The FDA and St. Jude recently announced a security patch for the Merlin@home transmitter, which is used to remotely monitor implanted cardiac devices such as pacemakers and ICDs.
Cybersecurity in healthcare has gotten a lot more attention in recent years. High-profile ransomware attacks on health systems have made national headlines. And as an increasing number of medical devices become “connected,” the threat of bad actors exploiting security vulnerabilities to harm patients has been highlighted by regulators, among others.
Last year, security research firm MedSec released a report claiming to have identified numerous vulnerabilities in St. Jude implantable cardiac devices. That report, however, was widely criticized for possible bias, since MedSec licensed the study to a financial firm that had placed a large bet on St. Jude's stock price falling on the strength of those findings. Researchers from the University of Michigan also cast doubt on the accuracy of the report, though MedSec said it had deliberately withheld some details from the public for safety reasons.
In a statement, the FDA acknowledged that its own investigation had confirmed at least some of the vulnerabilities and that they could allow an attacker to tamper with implanted devices, causing inappropriate shocks or rapid battery depletion:
The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e. someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.
On the same day, St. Jude announced that it was pushing an FDA-cleared software patch to the affected Merlin@home transmitters to address those problems. Note that the fix is applied to the home transmitter, not to the implanted devices themselves.
These kinds of risks are only likely to grow as more medical devices become connected, though the level of risk certainly varies from device to device. The FDA recently issued guidance on postmarket cybersecurity management for medical devices in an attempt to address some of these issues proactively. Realistically, though, this is unlikely to be the last time we hear about such issues affecting medical devices.
Source: FDA Advisory