St. Jude Medical on Monday released a set of cybersecurity updates for the Merlin remote monitoring system, which is used with implantable pacemakers and defibrillator devices. The release follows the company's initial denials that any security flaws existed, and a legal battle between the company and MedSec.
In September 2016, St. Jude Medical Inc sued short-selling firm Muddy Waters and cybersecurity company MedSec Holdings Ltd, saying they intentionally disseminated false information about its heart devices to manipulate its stock.
This security update comes five months after the U.S. government launched a probe into claims the devices were vulnerable to potentially life-threatening hacks. “The improvements include security updates that complement the company’s existing measures and further reduce the extremely low cyber security risks,” said St. Jude in the statement announcing the updates. “All medical devices using remote monitoring are exposed to the risk of a potential cyber security attack,” the company added.
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the U.S. Food and Drug Administration (FDA) also released statements on Monday addressing the same issue.
In its statement, the FDA said:
“Many medical devices—including St. Jude Medical’s implantable cardiac devices—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.”
According to the agency, it has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.
According to the FDA, it has reviewed St. Jude Medical’s software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm. The FDA said it conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.
In its statement, ICS-CERT said MedSec Holdings identified a “channel accessible by non-endpoint” (man-in-the-middle) vulnerability in St. Jude Medical’s Merlin@home transmitter. St. Jude Medical has validated the vulnerability and produced a new software version that mitigates it. A third-party security research firm has verified that the new software version mitigates the identified vulnerability.
This vulnerability could be exploited remotely. An attacker with high skill would be able to exploit this vulnerability. Successful exploitation of this vulnerability may allow a remote attacker to access or influence communications between Merlin.net and transmitter endpoints.
ICS-CERT recommends that patients and healthcare providers evaluate the impact of this vulnerability based on their specific usage after reviewing the information referenced in its advisory, and that they contact the vendor for assistance with any questions or concerns related to this vulnerability.
“We’ve partnered with agencies such as the U.S. Food and Drug Administration and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team unit and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.