News Feature | January 25, 2017

St. Jude Releases Updates After FDA Confirms Its Cardiac Devices Can Be Hacked


By Christine Kern, contributing writer


Abbott Labs releases a patch after vulnerabilities left the devices open to malicious attacks.

An FDA Safety Communication issued January 9 reveals the agency found cybersecurity vulnerabilities in St. Jude Medical's implantable cardiac devices and Merlin@home Transmitter. The safety alert states these devices “contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits,” and that the risk of exploitation grows as the devices are interconnected via the Internet, hospital networks, other medical devices, or smartphones.

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks,” continues the warning.

The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory saying a highly skilled attacker could remotely exploit a “man-in-the-middle” vulnerability in the Merlin@home system to issue malicious commands. The flaw arises when a system does not properly authenticate the sender of remote messages: an attacker who can inject traffic on the path to the implant can pose as a legitimate source and relay damaging commands to the pacemaker through the Merlin@home transmitter. According to the DHS notice, MedSec Holdings had correctly identified the man-in-the-middle vulnerability in St. Jude devices.
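To make the flaw class concrete, here is an added example that is not St. Jude's code, protocol, frame format or key material; every class, field and bound in it is a constructed illustration. It models a toy implant command channel that accepts any well-formed frame, beside a hardened version that requires an HMAC-SHA256 tag under a key unique to that implant plus a strictly increasing counter. The hardened version rejects a forged frame, a replayed frame, and a frame tagged with another patient's device key, which is the property a single shared (“universal”) code cannot provide.

```python
import hashlib
import hmac
import os
import struct

# Constructed illustration of the flaw class described in the DHS advisory:
# a command channel that does not authenticate the sender, beside a hardened
# version. Nothing here is St. Jude's protocol, frame format or key material.

RATE_MIN, RATE_MAX = 30, 180  # hypothetical plausibility bounds (beats/min)


class UnauthenticatedImplant:
    """Accepts any well-formed frame; whoever controls the transmitter path
    controls the implant."""

    def __init__(self):
        self.pacing_rate = 60

    def handle(self, frame: bytes) -> str:
        if len(frame) != 2:
            return "rejected: malformed"
        (rate,) = struct.unpack(">H", frame)
        self.pacing_rate = rate
        return "applied"


class AuthenticatedImplant:
    """Requires an HMAC-SHA256 tag under a key unique to this implant, plus a
    strictly increasing counter so an intercepted frame cannot be replayed."""

    TAG_LEN = 32
    BODY_LEN = 2 + 4  # uint16 rate, uint32 counter

    def __init__(self, device_key: bytes):
        self.key = device_key
        self.pacing_rate = 60
        self.last_counter = 0

    def handle(self, frame: bytes) -> str:
        if len(frame) != self.BODY_LEN + self.TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[: self.BODY_LEN], frame[self.BODY_LEN :]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; verify the tag before parsing anything else.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        rate, counter = struct.unpack(">HI", body)
        if counter <= self.last_counter:
            return "rejected: replay"
        if not RATE_MIN <= rate <= RATE_MAX:
            return "rejected: out of range"
        self.last_counter = counter
        self.pacing_rate = rate
        return "applied"


def build_command(rate: int, counter: int, key: bytes) -> bytes:
    """What a legitimate programmer/transmitter holding the device key sends."""
    body = struct.pack(">HI", rate, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def demo() -> dict:
    device_key = os.urandom(32)    # provisioned to this implant and its clinic
    other_key = os.urandom(32)     # a different patient's device key
    attacker_key = os.urandom(32)  # the attacker holds no device key

    results = {}

    # 1. Flaw class: the unauthenticated implant applies a forged 180 bpm command.
    weak = UnauthenticatedImplant()
    results["weak_forged"] = weak.handle(struct.pack(">H", 180))

    # 2. Hardened implant: a legitimate command is applied...
    strong = AuthenticatedImplant(device_key)
    legit = build_command(70, 1, device_key)
    results["strong_legit"] = strong.handle(legit)
    # ...a frame forged without the key is rejected...
    results["strong_forged"] = strong.handle(build_command(180, 2, attacker_key))
    # ...replaying the captured legitimate frame is rejected...
    results["strong_replay"] = strong.handle(legit)
    # ...and a frame valid for another patient's device is rejected too,
    # which a single shared ("universal") code could not guarantee.
    results["strong_other_device"] = strong.handle(build_command(70, 3, other_key))
    # A fresh, in-range command from the real key still works.
    results["strong_next"] = strong.handle(build_command(75, 2, device_key))
    results["final_rate"] = strong.pacing_rate
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The design point is that the tag is checked before any field is parsed or acted on, and the key is per device, so compromising or capturing traffic from one transmitter yields nothing that works against a different implant.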

Abbott Laboratories, which recently acquired St. Jude Medical for $23 billion, has since announced the release of a patch to correct the vulnerabilities, according to The Star Tribune. “We've partnered with agencies such as the U.S. Food and Drug Administration and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team unit and are continuously reassessing and updating our devices and systems, as appropriate,” says Phil Ebeling, the St. Jude executive who became chief technology officer for Abbott's cardiovascular-device business.

FDA spokeswoman Angela Stark says, “The patch is intended to reduce the risk of unauthorized individuals exploiting the vulnerability and support patient safety. The FDA has maintained this focus on addressing patient safety first and foremost throughout its investigation.” However, Carson Block, founder of financial research and trading firm Muddy Waters, which initially revealed the vulnerabilities, says, “The announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”

“We eagerly await remediation efforts on the multitude of severe vulnerabilities that remain unaddressed, including the ability to issue an unauthorized command from a device other than the Merlin@home device,” MedSec CEO Justine Bone wrote in a blog post.

St. Jude spokeswoman Candace Steele Flippin declined to identify specific issues, but told Reuters, “The cybersecurity landscape is evolving. St. Jude Medical has worked with, and continues to work with, the FDA and DHS to update and improve the security of our technology.”