St. Jude Medical Patches Cardiac Machine's Cybersecurity Flaw
Jan 11, 2017 9:51 AM PT
Medical device maker St. Jude Medical on Monday began deploying software designed to protect its remote monitoring system for implantable pacemaker and defibrillator devices.
The move came on the heels of the U.S. Food and Drug Administration's warning that the company's Merlin@home Transmitter contained vulnerabilities that could be exploited by hackers.
Merlin@home wirelessly communicates with implanted cardiac devices. It gathers data and sends it to a physician over the Merlin.net Patient Care Network via a continuous landline, cellular or Internet connection.
An unauthorized user could exploit the vulnerabilities in Merlin@home to modify commands to an implanted device, which could result in rapid battery depletion or administration of inappropriate pacing or shocks, the FDA explained.
There have been no reports of patient harm related to these cybersecurity vulnerabilities, the agency noted.
Benefits Outweigh Risks
St. Jude Medical has created a software patch, which is now available, to address the security flaws in the Merlin@home Transmitter, the FDA said. It will be installed automatically when the Merlin@home device is plugged in and connected to the Merlin.net Patient Care Network.
The FDA has reviewed St. Jude Medical's software patch to ensure that it addresses the greatest risks posed by the cybersecurity vulnerabilities, thus reducing the risk of exploitation and subsequent patient harm, according to the agency's alert.
The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter and determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.
The new patch includes additional validation and verification between the Merlin@home device and Merlin.net, St. Jude Medical explained.
"There has been a great deal of attention on medical device security, and it's critical that the entire industry continually enhances and improves security while bringing advanced care to patients," said Ann Barron DiCamillo, an adviser to St. Jude Medical's Cyber Security Medical Advisory Board.
The coordination between the FDA and St. Jude Medical is laudable, observed Alfred Chung, senior product manager at Guidance Software.
"As the number and type of devices connected to the Internet grows, so does the risk of cyberattack," he told TechNewsWorld. "Threats against medical facilities and devices are especially alarming, given the potential for physical harm or even loss of life."
Since the healthcare industry can expect to be in the sights of hackers, it's critical for device makers, healthcare institutions and government to cooperate, Chung maintained.
"In this case, St. Jude demonstrated how seriously they take cybersecurity, immediately releasing a patch to address the problem and coordinating clear communications with the public," he said.
Although there's the potential of severe harm to Merlin@home users if anyone should tamper with the devices, the risk of that happening is small, observed Lysa Myers, a security researcher at Eset.
"The likelihood for the average person is likely to be very low, as most attacks are financially motivated, and there is very little monetary gain in going after implantable medical devices," she told TechNewsWorld.
"However, the severity if a vulnerable device were to be attacked is quite high," she added, "as the problems it could cause could be fatal."
There's a money angle that could be worked by Net bottom feeders, though, suggested Arxan Vice President of Research Aaron Lint.
"This new echelon of body-interfacing IoT devices, like connected pacemakers, have the ability to cause direct physical harm. That could be effectively used as leverage against someone financially," he told TechNewsWorld.
"Take a moment to consider the ramifications of body-level ransomware," Lint said.
There's been much news lately about exploiting flaws in devices connected to the Internet so they can be enlisted into robot armies used to launch crippling distributed denial of service attacks on websites or the Internet itself. Could medical devices be used that way?
"It's very likely," said Erik Knight, CEO of SimpleWan.
"Since you can't exactly monitor or install antivirus on these IoT devices, no one really knows what they're doing," he told TechNewsWorld.
However, medical devices are not the ideal vehicles for DDoS attackers who want to avoid tipping off owners that their devices have been hijacked, argued Eset's Myers.
"There are so many unsecured IoT devices as well as mobile devices and traditional computers that they could use instead," she pointed out.
"If all of a sudden a bunch of people with medical devices came into hospitals with batteries that had run down way more quickly than usual," said Myers, "that would cause quite an uproar."