected to the Merlin.net network, so that it can receive a critical security patch.
The alert comes both from the company and the US Food and Drug Administration (FDA). The latter has been notified of vulnerabilities in these specific company products, has reviewed the provided information, and “has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter.”
“The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks,” the FDA explained.
The agency added that it has reviewed the software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and that it will “continue to assess new information concerning the cybersecurity of St. Jude Medical’s implantable cardiac devices and the Merlin@home Transmitter.”
St. Jude Medical pushed out the patch on Monday, but did not offer information on which vulnerabilities have been fixed. The company has also announced more product updates in 2017.
Muddy Waters Research, an investment firm that researches public companies and which, with the help of MedSec researchers, unearthed and disclosed many of these serious vulnerabilities last year, is not impressed with the patch.
“After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement that effectively vindicates the research published by MedSec and Muddy Waters. This long-overdue acknowledgement, just days after completion of St. Jude’s sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients,” the company noted.
“It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities. Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”
St. Jude Medical says that it “is not aware of any cyber security incidents related to a St. Jude Medical device, nor is it aware that any specific St. Jude Medical device or system in clinical use has been purposely targeted.”