St. Jude admits security vulnerabilities in cardiac devices
St. Jude Medical released a set of cybersecurity updates for the Merlin remote monitoring system, which is used in its implantable pacemakers and defibrillators, on Jan. 9.
The improvements include updates to the system and are to be used with the St. Jude’s current measures to reduce, what company officials called, “extremely low cybersecurity risks.” All of the company’s medical devices are exposed to the risk of a potential cybersecurity attack.
This is surprising admittance, given the company’s firm refusal to admit to any of the flaws revealed in a September report from Muddy Waters and security firm MedSec that revealed the heart devices were vulnerable to attack and put patient lives at risk.
St. Jude has since been embroiled in a defamation lawsuit it filed against the companies. Officials accused Muddy Waters and Med Sec of releasing this information only for “financial gain and is unnecessarily frightening.”
The initial MedSec report claimed successful hacking attempts could drain battery life or manipulate a pacemaker’s beat rates. St. Jude’s stocks tanked as a result. But a second report released during trial reiterated these claims.
Further, the FDA confirmed the data found in these reports on Jan. 9. Officials reviewed the potential vulnerabilities and confirmed the accuracy: Hackers can gain access to these devices and make alterations to the programming.
“After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters,” Muddy Waters Founder Carson Block, said in a statement.
“This long-overdue acknowledgement, just days after completion of St. Jude’s sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients,” he continued. “It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities.”
But despite these announced repairs, Block said it doesn’t address some of the major flaws revealed in the MedSec report - including the universal code that hands hackers the keys to these implants.
The Merlin at home transmitter software was updated three times in the last year, and will be immediately updated with the software patches. The update also includes additional validation and verification between the network and the device.
The company collaborated with the FDA, DHS ICS-CERT and other regulators during this software update and plans to release more throughout the year.
“There’s been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” Ann Barron DiCamillo, advisor to St. Jude Medical’s Cyber Security Medical Advisory Board, said in a statement.