Feature | EP Lab | August 29, 2016 | Dave Fornell

Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity

SJM refutes Muddy Waters device security defect allegations and reinforces its commitment to patient safety

Cybersecurity concerns were raised over the St. Jude Medical (SJM) Merlin@home EP device home monitoring system

St. Jude Medical said recent claims of the cyber attack vulnerability of its Merlin@home remote monitoring system and its implantable EP devices are not true.

August 29, 2016 — Investment research firm Muddy Waters Capital released a report Aug. 25 saying it believes St. Jude Medical (SJM) will lose up to half of its revenue due to what it calls issues with its electrophysiology (EP) devices, including pacemakers, implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy (CRT) devices. The research firm said these SJM devices, which make up nearly 46 percent of SJM’s revenue, pose a public health risk and might be recalled or need remediation, in part because of cybersecurity vulnerabilities in the device technology. SJM responded Aug. 29, calling the report false and misleading.

(Updated information on this story -- In April 2017, the FDA issued a warning letter to Abbott / St. Jude Medical related to the company’s mismanagement of a recall of the EP devices included in this story, and for not fully addressing the cybersecurity issues outlined in the Muddy Waters report. Read the article “FDA Harshly Criticizes Abbott, St. Jude For Failure to Address EP Device Safety.”)

“SJM’s pacemakers, ICDs and CRTs might – and in our view, should – be recalled and remediated,” the Muddy Waters report stated. “Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients. We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices.”

The firm reported a “crash” attack that causes cardiac devices to malfunction – including by apparently pacing at a potentially dangerous rate. It claimed the second type was a battery drain attack that could be particularly harmful to device-dependent patients. The report claims SJM cardiac devices can be attacked from within a roughly 50-foot radius. It also theorizes that attacks could be executed on a large scale against patients through the thousands of remote Merlin home monitoring devices STJ has distributed.

Read SJM’s response to the report in the article “St. Jude Brings Legal Action Against Market Research Firm for Report Bashing its EP Device Cybersecurity.”

“We have examined the allegations made by Capital and MedSec on Aug. 25, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading,” SJM said in its Aug. 29 statement. “Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”

SJM said remote monitoring is a safe and effective means for patients to communicate with their physician, and that leading publications have well documented that remote monitoring saves lives. Similar remote monitoring technologies also are offered by SJM’s competitors Biotronik, Boston Scientific, Medtronic and the Sorin Group. The company said it works with third-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for its data and devices as part of its product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for products. SJM also said it conducts regular risk assessments based on U.S. Food and Drug Administration (FDA) guidance and performs penetration tests using internal and external experts.

“Our system provides an automated remote upgrade process for all Merlin@home units that are in active use so that security enhancements are automatically deployed when they become available,” SJM said. “Merlin@home units that are not in active use and connected to the internet will also be upgraded when they return to use if a new update is available. Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes.”


Claims of Remote Battery Depletion are Misleading

The Muddy Waters report claimed that the battery could be depleted at a 50-foot range. SJM said this is not possible since once the device is implanted into a patient, wireless communication has an approximate 7-foot range. “This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report,” SJM said. The company said the scenario described in the report would require hundreds of hours of continuous and sustained “pings” within this distance, meaning a patient would need to remain immobile for days on end and the attacker would need to stay within 7 feet of the patient the entire time. In the unlikely instance that this were to occur, SJM said its implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold, to protect and notify patients.


Safeguards in Place to Mitigate Crash Attacks

SJM said its devices are designed to go into a life-sustaining “safe” mode, as a safeguard, if unexpected conditions are detected. These safeguards will put the device into safe mode where the preprogrammed pacing and defibrillation functions of the implantable medical devices revert to safe settings. In addition, some SJM devices are designed to disable further RF communications for a period of time, which may appear to the untrained eye as having rendered the device disabled, although it continues to function.

SJM explained its devices also have built-in measures to reduce the risk of unauthorized commands being issued to its implantable devices. In addition, the company said it has an ongoing focus on continually strengthening its security systems in the ever-changing cybersecurity environment. For example:

• Access controls help protect the Merlin@home™ operating system from unauthorized access
• The lack of built-in programming commands in Merlin@home helps ensure that therapy is provided through the implanted device only at the direction of the physician
• Proprietary implantable medical device protocols protect communications with the implantable device
• Encryption of session authentication between the implantable medical device and Merlin@home further enhances device security
• The limited Medical Implant Communication Services (MICS) wireless range restricts accessibility of communications with the implantable device


Flawed Test Methodology on Updated Software

The report claimed that the system could be impaired, similar to when a computer system “crashes.” SJM points out the report has little detail on this simulation and includes many inconsistencies. The company said a screenshot in the report of the Merlin programmer shows a device that is functioning normally. The red items on the screen highlight the fact that there are no leads connected to the device. The device is pacing properly, at the programmed 40 bpm. The screenshot shows the expected behavior of the SecureSense algorithm when the device is pacing without any connected leads, SJM said.


SJM Says it is Vigilant

SJM reiterated that its software has been evaluated by several independent organizations and researchers, including Deloitte and Optiv. In addition, Merlin.net was Safe Harbor certified by St. Jude Internal Audit in 2013 and annually since then, which includes an annual audit of key security controls within the Merlin.net environment. Merlin.net has held ISO 27001 certification since 2009; the company said this includes an internal audit of security controls and an independent certification by a third party, BSI. In 2015, it successfully completed an upgrade to the ISO 27001:2013 certification.

“Muddy Waters also makes numerous unsubstantiated statements that are speculative with no evidence shown to prove the claims such as an ability to impersonate any SJM device, reverse engineering to create a pocket-size programmer, and a large-scale attack through the Merlin network,” SJM stated. “However, we are not aware of such threats and will remain vigilant to the ever-increasing sophistication of those seeking access to devices/data and address any issues based on additional detail provided.”

The vendor said the report is unnecessarily alarming patients.

The Muddy Waters report can be found at www.muddywatersresearch.com/research/stj/mw-is-short-stj/

For more information: sjm.com
