St. Jude Medical to Release Update Fixing Hacking Vulnerability

This week St. Jude Medical said it has started deploying updates to its Merlin.net Patient Care Network. The security updates followed reports in the latter part of 2016 that the Merlin@home transmitter, which is used to monitor specific St. Jude Medical implanted devices, could be hacked and potentially used to kill the patient.

The implants involved include pacemakers (Endurity and Assurity) and implantable defibrillators (Fortify Assura and Ellipse).

Reports of the vulnerability prompted the U.S. Food and Drug Administration to investigate and issue a warning about potential hazards until the company can resolve the problem.

Although these implants are radio-frequency enabled, they do not connect directly to the internet through Wi-Fi.

Rather, they can be accessed via the Merlin@home monitor as well as medical diagnostic equipment. The underlying problem is that the device does connect to the internet.

The FDA's investigation confirmed that hackers could remotely access Merlin@home transmitters, alter the device and eventually gain full control.

Once that is accomplished, the hacker could use the transmitter to reprogram the patient's implant, leading to faster battery depletion, incorrect pacing or unnecessary shocks, depending on the implant.

Earlier this week, the FDA released a statement saying that a number of medical devices, including St. Jude Medical's implantable cardiac devices, contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits.

St. Jude Medical announced that it is not aware of any cybersecurity incidents related to its devices anywhere in the U.S. It is also not aware of any St. Jude Medical device or system used in clinics having been specifically targeted.

While it is very unlikely that hackers would intentionally go after a St. Jude device, the company has announced the current update publicly so patients can be assured that their implants remain safe from outside modification.

Patients who rely on the Merlin@home service must make sure their transmitter is plugged in, powered on and connected to a cellular service or landline so it can receive the latest update.

According to the company, the update includes additional verification and validation features for communication between the transmitter and the online service.

The Merlin@home transmitter collects information from the patient's implant and sends that data to caregivers through the Merlin.net online network.