Feature | EP Lab | August 29, 2016| Dave Fornell

Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity

SJM refutes Muddy Waters device security defect allegations and reinforces its commitment to patient safety

Cybersecurity concerns were raised over the St. Jude Medical (SJM) Merlin@home EP device home monitoring system

St. Jude Medical said recent claims of the cyber attack vulnerability of its Merlin@home remote monitoring system and its implantable EP devices are not true.

August 29, 2016 — Investment research firm Muddy Waters Capital released a report Aug. 25 saying it believes St. Jude Medical (SJM) will lose up to half of its revenue due to what it calls issues with its electrophysiology (EP) devices, including pacemakers, implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy (CRT) devices. The research firm said these SJM devices, making up nearly 46 percent of SJM’s revenue, pose a public health risk and might be recalled or need remediation, including for the cybersecurity vulnerability of the device technology. SJM responded Aug. 29, calling the report false and misleading.

(Updated information on this story -- In April 2017, the FDA issued a warning letter to Abbott / St. Jude Medical related to the company’s mismanagement of a recall of the EP devices included in this story, and for not fully addressing the cybersecurity issues outlined in the Muddy Waters report. Read the article “FDA Harshly Criticizes Abbott, St. Jude For Failure to Address EP Device Safety.”)

“SJM’s pacemakers, ICDs and CRTs might – and in our view, should – be recalled and remediated,” the Muddy Waters report stated. “Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients. We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices.”

The firm reported a “crash” attack that causes cardiac devices to malfunction – including by apparently pacing at a potentially dangerous rate. It claimed a second reported incident was a battery drain attack that could be particularly harmful to device-dependent users. The report claims SJM cardiac devices can be attacked within a roughly 50-foot radius. It also theorizes that attacks can be executed on a large scale against patients using the thousands of remote Merlin home monitoring devices STJ has distributed.

Read SJM’s response to the report in the article “St. Jude Brings Legal Action Against Market Research Firm for Report Bashing its EP Device Cybersecurity.”

“We have examined the allegations made by Capital and MedSec on Aug. 25, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading,” SJM said in its Aug. 29 statement. “Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”

SJM said remote monitoring is a safe and effective means for patients to communicate with their physician, and that it has been well documented in leading publications that remote monitoring saves lives. Similar remote monitoring technologies also are offered by SJM’s competitors Biotronik, Boston Scientific, Medtronic and the Sorin Group. The company said it works with third-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for its data and devices as part of its product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for products. SJM also said it conducts regular risk assessments based on U.S. Food and Drug Administration (FDA) guidance and performs penetration tests using internal and external experts.

“Our system provides an automated remote upgrade process for all Merlin@home units that are in active use so that security enhancements are automatically deployed when they become available,” SJM said. “Merlin@home units that are not in active use and connected to the internet will also be upgraded when they return to use if a new update is available. Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes.”

Claims of Remote Battery Depletion are Misleading

The Muddy Waters report claimed that the battery could be depleted at a 50-foot range. SJM said this is not possible since once the device is implanted into a patient, wireless communication has an approximate 7-foot range. “This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report,” SJM said. The company said the scenario described in the report would require hundreds of hours of continuous and sustained “pings” within this distance, meaning a patient would need to remain immobile for days on end and the hacker would need to stay within 7 feet of the patient. In the unlikely instance that this was to occur, SJM said its implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients.

Safeguards in Place to Mitigate Crash Attacks

SJM said its devices are designed to go into a life-sustaining “safe” mode, as a safeguard, if unexpected conditions are detected. These safeguards will put the device into safe mode where the preprogrammed pacing and defibrillation functions of the implantable medical devices revert to safe settings. In addition, some SJM devices are designed to disable further RF communications for a period of time, which may appear to the untrained eye as having rendered the device disabled, although it continues to function.

SJM explained its devices also have built-in measures to reduce the risk of unauthorized commands being issued to its implantable devices. In addition, the company said it has an ongoing focus on continually strengthening its security systems in the ever-changing cybersecurity environment. For example:

• Access controls help protect the Merlin@home™ operating system from unauthorized access
• The lack of built-in programming commands in Merlin@home helps ensure that therapy is provided through the implanted device only at the direction of the physician
• Proprietary implantable medical device protocols protect communications with the implantable device
• Encryption of session authentication between the implantable medical device and Merlin@home further enhances device security
• The limited Medical Implant Communication Service (MICS) wireless range restricts accessibility of communications with the implantable device

Flawed Test Methodology on Updated Software

The report claimed that the system could be impaired, similar to when a computer system “crashes.” SJM points out the report has little detail on this simulation and includes many inconsistencies. The company said a screenshot in the report of the Merlin programmer shows a device that is functioning normally. The red items on the screen highlight the fact that there are no leads connected to the device. The device is pacing properly, at the programmed 40 bpm. The screenshot shows expected behavior from the SecureSense algorithm when the device is pacing without any connected leads, SJM said.

SJM Says it is Vigilant

SJM reiterated that its software has been evaluated by several independent organizations and researchers, including Deloitte and Optiv. In addition, Merlin.net was Safe Harbor certified by St. Jude Internal Audit in 2013 and annually since then, which includes an annual audit of key security controls within the Merlin.net environment. Merlin.net has also held ISO 27001 certification since 2009; the company said this involves an internal audit of security controls and an independent certification by a third party, BSI. In 2015, it successfully completed an upgrade to the ISO 27001:2013 certification.

“Muddy Waters also makes numerous unsubstantiated statements that are speculative with no evidence shown to prove the claims such as an ability to impersonate any SJM device, reverse engineering to create a pocket-size programmer, and a large-scale attack through the Merlin network,” SJM stated. “However, we are not aware of such threats and will remain vigilant to the ever-increasing sophistication of those seeking access to devices/data and address any issues based on additional detail provided.”

The vendor said the report is unnecessarily alarming patients.

The Muddy Waters report can be found at www.muddywatersresearch.com/research/stj/mw-is-short-stj/

For more information: sjm.com
