Cybersecurity

St. Jude Medical Patches Cardiac Machine’s Cybersecurity Flaw

Medical device maker St. Jude Medical on Monday began deploying software designed to protect its remote monitoring system for implantable pacemaker and defibrillator devices.

The move came on the heels of the U.S. Food and Drug Administration’s warning that the company’s Merlin@home Transmitter contained vulnerabilities that could be exploited by hackers.

Merlin@home wirelessly communicates with implanted cardiac devices. It gathers data and sends it to a physician over the Merlin.net Patient Care Network via a continuous landline, cellular or Internet connection.

An unauthorized user could exploit the vulnerabilities in Merlin@home to modify commands to an implanted device, which could result in rapid battery depletion or administration of inappropriate pacing or shocks, the FDA explained.

There have been no reports of patient harm related to these cybersecurity vulnerabilities, the agency noted.

Benefits Outweigh Risks

St. Jude Medical has created a software patch, which is now available, to address the security flaws in the Merlin@home Transmitter, the FDA said. It will be installed automatically when the Merlin@home device is plugged in and connected to the Merlin.net Patient Care Network.

The FDA has reviewed St. Jude Medical’s software patch to ensure that it addresses the greatest risks posed by the cybersecurity vulnerabilities, thus reducing the risk of exploitation and subsequent patient harm, according to the agency’s alert.

The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter and determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.

The new patch includes additional validation and verification between the Merlin@home device and Merlin.net, St. Jude Medical explained.

“There has been a great deal of attention on medical device security, and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said Ann Barron DiCamillo, an adviser to St. Jude Medical’s Cyber Security Medical Advisory Board.

Critical Cooperation

The coordination between the FDA and St. Jude Medical is laudable, observed Alfred Chung, senior product manager at Guidance Software.

“As the number and type of devices connected to the Internet grows, so does the risk of cyberattack,” he told TechNewsWorld. “Threats against medical facilities and devices are especially alarming, given the potential for physical harm or even loss of life.”

Since the healthcare industry can expect to be in the sights of hackers, it’s critical for device makers, healthcare institutions and government to cooperate, Chung maintained.

“In this case, St. Jude demonstrated how seriously they take cybersecurity, immediately releasing a patch to address the problem and coordinating clear communications with the public,” he said.

Ransomware Potential

Although there’s the potential of severe harm to Merlin@home users if anyone should tamper with the devices, the risk of that happening is small, observed Lysa Myers, a security researcher at Eset.

“The likelihood for the average person is likely to be very low, as most attacks are financially motivated, and there is very little monetary gain in going after implantable medical devices,” she told TechNewsWorld.

“However, the severity if a vulnerable device were to be attacked is quite high,” she added, “as the problems it could cause could be fatal.”

There’s a money angle that could be worked by Net bottom feeders, though, suggestedArxan Vice President of Research Aaron Lint.

“This new echelon of body-interfacing IoT devices, like connected pacemakers, have the ability to cause direct physical harm. That could be effectively used as leverage against someone financially,” he told TechNewsWorld.

“Take a moment to consider the ramifications of body-level ransomware,” Lint said.

Robot Army

There’s been much news lately about exploiting flaws in devices connected to the Internet so they can be enlisted into robot armies used to launch crippling distributed denial of service attacks on websites or the Internet itself. Could medical devices be used that way?

“It’s very likely,” said Erik Knight, CEO of SimpleWan.

“Since you can’t exactly monitor or install antivirus on these IoT devices, no one really knows what they’re doing,” he told TechNewsWorld.

However, medical devices are not the ideal vehicles for DDoS attackers who want to avoid tipping off owners that their devices have been hijacked, argued Eset’s Myers.

“There are so many unsecured IoT devices as well as mobile devices and traditional computers that they could use instead,” she pointed out.

“If all of a sudden a bunch of people with medical devices came into hospitals with batteries that had run down way more quickly than usual,” said Myers, “that would cause quite an uproar.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

1 Comment

  • This is very worrisome to me because my Wife had a sudden cardiac arrest a few months ago and required a defibrillator/pacemaker implanted in her. We have a St Jude’s monitoring device and recently received a new data USB stick to connect to cellular connection. I wonder if this also is part of the improvement in security? It’s great to have the peace of mind of a remote monitoring device, but it does demonstrate the potential for others to do damage that could be fatal. It’s also scary to think we have one of these devices and end up reading about this security risk in the news rather than St Jude informing us through email or other contact.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

How confident are you in the reliability of AI-powered search results?
Loading ... Loading ...

Technewsworld Channels