St. Jude Medical said recent claims of the cyber attack vulnerability of its Merlin@home remote monitoring system and its implantable EP devices are not true.
August 29, 2016 — Investment research firm Muddy Waters Capital released a report Aug. 25 saying it believes St. Jude Medical (SJM) will lose up to half of its revenue due to what it calls issues with its electrophysiology (EP) devices, including pacemakers, implantable cardioverter defibrillators (IDCs) and cardiac resynchonization therapy (CRT) devices. The research firm said these SJM devices, making up nearly 46 percent of SJM’s revenue, pose a public health risk and might be recalled or need remediation, including the cybersecurity vulnerability of the device technology. SJM responded Aug. 29, calling the report false and misleading.
(Updated information on this story -- In April 2017, the FDA issued a warning letter to Abbott / St. Jude Medical related to the company’s mismanagement of a recall the EP devices included in this story, and not fully addressing the cyberseciurity issues outlined in the Muddy Waters report. Read the article “FDA Harshly Criticizes Abbott, St. Jude For Failure to Address EP Device Safety.”)
“SJM’s pacemakers, ICDs and CRTs might – and in our view, should – be recalled and remediated,” the Muddy Waters report stated. “Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients. We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices.”
The firm reported a “crash” attack that causes cardiac devices to malfunction – including by apparently pacing at a potentially dangerous rate. It claimed a second reported incident was a battery drain attack that could be particularly harmful to device-dependent users. The report claims SJM cardiac devices can be attacked within a roughly 50 foot radius. It also theorizes that attacks can be executed on a large scale against patients using the thousands of remote Merlin home monitoring devices STJ has distributed.
“We have examined the allegations made by Capital and MedSec on Aug. 25, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading,” SJM said in its Aug. 29 statement. “Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”
SJM said remote monitoring is a safe and effective means for patients to communicate with their physician and has been well documented in leading publications that remote monitoring saves lives. Similar remote monitoring technologies also are offered by SJM’s competitors Biotronik, Boston Scientific, Medtronic and the Sorin Group. The company said it works with third-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for its data and devices as part of its product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for products. SJM also said it conducts regular risk assessments based on U.S. Food and Drug Administration (FDA) guidance and perform penetration tests using internal and external experts.
“Our system provides an automated remote upgrade process for all Merlin@home units that are in active use so that security enhancements are automatically deployed when they become available,” SJM said. “Merlin@home units that are not in active use and connected to the internet will also be upgraded when they return to use if a new update is available. Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes.”
Claims of Remote Battery Depletion are Misleading
The Muddy Waters report claimed that the battery could be depleted at a 50-foot range. SJM said this is not possible since once the device is implanted into a patient, wireless communication has an approximate 7-foot range. “This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report,” SJM said. The company said the report described a scenario where it would require hundreds of hours of continuous and sustained “pings” within this distance, meaning a patient would need to remain immobile for days on end and the hacker would need to be within 7 feet of the patient, SJM said. In the unlikely instance that was to occur, SJM said its implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients.
Safeguards in Place to Mitigate Crash Attacks
SJM said its devices are designed to go into a life-sustaining “safe” mode, as a safeguard, if unexpected conditions are detected. These safeguards will put the device into safe mode where the preprogrammed pacing and defibrillation functions of the implantable medical devices revert to safe settings. In addition, some SJM devices are designed to disable further RF communications for a period of time, which may appear to the untrained eye as having rendered the device disabled, although it continues to function.
SJM explained its devices also have built-in measures to reduce the risk of unauthorized commands being issued to our implantable devices. In addition, the company has an ongoing focus to continually strengthen its security systems in the ever changing cybersecurity environment. For example:
• Access controls help protect the Merlin@home™ operating system from unauthorized access
• The lack of built-in programming commands in Merlin@home help ensure that therapy is provided through the implanted device only at the direction of the physician
• Proprietary implantable medical device protocols protect communications with the implantable device
• Encryption of session authentication between the implantable medical device and Merlin@home further enhances device security
• The limited Medical Implant Communication Services (MICS) wireless range restricts accessibility of communications with the implantable device
Flawed Test Methodology on Updated Software
The report claimed that the system could be impaired, similar to when a computer system “crashes.” SJM points out the report has little detail on this simulation and includes many inconsistencies. The company said a screenshot in the report of the Merlin programmer shows a device that is functioning normally. The red items on the screen are highlighting the fact that there are no leads connected to the device. The device is pacing properly, at the programmed 40 bpm. The screenshot shows expected behavior from the SecureSense algorithm when device is pacing without any connected leads, SJM said.
SJM Says it is Vigilant
SJM reiterated its software has been evaluated by several independent organizations and researchers, including Deloitte and Optiv. In addition, Merlin.net was Safe Harbor certified by St. Jude Internal Audit in 2013 and annually since then. This includes an annual audit of key security controls within the Merlin.net environment and Merlin.net has received ISO 27001 certification since 2009. The company said this includes an internal audit of security controls and an independent certification by a third party, BSI. In 2015, it successfully completed an upgrade to the ISO 27001:2013 certification.
“Muddy Waters also makes numerous unsubstantiated statements that are speculative with no evidence shown to prove the claims such as an ability to impersonate any SJM device, reverse engineering to create a pocket-size programmer, and a large-scale attack through the Merlin network,” SJM stated. “However, we are not aware of such threats and will remain vigilant to the ever-increasing sophistication of those seeking access to devices/data and address any issues based on additional detail provided.”
The vendor said the report is unnecessarily alarming patients.
The Muddy Waters report can be found at www.muddywatersresearch.com/research/stj/mw-is-short-stj/
For more information: sjm.com
Related Healthcare Cybersecurity Content: