It was recently discovered that certain pacemakers, defibrillators, and other devices manufactured by St. Jude Medical contained vulnerabilities that could leave them prone to hacking. According to the Food and Drug Administration (FDA), “The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter.”
As a result of these discovered flaws, St. Jude Medical released a security patch on Monday for the Merlin remote monitoring system. St. Jude issued a statement acknowledging the potential risk of a cyber attack to remote monitoring systems, but also stated that the bug can be patched with the new update. The FDA said in their statement that the patch will be automatically applied, and that patients and caregivers simply need to ensure that the device stays plugged in and remains connected to the Merlin.net network for it to be received. They also stated that they reviewed the patch to ensure that it addressed the greatest risks of these security flaws, and that it reduced the risk of exploit and patient harm. In addition, an assessment of benefits and risks was conducted, in which it was found that the health benefits of the device outweigh the potential cybersecurity risks.
While the updates in response to the FDA’s warning are of great benefit, they also come five months after the short-selling firm, Muddy Waters, had issued a report that St. Jude’s medical devices could potentially be hacked. The report cited findings from cyber security firm, MedSec Holdings. St. Jude had stated that the claims were not true, and in turn, sued Muddy Waters, as well as the short seller. Carson Block, founder of Muddy Waters said in a statement that the announcement on Monday “vindicates” the research from the firm. He also stated, “It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities. Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”
Moving Forward With Medical Technology
Being that our society is more reliant than ever on cyber technology, it is important that we remain vigilant in regard to potential cyber threats. Especially in a realm like medical devices, where cybersecurity could potentially be the difference between life and death. While St. Jude’s haste in patching the flaws stated by the FDA warning is commendable, it is also concerning that the previous claims of vulnerabilities were not given the attention deserved.