Feature | EP Lab | January 09, 2017 | Dave Fornell

FDA Confirms Cybersecurity Vulnerabilities of St. Jude’s Implantable Cardiac Devices, Merlin Transmitter

The FDA confirmed the cybersecurity vulnerabilities of St. Jude ICDs, pacemakers, implantable cardioverter defibrillators, CRT and other EP devices with wireless connections.

January 9, 2017 — The U.S. Food and Drug Administration (FDA) issued a safety communication today concerning patient safety issues due to cybersecurity vulnerabilities found in St. Jude Medical's radio frequency (RF)-enabled implantable cardiac devices and Merlin@home Transmitter. The FDA said it has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.

The FDA said there have been no reports of patient harm related to these cybersecurity vulnerabilities. St. Jude Medical said it is not aware of any cyber security incidents related to a St. Jude Medical device, nor is it aware that any specific St. Jude Medical device or system in clinical use has been purposely targeted. 

St. Jude Medical said it is now deploying the latest release of cyber security updates for its Merlin remote monitoring system that is used with implantable pacemakers and defibrillator devices. The improvements include security updates that complement the company’s existing measures and further reduce the extremely low cyber security risks. The company developed and validated a software patch for the Merlin@home Transmitter that addresses and reduces the risk of specific cybersecurity vulnerabilities. The patch, which will be available beginning Jan. 9, 2017, will be applied automatically to the Merlin@home Transmitter. Patients and patient caregivers only need to make sure their Merlin@home Transmitter remains plugged in and connected to the Merlin.net network to receive the patch. The FDA has reviewed St. Jude Medical's software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm. The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.

“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cybersecurity expert Ann Barron DiCamillo, former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board. “Today’s announcement is another demonstration that St. Jude Medical takes cybersecurity seriously and is continuously reassessing and updating its devices and systems, as appropriate.”

“We’ve partnered with agencies such as the U.S. Food and Drug Administration and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.

The FDA said it will continue to assess new information concerning the cybersecurity of St. Jude Medical's implantable cardiac devices and the Merlin@home Transmitter, and will keep the public informed if the FDA's recommendations change. The FDA reminds patients, patient caregivers and healthcare providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. The increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery. The FDA will continue its work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle. The FDA takes reports of vulnerabilities in medical devices very seriously and has issued recommendations to manufacturers for continued monitoring, reporting and remediation of medical device cybersecurity vulnerabilities.

The issue of St. Jude electrophysiology device cyber vulnerabilities was raised in 2016 by a medical device market research firm that published a report alleging these vulnerabilities existed specifically in St. Jude Medical's implantable electrophysiology (EP) devices. Read the article "Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity." St. Jude filed a lawsuit against the firm and said in statements the concerns the report raised were not valid or accurate. However, the FDA safety communication seems to contradict the company's defensive reaction and lend some validity to the market report.

“As medical technology advances, it’s increasingly important to understand how innovation and cybersecurity impact physicians and the patients we treat,” said Leslie Saxon, M.D., chair of St. Jude Medical’s Cyber Security Medical Advisory Board. “We are committed to working to proactively address cybersecurity risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function.”

St. Jude Medical was acquired by Abbott as of Jan. 4, 2017.

 

FDA Wants to Expand Review of Cybersecurity Issues With Medical Devices
The FDA warns that cybersecurity breaches are not limited to St. Jude devices. There are several other wireless systems that interface with implantable EP devices from Medtronic, Boston Scientific and Biotronik. The FDA said as wearable and implantable patient monitoring or therapy devices become more sophisticated with advanced wireless connectivity to extract patient information and change the device functionality, there are growing concerns these technologies will be targets of hackers. The U.S. Food and Drug Administration (FDA) believes this poses a threat to patient safety. The agency announced in December the availability of the guidance document entitled "Postmarket Management of Cybersecurity in Medical Devices."

The FDA issued this guidance to inform industry and FDA staff of the agency's recommendations for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The guidance clarifies FDA's postmarket recommendations with regards to addressing cybersecurity vulnerabilities and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the postmarket management of their medical devices.

Read the article “FDA Seeks Management of Cybersecurity in Medical Devices.”
 

Recommendations for HealthCare Providers
Continue to conduct in-office follow-up, per normal routine, with patients who have an implantable cardiac device that is monitored using the Merlin@home Transmitter.

Remind patients to keep their Merlin@home Transmitter connected as this will ensure that patients' devices receive the necessary patches and updates.

Contact St. Jude Medical's Merlin@home customer service at 1-877-My-Merlin, or visit www.sjm.com/Merlin for answers to questions and additional information regarding St. Jude Medical's implantable cardiac devices, or the Merlin@home Transmitter.

Recommendations for Patients and Caregivers
The FDA says to follow the labeling instructions provided with the Merlin@home Transmitter. Patients should keep the monitor connected as directed so the monitor receives necessary updates and patches. Keep in mind that although all connected medical devices, including this one, carry certain risks, the FDA has determined that the benefits to patients from continued use of the device outweigh any risks.

Patients should consult with their physician(s) for routine care and follow-up. Your ongoing medical management should be individualized based on your medical history and clinical condition.

Patients should seek immediate medical attention if symptoms of lightheadedness, dizziness, loss of consciousness, chest pain, or severe shortness of breath occur.

Healthcare professionals and patients are encouraged to report adverse events or side effects related to the use of these products to the FDA's MedWatch Safety Information and Adverse Event Reporting Program at www.fda.gov/MedWatch/report

For more information: www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm535979.htm

 

Related Healthcare Cybersecurity Content:

Raising the Bar for Medical Device Cyber Security

FDA Seeks Management of Cybersecurity in Medical Devices

Healthcare Industry Lacking in Basic Cybersecurity Awareness Among Staff

Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity

FDA Harshly Criticizes Abbott, St. Jude For Failure to Address EP Device Safety

Healthcare 2015 Data Breaches - Why the Cloud Is Not Responsible

HIMSS: Two-Thirds of Healthcare Organizations Experienced a Recent, Significant Security Incident

How You Should – and Should Not – Be Sharing Medical Information With Patients

How Can Doctors Practice Better Security?

U.S. Department of Health and Human Services, Office for Civil Rights, Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
