The U.S. Food and Drug Administration (FDA) has now joined the investigation into security claims that devices made by St. Jude Medical can be hacked remotely. These claims are still being defended by St. Jude. Muddy Waters Capital, an investment group, says that St. Jude Medical pacemakers and defibrillators are particularly vulnerable to remote computer […]
The U.S. Food and Drug Administration (FDA) has now joined the investigation into security claims that devices made by St. Jude Medical can be hacked remotely. These claims are still being defended by St. Jude. Muddy Waters Capital, an investment group, says that St. Jude Medical pacemakers and defibrillators are particularly vulnerable to remote computer hacking, which could disable these lifesaving machines.
Doctors and government regulators agree it is too soon to know if the claims that involve hundreds of thousands of St. Jude devices, are true. It is confirmed by the FDA it is working with the Homeland Security Department on the investigation. Currently, the advice from Muddy Waters that patients’ wireless communications be disabled, are largely rejected by doctors and regulators.
FDA spokeswoman Andrea Fischer said in an e-mail, “At the present time, patients should continue to use their devices as instructed and not change any implanted device. FDA will provide updates as we learn more. In the interim, if a patient has a question or concern they should talk with their doctor.”
MedSec Holdings is the private cybersecurity firm that alerted Muddy Waters to the alleged hacking weaknesses in St. Jude devices. Muddy Waters also announced it would profit if St. Jude stock declined in price, and showed that St. Jude devices appeared to be more vulnerable to attacks than those of other manufacturers.
Critics say the security flaw involves Merlin@home, a device made to be able to read patient data from a pacemaker or defibrillator remotely in the patient’s home and transmit it to a doctor’s office. Muddy Waters claims lax cybersecurity in the St. Jude devices would allow a hacker to send commands to pacemakers or defibrillators that would be able to drain the battery or interfere with proper functioning.
Several doctors said in an interview that they are not recommending changes to medical procedure, such as unplugging the Merlin@home or avoiding St. Jude devices, as the Muddy Waters allegations have not been verified with published date. Doctors said they were particularly skeptical as the claims come from a group with financial motives.