St. Jude Hacking Risks Lead To Creation of Cybersecurity Panel

Following indications that some of its remotely-accessible wireless medical implants may be vulnerable to hacking, St. Jude Medical has created an advisory panel on medical cybersecurity. 

The formation of the Cyber Security Medical Advisory Board (CSMAB) was announced in a press release issued October 17. The board members, which will advise St. Jude on cyber security risks, have not yet been selected.

The move comes after the FDA announced in August that it was investigating cyber security vulnerabilities in St. Jude pacemakers, after a report was released by Muddy Waters Capital LLC, outlining findings by MedSec Holdings. The report indicated that the company’s Merlin@home transmitter and Merlin.net PCN, which are used to transmit data from heart devices to physicians, “lacked even the most basic security defenses” such as encryption, anti-tampering devices and anti-debugging tools, which are used by other heart device manufacturers.

A day after the report was released, a St. Jude class action lawsuit was filed by Clinton W. Ross, Jr. seeking to represent all individuals who received certain St. Jude pacemakers or defibrillators with radiofrequency telemetry capability, saying they may contain security measures preventing outside intrusion.

“Our mission is to deliver innovative technologies that save and improve lives,” Dr. Mark Carlson, chief medical officer at St. Jude Medical, said in the press release. “We take the cyber security of our devices very seriously and creating the Cyber Security Medical Advisory Board is one more demonstration of our ongoing commitment to advancing standards of patient care around the world without comprising safety and security.”

Medical Device Cybersecurity Concerns

Cybersecurity threats to the medical field have been a growing concern over the last few years as vulnerabilities to healthcare organizations record systems and medical devices have surfaced.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk.

The Department of Health and Human Services (DHHS) manager, Jason Lay, has called the exposed vulnerabilities in the medical field a danger. Lay claimed the possibility of hacks to medical devices are a very real possibility, stating hackers could potentially tamper with medical devices and use them to gain access to healthcare organizations health record systems.

Additionally, in a demonstration at the RSA security conference in San Francisco in 2012, researchers were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.

The FDA has been actively working on improving cybersecurity in the medical field since 2013, when the White House issued Executive Order 13636, which called on the public and private sectors to collectively strengthen the gap in cybersecurity infrastructure. Since the order, the FDA issued its first guidance in October 2014, recommending medical device manufactures to incorporate strong anti-hack programs during the design stages of device development.

The agency proposed a second guidance on January 15, outlining important steps medical device manufacturers should take to proactively plan for and to assess vulnerabilities, to keep patients safe and better protect public health.