News Feature | January 11, 2017

St. Jude Issues Cybersecurity Update For Merlin Monitoring System

By Jof Enriquez,
Follow me on Twitter @jofenriq

data security

St. Jude Medical has released a software patch to address cybersecurity vulnerabilities confirmed by the U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) affecting St. Jude's implantable cardiac devices and corresponding Merlin@home Transmitters.

The company said that the software update includes additional validation and verification between the Merlin@home device and Merlin.net, and complements "existing measures" to strengthen cybersecurity. The Merlin@home device transmits and receives radio frequency (RF) signals from St. Jude's cardiac implants to the Merlin.net network via landline, cellular, or wireless connections. The system allows remote monitoring of patient and device data by healthcare providers.

“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cybersecurity expert Ann Barron DiCamillo, former director of U.S. CERT and adviser to St. Jude Medical’s Cyber Security Medical Advisory Board, in a news release. “Today’s announcement is another demonstration that St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate.”

St. Jude says patient safety is a priority for the company, and it will continue to work with FDA, DHS, and security researchers in implementing medical device cybersecurity updates, including additional ones planned for later this year. St. Jude adds that it already has made seven software updates in three years to the Merlin@home transmitter alone.

Formally acquired by Abbott this week, St. Jude says there have not been any cybersecurity incidents or attempts targeting any of its devices, whose vulnerabilities to cyberattacks were first alleged in August by investment firm Muddy Waters and information security company MedSec. Those allegations triggered a probe by government authorities, which have now confirmed the security risks and approved St. Jude's software patch to address them.

FDA confirmed via a safety communication that potential vulnerabilities "if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."

Also, FDA corroborates St. Jude's claims that "there have been no reports of patient harm related to these cybersecurity vulnerabilities."

An advisory from DHS states, "The identities of the endpoints for the communication channel between the Merlin@home transmitter and St. Jude Medical’s web site, Merlin.net, are not verified. This may allow a remote attacker to access or influence communications between the identified endpoints."

DHS adds that "An attacker with high skill would be able to exploit this vulnerability," although it clarifies that, so far, "No known public exploits specifically target this vulnerability".

Muddy Waters founder Carson Block said he felt the release of the software patch "effectively vindicates" the research produced by his firm and MedSec, reports Reuters. Both companies were slapped with a defamation lawsuit in September by St. Jude, who accused the two companies of orchestrating a "willful and malicious scheme to manipulate the securities markets for their own financial windfall."

MedSec CEO Justine Bone said in a blog post that they welcome St. Jude's effort in addressing the high-rated vulnerability as attested by DHS, but there remains a "multitude of severe vulnerabilities that remain unaddressed."

FDA says in the safety alert that, based on a review of St. Jude software patch and its assessment of the benefits and risks of using the Merlin@home Transmitter, it has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.

The agency is sharpening its focus on cybersecurity, as evolving threats against devices and patients are expected to emerge in the years to come. It finalized cybersecurity guidance on post-market medical devices last week.