St. Jude Medical releases security patches for vulnerable cardiac devices

It appears that hearts can be hacked, after all.
Written by Charlie Osborne, Contributing Writer

Reports that St. Jude Medical devices contained severe security flaws, which led to a complicated legal battle between the healthcare equipment provider and MedSec, have been vindicated: the FDA has backed the security firm's findings, and St. Jude has finally released a patch to fix the flaws.

On Monday, St. Jude Medical announced a set of cybersecurity updates for the Merlin remote monitoring system, which is used with implantable pacemakers and defibrillator devices.

Despite denying that security flaws existed in the past, the medical equipment supplier said the updates would "complement the company's existing measures and further reduce the extremely low cyber security risks."

"All medical devices using remote monitoring are exposed to the risk of a potential cyber security attack," the company admitted.

On the same day, the US Food and Drug Administration (FDA) issued a statement affirming that a variety of St. Jude Medical devices which are radio-frequency (RF)-enabled and use Merlin@home Transmitters are vulnerable to cyberattack.

The transmitters record and receive RF traffic from the embedded medical devices before sending this information to physicians through the Merlin.net Patient Care Network. The US agency has investigated a set of security flaws found within this setup by MedSec and has come to the conclusion that the bugs could allow cyberattackers to remotely access implanted cardiac devices by compromising the transmitter.

Once inside, attackers could modify the programming of these devices, causing battery depletion or tampering with the configured heart pacing or shocks. Thankfully, however, there have been no reports of patients being hurt because of these vulnerabilities.

"The FDA has reviewed St. Jude Medical's software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm," the agency said.

"The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks."

The battle for St. Jude Medical to admit there were security holes which needed to be plugged has been a long one. Cybersecurity firm MedSec and private equity firm Muddy Waters released a paper last August which described how St. Jude Medical pacemakers and defibrillators were vulnerable to attack, but the news did not go down well with either St. Jude or investors.

After the research -- which noted successful attacks could result in patient lives being placed at risk -- went public, St. Jude Medical share prices plummeted. In retaliation, the firm rapidly "set the record straight" by denying the report's claims, launching a court case against the companies and citing research from the University of Michigan which replicated the research and could not find security problems with the devices.

(Despite this, independent security firm Bishop Fox provided testimony saying that the devices "did not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients.")

St. Jude Medical's lawsuit against MedSec and Muddy Waters, which is ongoing, complains that the report is little more than scaremongering and the firms used "false and misleading tactics" to force share price drops in a scheme for financial gain.

The short-selling scheme, according to St. Jude Medical, involved Muddy Waters shorting the firm's stock at the time the report was released and estimating that share prices would be affected for "at least" two years. MedSec was hired at the same time as a consultant, paid a fee plus a cut of the investment.

Whether financial gain or the promotion of patient safety was truly at the heart of the situation, Muddy Waters and MedSec are not best pleased with St. Jude Medical's patch, which is now automatically applied to device transmitters once they are plugged in and turned on.

In a statement, the company said:

"After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters.

This long-overdue acknowledgement, just days after completion of St. Jude's sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities.

Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants."

The FDA said that the agency will continue to assess any new information around the St. Jude Medical device security investigation and alter its recommendations if any game-changing information comes to light.
