St. Jude Medical ICDs with Merlin@home Transmitter Can be Hacked, FDA Warns
The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) are warning that St. Jude Medical heart devices using Merlin@home wireless transmitters are susceptible to cybersecurity threats. The FDA addressed the issue in a Jan. 9, 2017 Safety Communication. The devices in question are implantable cardiac devices (ICDs), such as pacemakers, defibrillators and resynchronization devices.
Parker Waichman LLP is a national personal injury law firm with decades of experience representing clients in medical device litigation. The firm continues to offer free legal consultations to individuals with questions about filing a St. Jude Medical ICD lawsuit.
ICDs provide pacing for patients with a slow heart beat and send an electrical shock in patients with a dangerously fast heart rhythm. These devices, which are implanted under the skin in the upper chest, are attached to the heart through insulated wires, or leads.
The Merlin@home Transmitter connects to St. Jude ICDs to wirelessly transfer patient data to his or her physician. The system, which is placed inside the patient’s home, transmits and receives radio frequency (RF) signals. The transmitter sends data through a landline, cellular or wireless internet connection. The Merlin.net Patient Care Network allows doctors to monitor a patient’s ICD function.
The FDA warned that St. Jude ICDs connected to the Merlin@home Transmitter are vulnerable to hackers, who can potentially access the ICD through the transmitter. The cybersecurity threat means that someone could modify the device in ways that harm the patient, such as cause rapid batter depletion. The agency states that so far, no patients have been injured due to these cybersecurity issues.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter.” FDA says in its Safety Communication. “The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”
FDA says it will continue to review cybersecurity vulnerabilities in St. Jude ICDs with the Merlin@home Transmitter. The agency notes that medical devices are increasingly using wireless communications to transmit data easily and automatically. The FDA notes that “any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. The increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery.”
Dept. of Homeland Security Issues Advisory for St. Jude ICDs
The ICS-CERT also released an advisory warning of cybersecurity threats with St. Jude ICDs and the Merlin@home Transmitter. In a notification dated Jan. 9, 2017 the agency said that the devices were susceptible to a “man-in-the-middle” cybersecurity attack. “An attacker with high skill would be able to exploit this vulnerability,” the agency said.
ICS-CERT conducted a review of the issue and scored the cybersecurity threat as an 8.9 out of 10 on the common vulnerability scoring system version 3.0. A “critical” vulnerability includes scores of 9.0 and higher.
The cybersecurity vulnerabilities were brought to light by Muddy Waters Research agency, who released a report on the issue in August 2016. The FDA has been collaborating with the ICS-CERT following the report. Both agencies acknowledge that the vulnerabilities pose a serious risk to patients if exploited. However, they also note that there have been no such cases so far.
Angela Stark, spokesperson for the FDA, said to Focus that “The agency’s investigation confirmed that St. Jude Medical’s Merlin@home Transmitter contains cybersecurity vulnerabilities. Certain vulnerabilities present greater risk of patient harm and the FDA’s actions to date have focused on addressing those risks first,”
According to the agencies, St. Jude has released a software update that reportedly addresses the cybersecurity vulnerabilities.
Legal Help for St. Jude Medical ICD Recipients
Parker Waichman has years of experience representing clients in numerous medical device injury lawsuits. If you or someone you know was implanted with a St. Jude Medical Implantable Cardiac Device with a Merlin@home Transmitter, you may have valuable legal rights. Our firm offers free, no-obligation case evaluations. For more information, fill out our online form or call 1-800-YOURLAWYER (1-800-968-7529).