St. Jude finds more medical device flaws, releases updated patches

The vulnerability can allow a hacker to exploit the device to access or influence communication between the device and the web.
By Jessica Davis
01:42 PM

St. Jude Medical announced that a third-party security research firm has found more flaws in the Merlin@home Transmitter medical device. It has patched the vulnerabilities, which leave the device exposed to a man-in-the-middle attack.

The organization released the update Monday for the Merlin@home inductive models, increasing the number of vulnerable devices of the same model patched with its Jan. 9 advisory. The Merlin@home cardiac devices allow remote care management for patients with scheduled transmissions, patient-initiated transmissions and daily monitoring.

The vulnerability can allow a hacker to exploit the device to access or influence communication between the device and Merlin.net, according to the ICS-CERT advisory. St. Jude issued an update to fix the vulnerability.


All Merlin@home devices prior to the 8.22 RF model EX1150, inductive models EX1100 and a MerlinOnDemand-compatible EX1100 model are vulnerable to these attacks. Officials said the updated transmitter software will roll out over the next few months. Users should leave their devices connected to the internet to receive the update.

St. Jude has been in the hot seat since the fall, when Muddy Waters and security firm MedSec made the damning charge that St. Jude’s heart devices contained flaws that put patient lives at risk. In January, St. Jude finally admitted it had found seven flaws in its cardiac devices, just as MedSec had claimed.

While the organization fumbled the initial reaction to the discovered flaws, it appears St. Jude is making an effort to correct the vulnerabilities to protect patient lives.
