Federal regulators told pacemaker patients with certain implantable cardiac devices on Monday to follow instructions needed to fix cybersecurity vulnerabilities found in products made by St. Jude Medical.
The St. Paul, Minn.-based company on Monday issued security updates for its Merlin remote monitoring system, designed to fix flaws identified in a safety warning put out this week by the U.S. Food and Drug Administration.
Certain pacemakers, defibrillators and other products manufactured by St. Jude Medical were “vulnerable to cybersecurity intrusions and exploits,” including bugs that made vital cardiac implants prone to hacking, the FDA said.
The affected devices all use radio frequency signals to transmit and receive personalized data between the inside of a patient’s body and a nearby monitoring station. Regulators determined, however, that by hijacking those transmissions hackers could remotely execute malicious commands that affect the device’s ability to operate.
Despite being unaware of these vulnerabilities ever being exploited to cause harm, the FDA said hackers could have harnessed the flaws to rapidly deplete the battery of a patient’s pacemaker — a potentially lethal cyberattack if executed properly.
St. Jude said in a statement that all medical devices using remote monitoring are exposed to the risk of a potential cyberattack, but that patients can patch affected products against the bug by installing newly released security updates.
“The safety and security of patients is always our primary focus. We’ll continue to work with agencies, security researchers, physicians and others in the industry in a coordinated way to develop best practices and standards that further enhance the security of devices across the medical industry,” said Phil Ebeling, vice president and chief technology officer at St. Jude.
The updates issued Monday in conjunction with the FDA’s alert came five months after Muddy Waters, a short-selling firm, issued a report that said St. Jude’s devices could be hacked with “potentially catastrophic attacks.” Citing the findings of cybersecurity firm MedSec Holdings, Muddy Waters said in August it expected St. Jude would be forced to recall several products and lose upwards of half its revenue in two years’ time due to the flaws.
St. Jude downplayed those findings, and subsequently sued the short-seller and security firm the following month. A pretrial conference hearing is currently scheduled for later this month in U.S. District Court for the District of Minnesota.
Nonetheless, Muddy Waters founder Carson Block said in a statement he believes the update “effectively vindicates” the allegations.
“It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities,” Mr. Block said. “Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”