FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked

The U.S. Food and Drug Administration (FDA) issued a safety communication Tuesday about cybersecurity flaws in certain St. Jude Medical cardiac devices and the [email protected] transmitter after it was confirmed the devices could potentially be remotely accessed by unauthorized individuals.

The FDA confirmed that unauthorized users could “remotely access a patient’s RF-enabled implanted cardiac device by altering the [email protected] Transmitter,” potentially causing patients to be harmed. The flaws would allow an attacker to deplete the battery on implanted devices, alter pacing, or trigger shocks.

The FDA confirmed that there have been no reported instances of the cybersecurity flaws being exploited to cause harm to patients to date and patients have been advised to continue using the devices as instructed by their healthcare providers.

A patch to address the flaws has been developed and will be automatically applied this week. However, in order for the [email protected] device to receive the update it must be left plugged in and connected to the Merlin Network.

The cybersecurity vulnerabilities were discovered by researchers at MedSec as part of a study into cybersecurity measures used to protect implantable medical devices. MedSec passed on details of the research to Muddy Waters last summer. In August 2016, Muddy Waters published a report criticizing St. Jude Medical for allowing ‘stunning cybersecurity flaws’ to remain unaddressed in its [email protected] system and its associated defibrillators and pacemakers. St. Jude Medical denied the claims and sued Muddy Waters for disseminating ‘false and misleading’ information.

However, since the revelations were made in August, Abbott Laboratories, which recently acquired St. Jude Medical in a $25 billion deal, has been conducting its own investigations into device security. Abbott Laboratories has worked closely with both the FDA and the Department of Homeland Security to ensure that its pacemakers, defibrillator devices, and their associated systems are adequately protected and access by unauthorized individuals is blocked. The FDA has reviewed the software patch and has confirmed that it addresses the “greatest risks” and reduces the potential for exploitation and patient harm.

Carson Block, founder of Muddy Waters, issued a statement about the FDA announcement saying it “reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities.” However, while critical security vulnerabilities have been addressed, Block said “the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”

In the safety communication, the FDA reminded consumers that “any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users.” The FDA went on to say “the increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery.”

Cybersecurity Guidance for Medical Device Manufacturers

In December 2016, the FDA published its final cybersecurity guidance for medical device manufacturers. The document details measures that medical device manufacturers should adopt to ensure post-market devices are routinely assessed for vulnerabilities that could be exploited by hackers. The FDA released guidance in 2014 covering pre-market submissions for the management of cybersecurity in medical devices.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.