The medical device maker pushed out a patch for its implantable cardiac devices.
The Food and Drug Administration has revealed potential vulnerabilities in St. Jude Medical’s implantable cardiac devices.
The agency on Monday confirmed flaws in the Merlin@home Transmitter, leaving embedded pacemakers and defibrillators open to attack. According to the FDA, an unauthorized user could remotely access a patient’s radio frequency-enabled implant, then modify programming commands to quickly deplete the battery or administer inappropriate pacing or shocks.
In an effort to address these risks, St. Jude Medical this week pushed out a software patch that includes additional validation and verification between the device and Web platform. It will be applied automatically when the Merlin@home Transmitter is plugged in and connected to the Merlin.net network.
“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” Ann Barron DiCamillo, advisor to St. Jude Medical’s Cyber Security Medical Advisory Board, said in a statement.
There are no incidents, to date, of cyber attacks related to St. Jude Medical devices. Moving forward, the FDA will continue to assess the cybersecurity of St. Jude Medical’s implantable cardiac devices and the Merlin@home Transmitter. The manufacturer, meanwhile, has also partnered with the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit.
“We are continuously reassessing and updating our devices and systems, as appropriate,” St. Jude Medical Chief Technology Officer Phil Ebeling said. “The safety and security of patients is always our prime focus.”