FDA confirms that St. Jude’s cardiac devices can be hacked
SAN FRANCISCO — It’s official: Hearts can be hacked.
The FDA confirmed that St. Jude Medical’s implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said on Monday.
The devices, like pacemakers and defibrillators, are used to monitor and control patients’ heart functions and prevent heart attacks.
St. Jude has developed a software patch to fix the vulnerabilities, and it will automatically be applied to affected devices beginning Monday. To receive the patch, the Merlin@home Transmitter must be plugged in and connected to the Merlin.net network.
The FDA said patients can continue to use the devices, and no patients were harmed as a result of the vulnerabilities.
Abbott Laboratories, which recently acquired St. Jude in a deal worth $25 billion, said it has worked with the FDA and DHS to update and improve the security of the affected devices.
“Cybersecurity, including device security, is an industry-wide challenge and all implanted devices with remote monitoring have potential vulnerabilities,” Candace Steele Flippin, a spokeswoman for Abbott, told CNNMoney in an email. “As we’ve been doing for years, we will continue to actively address cybersecurity risks and potential vulnerabilities and enhance our systems.”
The vulnerability lies in the transmitter that reads the device’s data and remotely shares it with physicians. The FDA said hackers could control a device by accessing its transmitter.
In August 2016, Muddy Waters founder Carson Block published a report claiming St. Jude’s devices could be hacked and said he was shorting the stock. St. Jude said the claims were “absolutely untrue,” and in September, it filed a lawsuit against the firm.
In a statement, Block said Monday’s announcement “vindicates” the firm’s research.
“It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities,” Block said. “Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”
The confirmation of St. Jude’s vulnerabilities is the latest reminder of how internet-connected devices can put health at risk. In December, the FDA published guidance for manufacturers on how to proactively address cybersecurity risks.