St. Jude Medical's implantable cardiac devices are are getting software fixes as the FDA found them vulnerable to hacking, according to the company and a just-released agency safety communication.
The updates are for the Merlin@home Transmitter.
Story Continues Below Advertisement
Getinge is a leading global provider of innovative solutions for operating rooms, intensive-care units, hospital wards, sterilization departments, elderly care and for life sciences companies and institutions. Click to read more
The FDA stated that the vulnerabilities could allow a hacker to alter the transmitter, which “could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”
The agency noted that at this time, however, it knows of no reports of patient harm coming from these vulnerabilities.
Calling the risk of such an exploit “extremely low,” St. Jude Medical stated that, “in recognition of the changing cyber security landscape and the increased public attention on highly unlikely medical device cyber risks, we are informing the public about these ongoing actions so that patients can continue to be confident about the benefits of remote monitoring.”
The company took the step preemptively, St. Jude Medical’s Cyber Security Medical Advisory Board advisor Ann Barron DiCamillo said in a statement.
“We’ve partnered with agencies such as the U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit, and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.
To date there have been seven software updates in the last 36 months to the Merlin@home transmitter.
The latest one included more secure “validation and verification between the Merlin@home device and Merlin.net.”
The upgrade was done in collaboration with a number of agencies, including the FDA and the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT), stated the company.
“As medical technology advances, it’s increasingly important to understand how innovation and cyber security impact physicians and the patients we treat,” said Dr. Leslie Saxon, chair of St. Jude Medical’s Cyber Security Medical Advisory Board.
St. Jude Medical became part of Abbott
on January 4.
The deal boosts Abbott's presence in a number of key sectors, including cardiovascular and neuromodulation patient care, by bringing into the fold St. Jude Medical's assets in atrial fibrillation, heart failure, structural heart, and chronic pain arenas. These combine with Abbott's own assets in coronary interventions and mitral valve disease.