Issue: February 2017
January 09, 2017

FDA: Health benefits of St. Jude Medical implantable devices outweigh cybersecurity risks

The FDA issued a safety communication indicating that cybersecurity risks identified in certain St. Jude Medical implantable cardiac devices with remote monitoring do not outweigh the health benefits of the devices.

The agency stated it has reviewed a software patch developed by St. Jude Medical, which was recently acquired by Abbott, and concluded that it reduces risk for hacking and patient harm. The patch is currently available.

According to the statement, the agency is not aware of any confirmed cybersecurity risks related to the devices. St. Jude Medical stated in a press release that it is not aware of any such incidents.

The FDA stated that its review confirmed that the cybersecurity risks identified in devices with the Merlin@home Transmitter “if exploited, could allow an unauthorized user ... to remotely access a patient’s [radiofrequency]-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”

However, the agency stated, “The health benefits to patients from continued use of the device outweigh the cybersecurity risks.”

Clinicians treating patients with the device should conduct normal in-office follow-up with the patients and remind them to keep their device connected to ensure all patches and updates are received, the agency stated.

Patients and caregivers should continue to follow all labeling instructions and keep the device connected, and should consult with their physician for routine care and follow-up, according to the safety communication.

To address further questions, clinicians, patients and caregivers should contact the Merlin@home customer service line at 877-My-Merlin (696-3754) or visit www.sjm.com/Merlin, the agency stated.

The agency said it will “continue to assess new information concerning the cybersecurity of St. Jude Medical’s implantable cardiac devices and the Merlin@home Transmitter, and will keep the public informed if the FDA’s recommendations change.”

Although any medical device connected to a wireless communications network can have vulnerabilities related to cybersecurity, it “can also often offer safer, more efficient, convenient and timely health care delivery,” the agency stated.

In its press release, St. Jude Medical stated the patch includes “security updates that complement the company’s existing measures and further reduce the extremely low cybersecurity risks.”

“As medical technology advances, it’s increasingly important to understand how innovation and cybersecurity impact physicians and the patients we treat,” Leslie A. Saxon, MD, chair of St. Jude Medical’s cybersecurity medical advisory board and executive director of the University of Southern California Center for Body Computing, said in the company release. “We are committed to working to proactively address cybersecurity risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function.”

The issue was made public after an announcement by Muddy Waters Capital LLC that the firm would short St. Jude Medical’s stock based on findings from MedSec, a cybersecurity firm, that devices with the Merlin@home Transmitter were susceptible to hacking. St. Jude Medical sued four entities and three individuals involved with making the allegations.

Disclosure: Saxon reports serving on an advisory board for St. Jude Medical.