FDA Offers Advice for Hacking Risks With St Jude Cardiac Devices

Patrice Wendling

January 09, 2017

The US Food and Drug Administration (FDA) today issued a Safety Communication to reduce the risk of patient harm due to cybersecurity vulnerabilities associated with St Jude Medical's radio-frequency–enabled implantable cardiac devices and corresponding Merlin@home Transmitter[1].

After months of reviewing information, the FDA confirmed there are "vulnerabilities" that if exploited could allow an unauthorized user to "remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter."

The FDA said there have been no reports of patient harm related to the cybersecurity vulnerabilities but that, if hacked, the "transmitter could be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate shocks."

St Jude Medical also today released a cybersecurity software patch that will be automatically pushed to the Merlin@home Transmitter. "The update includes additional validation and verification between Merlin@home devices and Merlin.net," according to a St Jude Medical press release[2].

Patients and their caregivers only need to make sure the transmitter remains plugged in and connected to the Merlin.net network to receive the update, the FDA notes. The agency also recommends that physicians:

  • Continue to conduct in-office follow-up, per normal routine, for patients with cardiac devices monitored with the Merlin@home Transmitter.

  • Remind patients to keep their Merlin@home Transmitter connected to ensure receipt of necessary patches and updates.

  • Contact St Jude Medical's Merlin@home customer service at 877-My-Merlin or visit www.sjm.com/Merlin for additional information.

Patients are also advised to follow labeling instructions provided with the transmitter and to consult with their physician(s) for routine care and follow-up.

The recommendations come after months of speculation following claims in August 2016 by the San Francisco-based Muddy Waters Capital that St Jude's cardiac devices were susceptible to cyber attacks. St Jude's stock tumbled at the time, but the hacking claims did not stop last week's acquisition of St Jude, one of the world's largest device makers, by Chicago-based Abbott Laboratories.

"The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks," the FDA report states.

Muddy Waters was quick to respond to today's actions by the FDA and St Jude, writing in a statement, "This long-overdue acknowledgement, just days after completion of St Jude's sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St Jude would not have remediated the vulnerabilities. Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants."[3]
