The Food and Drug Administration (FDA) issued an alert on Monday warning that patients with a radio frequency (RF)-enabled St. Jude Medical implantable cardiac device, as well as a complementary Merlin@home Transmitter, is at risk due to hacking.
The pacemakers and other implantable cardiac devices themselves are not vulnerable, the FDA explained. Rather, the vulnerability lies in the home monitors, the Merlin@home Transmitters made by St. Jude Medical. These transmitters send data – via a wireless RF signal – from the patients’ devices to a cloud server on the Merlin.net Patient Care Network, where medical personnel can access the information.
The FDA claimed that the Merlin monitors might be hacked by malicious intruders to send signals that might disrupt the devices’ intended operations, putting patients at risk.
Following a cyberintrusion, the FDA wrote, “The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”
Fortunately, the FDA added, there have been no instances of patient harm owing to such a hack. St. Jude Medical has upgraded the Merlin@home Transmitter with a software patch to address the flaw, and is rolling out the upgrade automatically beginning Jan. 9.
The devices received attention beginning last August after a cybersecurity firm, MedSec, partnered with a venture capital firm, Muddy Waters, to publicize the devices’ susceptibility to hacking.
As St. Jude’s was at the time in the midst of an acquisition by Abbott, stock trading and lawsuits ensued. Abbott’s acquisition of St. Jude Medical was completed earlier this month.
“After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters,” Carson Block, CEO at Muddy Waters Capital, told SC Media on Monday in an emailed statement.
Block added that her company’s disclosure instigated the review of the product and ultimately the upgrade.