January 9, 2017 — The U.S. Food and Drug Administration (FDA) issued a safety communication today concerning patient safety issues due to cybersecurity vulnerabilities found in St. Jude Medical's radio frequency (RF)-enabled implantable cardiac devices and Merlin@home Transmitter. The FDA said it has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.
The FDA said there have been no reports of patient harm related to these cybersecurity vulnerabilities. St. Jude Medical said it is not aware of any cyber security incidents related to a St. Jude Medical device, nor is it aware that any specific St. Jude Medical device or system in clinical use has been purposely targeted.
St. Jude Medical said it is now deploying the latest release of cyber security updates for its Merlin remote monitoring system that is used with implantable pacemakers and defibrillator devices. The improvements include security updates that complement the company’s existing measures and further reduce the extremely low cyber security risks. The company developed and validated a software patch for the Merlin@home Transmitter that addresses and reduces the risk of specific cybersecurity vulnerabilities. The patch, which will be available beginning Jan. 9, 2017, will be applied automatically to the Merlin@home Transmitter. Patients and patient caregivers only need to make sure their Merlin@home Transmitter remains plugged in and connected to the Merlin.net network to receive the patch. The FDA has reviewed St. Jude Medical's software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm. The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.
“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cybersecurity expert Ann Barron DiCamillo, former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board. “Today’s announcement is another demonstration that St. Jude Medical takes cybersecurity seriously and is continuously reassessing and updating its devices and systems, as appropriate.”
“We’ve partnered with agencies such as the U.S. Food and Drug Administration and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.
The FDA said will continue to assess new information concerning the cybersecurity of St. Jude Medical's implantable cardiac devices and the Merlin@home Transmitter, and will keep the public informed if the FDA's recommendations change. The FDA reminds patients, patient caregivers and healthcare providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. The increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery.The FDA will continue its work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle. The FDA takes reports of vulnerabilities in medical devices very seriously and has issued recommendations to manufacturers for continued monitoring, reporting and remediation of medical device cybersecurity vulnerabilities.
The issue of St. Jude electrophysiology device cyber vulnerabilities was raised in 2016 by a medical device market research firm that published a report alleging these vulnerabilities existed specifically in St. Jude Medical's implantable electrophysiology (EP) devices. Read the article "Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity." St. Jude filed a lawsuit against the firm and said in statements the concerns the report raised were not valid or accurate. However, the FDA safety communication seems to contradict the company's defensive reaction and lend some validity to the market report.
“As medical technology advances, it’s increasingly important to understand how innovation and cybersecurity impact physicians and the patients we treat,” said Leslie Saxon, M.D., chair of St. Jude Medical’s Cyber Security Medical Advisory Board. “We are committed to working to proactively address cybersecurity risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function.”
St. Jude Medical was acquired by Abbott as of Jan. 4, 2017.
FDA Wants to Expand Review of Cybersecurity Issues With Medical Devices
The FDA warns that cybersecurity breaches are not limited to St. Jude devices. There are several other wireless systems that interface with implantable EP devices from Medtronic, Boston Scientific and Biotronik. The FDA said as wearable and implantable patient monitoring or therapy devices become more sophisticated with advanced wireless connectivity to extract patient information and change the device functionality, there are growing concerns these technologies will be be targets of hackers. The U.S. Food and Drug Administration (FDA) believes this poses a threat to patient safety. The agency announced in December the availability of the guidance document entitled "Postmarket Management of Cybersecurity in Medical Devices."
The FDA issued this guidance to inform industry and FDA staff of the agency's recommendations for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The guidance clarifies FDA's postmarket recommendations with regards to addressing cybersecurity vulnerabilities and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the postmarket management of their medical devices.
Read the article “FDA Seeks Management of Cybersecurity in Medical Devices.”
Recommendations for HealthCare Providers
Continue to conduct in-office follow-up, per normal routine, with patients who have an implantable cardiac device that is monitored using the Merlin@home Transmitter.
Remind patients to keep their Merlin@home Transmitter connected as this will ensure that patients' devices receive the necessary patches and updates.
Contact St. Jude Medical's Merlin@home customer service at 1-877-My-Merlin, or visit www.sjm.com/Merlindisclaimer icon for answers to questions and additional information regarding St. Jude Medical's implantable cardiac devices, or the Merlin@home Transmitter.
Recommendations for Patients and Caregivers
The FDA says to follow the labeling instructions provided with the Merlin@home Transmitter. Patients should peeping monitor connected as directed so the monitor receives necessary updates and patches. Keep in mind that although all connected medical devices, including this one, carry certain risks, the FDA has determined that the benefits to patients from continued use of the device outweigh any risks.
Patients should consult with their physician(s) for routine care and follow-up. Your ongoing medical management should be individualized based on your medical history and clinical condition.
Patients should seek immediate medical attention if symptoms of lightheadedness, dizziness, loss of consciousness, chest pain, or severe shortness of breath occur.
Healthcare professionals and patients are encouraged to report adverse events or side effects related to the use of these products to the FDA's MedWatch Safety Information and Adverse Event Reporting Program at www.fda.gov/MedWatch/report
For more information: www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm535979.htm
Related Healthcare Cybersecurity Content:
Raising the Bar for Medical Device Cyber Security
FDA Seeks Management of Cybersecurity in Medical Devices
Healthcare Industry Lacking in Basic Cybersecurity Awareness Among Staff
Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity
FDA Harshly Criticizes Abbott, St. Jude For Failure to Address EP Device Safety
Healthcare 2015 Data Breaches - Why the Cloud Is Not Responsible
HIMSS: Two-Thirds of Healthcare Organizations Experienced a Recent, Significant Security Incident
How You Should – and Should Not – Be Sharing Medical Information With Patients
May 22, 2023 
