St. Jude Heart Implant Cybersecurity Problems Result in Software Update

St. Jude’s implantable cardiac devices are vulnerable to wireless hacking, due to a lack of cybersecurity in the company’s Merlin@home transmitter, according to warnings issued this week by federal regulators. 

The FDA issued a safety communication on Monday, indicating that St. Jude heart implant cybersecurity problems may subject the devices to intrusions and exploits. The warning comes after a review the agency began in August 2016.

The investigation began after a report was released by Muddy Waters Capital LLC, outlining findings by MedSec Holdings that suggested the St. Jude’s Merlin@home transmitter and Merlin.net PCN, which are used to transmit data from heart devices to physicians, “lacked even the most basic security defenses” such as encryption, anti-tampering devices and anti-debugging tools, which are used by other heart device manufacturers.

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” the FDA concluded in the safety communication. “The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”

In response to the concerns, St. Jude formed a Cyber Security Medical Advisory Board in October 2016. On Monday, the company announced in a press release that it was releasing a cybersecurity update for Merlin@home to patch some of the holes in its security.

The update includes additional validation and verification measures between Merlin.net and Merlin@home, and is one of a number of updates the company expects to release this year, according to the press release.

The FDA announced that it has reviewed the updates to ensure they address the greatest risks and reduced the risk of harm, and determined that the benefits of the Merlin@home system outweigh cybersecurity risks.

Both the FDA and St. Jude indicated there had been no reports of actual hacking incidents associated with the implants.

The cybersecurity problems come as patients are continuing to deal with a recent St. Jude ICD and CRT-D recall issued last year, due to battery problems with hundreds of thousands of Fortify, Unify and Assura heart implants.

The FDA classified that action as a Class I recall, due to the serious risk of injury or death if the battery suddenly fails, resulting in the need for devices to be replaced.

Medical Device Cybersecurity Concerns

Cybersecurity threats to the medical field have been a growing concern over the last few years as vulnerabilities to healthcare organizations’ record systems and medical devices have surfaced.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk.

The Department of Health and Human Services (DHHS) manager, Jason Lay, has called the exposed vulnerabilities in the medical field a danger. Lay claimed the possibility of hacks to medical devices are a very real possibility, stating hackers could potentially tamper with medical devices and use them to gain access to healthcare organizations health record systems.

Additionally, in a demonstration at the RSA security conference in San Francisco in 2012, researchers were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.

The FDA has been actively working on improving cybersecurity in the medical field since 2013, when the White House issued Executive Order 13636, which called on the public and private sectors to collectively strengthen the gap in cybersecurity infrastructure. Since the order, the FDA issued its first guidance in October 2014, recommending medical device manufactures to incorporate strong anti-hack programs during the design stages of device development.

The agency proposed a second guidance on January 15, 2016, outlining important steps medical device manufacturers should take to proactively plan for and to assess vulnerabilities, to keep patients safe and better protect public health.