2 Agencies Issue Alerts on St. Jude Medical Cardiac DevicesProducts Were Highlighted in Controversial 2016 Cybersecurity Report by Investment Firm
The Food and Drug Administration and the Department of Homeland Security have issued alerts about cyber vulnerabilities in certain cardiac devices made by St. Jude Medical. The company, recently acquired by Abbott Laboratories, has issued software updates to address the problems.
An FDA spokeswoman says the devices at the center of the FDA alert are the same St. Jude cardiac products that were spotlighted as having cyber vulnerabilities in a controversial report issued last year by investment firm Muddy Waters Capital and start-up research firm MedSec Holdings (see Report on Cardiac Device Cyber Vulnerabilities Fuels Debate).
A related alert, DHS' Industrial Control Systems Cyber Emergency Response Team, notes: "MedSec Holdings has identified a channel accessible by non-endpoint [or] 'man-in-the-middle' vulnerability in St. Jude Medical's Merlin@home transmitter. St. Jude Medical has validated the vulnerability and produced a new software version that mitigates this vulnerability. A third-party security research firm has verified that the new software version mitigates the identified vulnerability. This vulnerability could be exploited remotely. An attacker with high skill would be able to exploit this vulnerability."
Source of Controversy
While the Muddy Waters report highlighted potentially important cybersecurity issues concerning the St. Jude medical devices, the manner in which the research was released - by an investment company - and its financial arrangement with "ethical hacker" MedSec, which found the vulnerabilities, was unprecedented.
Typically, when independent researchers discover cybersecurity vulnerabilities in medical devices, they notify federal agencies, including the FDA or the Department of Homeland Security, as well as the affected manufacturers before disclosing the flaws.
But that's not what happened in the Muddy Waters/MedSec disclosure about cyber flaws found in the St. Jude cardiac devices, FDA confirms in a Jan. 9 statement provided to Information Security Media Group.
"When it comes to cybersecurity, the FDA's primary focus must be protecting patients. Disclosing information about potential vulnerabilities before they have been properly assessed by the device manufacturer and/or the agency has the potential to provide misinformation to the public or may put patients at a greater risk by providing information that could lead to the exploitation of the vulnerability by individuals seeking to do harm before it can be fixed," the FDA states.
The way in which cybersecurity vulnerabilities within St. Jude Medical's devices were publicly disclosed by Muddy Waters and MedSec "highlights why the FDA has been consistently encouraging the importance of having an established process for coordinated vulnerability disclosure among manufacturers, patients, healthcare providers and other stakeholders that puts patient safety at the forefront," the FDA says in its statement. "These policies provide guidelines for how manufacturers should disclose potential vulnerabilities in their devices, including how to receive information about potential vulnerabilities and how to disseminate information to users about remediation of the vulnerability."
Denis Foo Kune, co-founder of healthcare cybersecurity company Virta Lab, notes: "Safety analysis that meets FDA rigor is hard to get right. That's why we recommend that even the best security experts first consult with FDA before speculating on safety claims."
The Aug. 25, 2016, report by Muddy Waters and MedSec prompted St. Jude Medical last year to file a lawsuit in federal court against the companies alleging defamation by implication, deceptive trade practices, violations of certain federal and Minnesota state statutes and civil conspiracy.
Muddy Waters CEO Carson Block, in a statement provided to ISMG, says: "After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters. This long-overdue acknowledgement, just days after completion of St. Jude's sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities. Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants."
St. Jude Medical did not immediately respond to an ISMG request for comment.
FDA Describes Device Vulnerabilities
In the FDA's alert, the agency notes: "Many medical devices - including St. Jude Medical's implantable cardiac devices - contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits."
As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates, the agency says.
"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, for example, someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home transmitter. The altered Merlin@home transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."
The FDA stresses that there have been no reports of patient harm related to these cybersecurity vulnerabilities.
St. Jude Medical has developed and validated a software patch for the Merlin@home transmitter that addresses and reduces the risk of specific cybersecurity vulnerabilities.
The patch, which was available beginning Jan. 9, will be applied automatically to the transmitter. Patients and patient caregivers only need to make sure their transmitter remains plugged in and connected to the Merlin.net network to receive the patch, the FDA says.
St. Jude Medical says the company is "not aware of any cybersecurity incidents related to a St. Jude Medical device, nor is it aware that any specific St. Jude Medical device or system in clinical use has been purposely targeted. In recognition of the changing cybersecurity landscape and the increased public attention on highly unlikely medical device cyber risks, we are informing the public about these ongoing actions so that patients can continue to be confident about the benefits of remote monitoring."
How the Devices Work
The FDA notes that St. Jude Medical implantable cardiac devices, including pacemakers, defibrillators and resynchronization devices, provide pacing for slow heart rhythms and electrical shock or pacing to stop dangerously fast heart rhythms. "These cardiac devices are implanted under the skin in the upper chest area with connecting insulated wires called 'leads' that go into the heart."
The St. Jude Medical Merlin@home transmitter uses a home monitor that transmits and receives RF signals used to wirelessly connect to the patient's implanted cardiac device and read the data stored on the device, FDA notes. The transmitter, located in the patient's home, sends the patient's data to a physician via the Merlin.net Patient Care Network using a continuous landline, cellular or wireless internet connection, the FDA notes.
The FDA issued these recommendations to healthcare providers and patients using the Merlin products:
- Healthcare providers should continue to conduct in-office follow-up, per normal routine, with patients who have an implantable cardiac device that is monitored using the Merlin@home transmitter;
- Healthcare providers should remind patients to keep their Merlin@home transmitter connected as this will ensure that patients' devices receive the necessary patches and updates;
- Patients should keep their monitors connected as directed to ensure monitor receives necessary updates and patches;
- Patients should keep in mind that although all connected medical devices, including the Merlin products, carry certain risks, the FDA has determined that the benefits to patients from continued use of the devices outweigh the risks.
The FDA alert about St. Jude's cardiac products is the third cyber-related warning from the agency about medical devices.
In 2015, the FDA issued a warning related to two infusion pump systems manufactured by Hospira. And in 2013, the FDA issued a more general safety communication regarding malware on hospital networks and the presence of hard-coded passwords in many different types of medical devices.