FDA says St. Jude heart devices vulnerable to hacking

Federal regulators said Monday that scores of pacemakers and implantable heart defibrillators made by St. Jude Medical are vulnerable to computer hacking, but a security patch is ready to address the problem.

On Monday, the U.S. Food and Drug Administration published a public safety notice confirming it is possible for a hacker to remotely compromise security in St. Jude's wireless communication network and then secretly change commands in a pacemaker or implantable defibrillator while it's still wired to a patient's heart.

The potential for such attacks was first alleged by an investment firm last August. Such an attack could cause a lifesaving device to rapidly deplete its battery or give inappropriate electric shocks. However, federal officials stress there has never been a documented case of a cyberattack intended to harm a patient.

"As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates," the FDA's Monday safety alert says.

Cybersecurity researchers with the FDA and the Department of Homeland Security confirmed the vulnerabilities less than a week after St. Jude Medical was acquired by Illinois' Abbott Laboratories in a $23 billion deal. Abbott's announcement of the software patch was published under the old St. Jude logo.

"We've partnered with agencies such as the U.S. Food and Drug Administration and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team unit and are continuously reassessing and updating our devices and systems, as appropriate," said a statement from Phil Ebeling, the St. Jude executive who became chief technology officer for Abbott's cardiovascular-device business.

The investment firm that first publicized cybersecurity problems with St. Jude devices last August took a victory lap of sorts in public statements but also expressed skepticism about St. Jude's new software update.

The FDA announcement "reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities," said Carson Block, founder of financial research and trading firm Muddy Waters, which revealed the problems. "Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants."

Muddy Waters and the computer-security firm it worked with, MedSec Holdings, were strongly criticized after coming forward with their allegations. Muddy Waters also disclosed that it had taken a short position on St. Jude Medical stock, which means it stood to gain if investors drove down the price of the shares. Muddy Waters said it would pay MedSec from its investment profits.

Some security researchers said the hackers were endangering patients and acting unethically by not telling St. Jude about the problems first. St. Jude sued Muddy Waters and MedSec Holdings for defamation for alleging cybersecurity vulnerabilities. Muddy Waters and MedSec maintained that it was St. Jude who had imperiled patients by not taking basic security precautions.

"We eagerly await remediation efforts on the multitude of severe vulnerabilities that remain unaddressed, including the ability to issue an unauthorized command from a device other than the Merlin@home device," MedSec CEO Justine Bone said in a blog post Monday.

Merlin@home is a monitor that sits on a patient's bedside. It can wirelessly read information from an implanted pacemaker or defibrillator, like battery level and performance history, and then relay that information to a doctor.

On Monday, the Department of Homeland Security's industrial control systems cyber emergency response team issued an advisory that said a highly skilled hacker could remotely exploit a "Man in the Middle" vulnerability in a Merlin@home system to issue malicious commands.

Such a vulnerability happens when a digital system fails to properly authenticate the sender of remote messages, allowing hackers to impersonate an authentic source and then issue damaging commands to the pacemaker via the Merlin@home system.

The Homeland Security notice Monday said MedSec Holdings had correctly identified the "Man in the Middle" vulnerability in St. Jude devices. St. Jude has since confirmed the vulnerability and published new software that mitigates the problem, the Homeland Security notice said.

Merlin@home devices with software before version 8.2.2 are affected by the vulnerability, but the updated version should automatically upload in coming months. Patients must keep their at-home devices plugged in and connected to St. Jude's Merlin.net network to receive the patch.

"Keep in mind that although all connected medical devices, including this one, carry certain risks, the FDA has determined that the benefits to patients from continued use of the device outweigh the risks," the FDA's safety alert said.

A malicious computer attack intended to harm a patient has never been documented, either with St. Jude's devices or any other company's devices.

The med-tech industry has been pondering device cybersecurity since at least 2008, when researchers in Michigan first revealed in a paper that it was possible to hack an implanted pacemaker. Last year the FDA strongly discouraged hospitals from using Hospira's Symbiq drug pump because of cybersecurity concerns.

St. Jude says cybersecurity is part of its ongoing work — and has been for some time.

On Monday, the company disclosed that it has made seven security patches to its Merlin devices in three years as part of its continuous improvement process, and that its eighth will be published starting Monday.

"It's increasingly important to understand how innovation and cybersecurity impact physicians and the patients we treat," Dr. Leslie Saxon, who chairs St. Jude Medical's Cyber Security Medical Advisory Board, said in a statement. "We are committed to working to proactively address cybersecurity risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function."

Joe Carlson • 612-673-4779