Feature | EP Lab | August 29, 2016| Dave Fornell

Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity

SJM refutes Muddy Waters device security defect allegations and reinforces its commitment to patient safety


St. Jude Medical said recent claims of the cyber attack vulnerability of its Merlin@home remote monitoring system and its implantable EP devices are not true.

August 29, 2016 — Investment research firm Muddy Waters Capital released a report Aug. 25 saying it believes St. Jude Medical (SJM) will lose up to half of its revenue because of what it calls issues with its electrophysiology (EP) devices, including pacemakers, implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy (CRT) devices. The research firm said these SJM devices, which make up nearly 46 percent of SJM’s revenue, pose a public health risk and might be recalled or need remediation, in part because of the cyber attack vulnerability of the device technology. SJM responded Aug. 29, calling the report false and misleading.

(Updated information on this story -- In April 2017, the FDA issued a warning letter to Abbott / St. Jude Medical related to the company’s mismanagement of a recall of the EP devices included in this story and its failure to fully address the cybersecurity issues outlined in the Muddy Waters report. Read the article “FDA Harshly Criticizes Abbott, St. Jude For Failure to Address EP Device Safety.”)

“SJM’s pacemakers, ICDs and CRTs might – and in our view, should – be recalled and remediated,” the Muddy Waters report stated. “Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients. We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices.”

The firm reported a “crash” attack that causes cardiac devices to malfunction – including by apparently pacing at a potentially dangerous rate. It said a second demonstrated attack was a battery drain attack that could be particularly harmful to device-dependent users. The report claims SJM cardiac devices can be attacked within a roughly 50-foot radius. It also theorizes that attacks could be executed on a large scale against patients through the thousands of remote Merlin home monitoring devices STJ has distributed.

Read SJM’s response to the report in the article “St. Jude Brings Legal Action Against Market Research Firm for Report Bashing its EP Device Cybersecurity.”

“We have examined the allegations made by Capital and MedSec on Aug. 25, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading,” SJM said in its Aug. 29 statement. “Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”

SJM said remote monitoring is a safe and effective means for patients to communicate with their physician, and that leading publications have documented that remote monitoring saves lives. Similar remote monitoring technologies are also offered by SJM’s competitors Biotronik, Boston Scientific, Medtronic and the Sorin Group. The company said it works with third-party cybersecurity experts, researchers, government agencies and regulators to develop appropriate safeguards for its data and devices as part of its product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches. SJM also said it conducts regular risk assessments based on U.S. Food and Drug Administration (FDA) guidance and performs penetration tests using internal and external experts.

“Our system provides an automated remote upgrade process for all Merlin@home units that are in active use so that security enhancements are automatically deployed when they become available,” SJM said. “Merlin@home units that are not in active use and connected to the internet will also be upgraded when they return to use if a new update is available. Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes.”

 

Claims of Remote Battery Depletion are Misleading

The Muddy Waters report claimed that the battery could be depleted from a 50-foot range. SJM said this is not possible, since once the device is implanted in a patient, wireless communication has an approximate 7-foot range. “This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report,” SJM said. The company said the scenario described in the report would require hundreds of hours of continuous and sustained “pings” within this distance, meaning a patient would need to remain immobile for days on end and the hacker would need to stay within 7 feet of the patient. In the unlikely instance that this did occur, SJM said its implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold, to protect and notify patients.

 

Safeguards in Place to Mitigate Crash Attacks

SJM said its devices are designed to go into a life-sustaining “safe” mode if unexpected conditions are detected. In safe mode, the preprogrammed pacing and defibrillation functions of the implantable device revert to safe settings. In addition, some SJM devices are designed to disable further RF communications for a period of time, which may appear to the untrained eye as having rendered the device disabled, although it continues to function.

SJM explained its devices also have built-in measures to reduce the risk of unauthorized commands being issued to its implantable devices. In addition, the company said it has an ongoing focus on strengthening its security systems in the ever-changing cybersecurity environment. For example:

• Access controls help protect the Merlin@home operating system from unauthorized access
• The lack of built-in programming commands in Merlin@home helps ensure that therapy is delivered by the implanted device only at the direction of the physician
• Proprietary implantable medical device protocols protect communications with the implantable device
• Encryption of session authentication between the implantable medical device and Merlin@home further enhances device security
• The limited Medical Implant Communication Service (MICS) wireless range restricts accessibility of communications with the implantable device

 

Flawed Test Methodology on Updated Software

The report claimed that the system could be impaired, similar to a computer system “crash.” SJM pointed out that the report gives little detail on this simulation and includes many inconsistencies. The company said a screenshot in the report of the Merlin programmer shows a device that is functioning normally: the red items on the screen highlight the fact that no leads are connected to the device, and the device is pacing properly at the programmed 40 bpm. The screenshot shows expected behavior from the SecureSense algorithm when the device is pacing without any connected leads, SJM said.

 

SJM Says it is Vigilant

SJM reiterated that its software has been evaluated by several independent organizations and researchers, including Deloitte and Optiv. In addition, Merlin.net was Safe Harbor certified by St. Jude Internal Audit in 2013 and annually since then, which includes an annual audit of key security controls within the Merlin.net environment. Merlin.net has held ISO 27001 certification since 2009; the company said this includes an internal audit of security controls and an independent certification by a third party, BSI. In 2015, it successfully completed an upgrade to the ISO 27001:2013 certification.

“Muddy Waters also makes numerous unsubstantiated statements that are speculative with no evidence shown to prove the claims such as an ability to impersonate any SJM device, reverse engineering to create a pocket-size programmer, and a large-scale attack through the Merlin network,” SJM stated. “However, we are not aware of such threats and will remain vigilant to the ever-increasing sophistication of those seeking access to devices/data and address any issues based on additional detail provided.”

The vendor said the report is unnecessarily alarming patients.

The Muddy Waters report can be found at www.muddywatersresearch.com/research/stj/mw-is-short-stj/

For more information on SJM: sjm.com
