Implantable medical devices like pacemakers and defibrillators manufactured by St. Jude Medical were found to be vulnerable to online hacking, according to a Jan. 9 safety communication issued by the U.S. Food and Drug Administration (FDA).


The FDA reviewed information about vulnerabilities in the devices and confirmed that an unauthorized user could potentially hack into one of St. Jude Medical's devices and alter it.


“Many medical devices—including St. Jude Medical’s implantable cardiac devices—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits,” the FDA warned on its site.


As a result, a hacker could modify the device and cause rapid battery depletion or the “administration of inappropriate pacing or shocks.”


The company’s implantable medical devices, which include pacemakers, defibrillators and resynchronization devices, use a wireless transceiver called the Merlin@home to transmit data from cardiac devices to physicians. This enables physicians to monitor patients outside the office and make changes as needed.


While no harm related to cybersecurity vulnerabilities has been reported to the FDA, the consequences of a hack could be fatal to a patient using one of St. Jude Medical’s devices.


St. Jude Medical worked with the FDA and U.S. Department of Homeland Security to develop a patch released on Jan. 9 that addresses the issues.


“As medical technology advances, it’s increasingly important to understand how innovation and cyber security impact physicians and the patients we treat,” Dr. Leslie Saxon, chair of St. Jude Medical’s Cyber Security Medical Advisory Board, said in a statement. “We are committed to working to proactively address cyber security risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function.”


The new software patch will be automatically applied to all relevant devices as long as the transmitter is connected to the network.


“The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks,” the FDA said.


Claims of Hacking Risks Date Back to August


The recent software patch comes months after a report from investment researcher Muddy Waters and cybersecurity research firm MedSec Holdings Ltd. found a number of vulnerabilities in St. Jude Medical devices.


Immediately after the August report, St. Jude Medical aggressively denied the claims and filed a defamation lawsuit against the companies for intentionally disseminating false information.


Even after the lawsuit was filed, the companies held firm that their findings about the devices were true and needed to be addressed. Muddy Waters even launched a website in October called Profits Over Patients that follows the case as it progresses and aims to hold St. Jude Medical accountable.


The Jan. 9 announcement by the FDA and the subsequent software patch serve as affirmation that their findings pushed St. Jude Medical to remediate the problem, the companies said.


“After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters,” Muddy Waters said in a statement the day of the announcement. “This long-overdue acknowledgement, just days after completion of St. Jude’s sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients.”


Update Only Addresses Greatest Risks in St. Jude Devices


The software update from St. Jude Medical addresses major vulnerabilities, such as battery depletion and pacing changes, and reduces the risk of exploitation and patient harm.


However, the update does not address some of the other serious issues raised by MedSec and Muddy Waters.


“We eagerly await remediation efforts on the multitude of severe vulnerabilities that remain unaddressed including the ability to issue an unauthorized command from a device other than the Merlin@home device,” MedSec said in a statement. “MedSec remains available to assist Abbott Laboratories during this process.”


Despite acknowledging the vulnerabilities and working on a patch, St. Jude Medical still faces a class-action lawsuit related to its device security. A man filed a lawsuit in the U.S. District Court for the Central District of California in late August, claiming that St. Jude Medical did not properly secure its devices against hacks. The man seeks damages and a trial by jury.