FDA confirms St. Jude Medical heart devices can be hacked

FDA announces cybersecurity updates; company continues to lead the way in advancing cybersecurity protections in partnership with FDA and ICS-CERT.

January 11, 2017
Manufacturing Group

St. Paul, Minnesota – As part of its commitment to continuous improvement and the security of its electronic devices, officials from St. Jude Medical Inc. announced that the company will immediately deploy the latest release of cybersecurity updates for its Merlin remote monitoring system, which is used with implantable pacemakers and defibrillator devices. The improvements include security updates that complement the company’s existing measures and further reduce the extremely low cybersecurity risks.

All medical devices using remote monitoring are exposed to the risk of a potential cybersecurity attack. St. Jude Medical is not aware of any cybersecurity incidents related to a St. Jude Medical device, nor is it aware that any specific St. Jude Medical device or system in clinical use has been purposely targeted. In recognition of the changing cybersecurity landscape and the increased public attention on highly unlikely medical device cyber risks, we are informing the public about these ongoing actions so that patients can continue to be confident about the benefits of remote monitoring.

“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cybersecurity expert Ann Barron DiCamillo, former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board. “Today’s announcement is another demonstration that St. Jude Medical takes cybersecurity seriously and is continuously reassessing and updating its devices and systems, as appropriate.”

“We’ve partnered with agencies such as the U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.

As technology evolves, St. Jude Medical has made seven software updates in three years to the Merlin@home transmitter alone, and it will immediately release its latest software update to Merlin@home, with implementation beginning today. The update includes additional validation and verification between the Merlin@home device and Merlin.net. St. Jude Medical has collaborated with the FDA, DHS ICS-CERT and other regulators in implementing this update. The company also plans to implement additional updates in 2017.

As is always recommended, patients should make sure that their Merlin@home unit is plugged in and connected via landline or cellular adapter so they can receive these and any future automatic security updates. Physicians or patients with any questions should call the Merlin hotline at 877.MY.MERLIN (877.696.3754) or visit www.sjm.com/Merlin for more information.

“As medical technology advances, it’s increasingly important to understand how innovation and cybersecurity impact physicians and the patients we treat,” said Dr. Leslie Saxon, chair of St. Jude Medical’s Cyber Security Medical Advisory Board. “We are committed to working to proactively address cybersecurity risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function.”

“The safety and security of patients is always our primary focus. We’ll continue to work with agencies, security researchers, physicians, and others in the industry in a coordinated way to develop best practices and standards that further enhance the security of devices across the medical industry,” said Ebeling.

As of Jan. 4, 2017, St. Jude Medical is a part of Abbott.

Source: SJM
