FDA issues warning about hackable Implantable Cardiac Devices

12 January 2017

Change your heart rate

Hackers could have gained remote access to a patient's implanted cardiac device and potentially changed the heart rate, administered shocks, or quickly depleted the battery. No incidents of this kind have been reported so far, the FDA said. St. Jude Medical's implantable cardiac devices are placed under the skin in the upper chest area and have insulated wires that run into the heart to help it beat properly.

The devices communicate with the Merlin@home Transmitter, which the patient keeps at home. The transmitter sends the patient's data to their physician over the Merlin.net Patient Care Network. Hackers could have exploited the transmitter, the manufacturer confirmed. “It could be used to modify programming commands to the implanted device,” the FDA safety communication reads.

An e-mail from a St. Jude Medical representative states that the company "has taken numerous measures to protect the security and safety of our devices," including the new patch, and the creation of a "cyber security medical advisory board." The company plans to implement additional updates in 2017, the email said.

The FDA warning came a few days after Abbott Laboratories completed its acquisition of St. Jude Medical. Four months ago, in August 2016, a group of experts at Miami-based cyber security company MedSec Holding published a paper describing several vulnerabilities they had found in St. Jude Medical’s pacemakers and defibrillators. They made the announcement at the end of August 2016, together with investment house Muddy Waters Capital.

Keys to the castle

“Merlin@homes generally lack even the most basic forms of security,” the paper states. MedSec experts wrote: “Key vulnerabilities can apparently be exploited by low level hackers. Incredibly, STJ has literally distributed hundreds of thousands of “keys to the castle” in the form of home monitoring units (called “Merlin@home”) that in our opinion, greatly open up the STJ ecosystem to attacks. These units are readily available on Ebay, usually for no more than $35.”

St. Jude Medical denied the claims in August and sued Muddy Waters and MedSec. “The allegations are absolutely untrue,” CTO Phil Ebeling told Bloomberg. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.” St. Jude declined to comment on the ongoing litigation.

Muddy Waters is not amused by this update. In its view, St. Jude Medical is more interested in profit than in patients. “The announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants,” a press statement reads. “Had we not gone public, St. Jude would not have remediated the vulnerabilities.”

Patch downloads automatically

The freshly released software patch that should address the problems is available and will download to the transmitter automatically. “Patients should make sure that their Merlin@home unit is plugged in and connected via landline or cellular adapter so they can receive these and any future automatic security updates,” reads a press release from St. Jude Medical.

This is not the first time that physicians and cyber security experts have raised concerns about implanted medical devices. On October 6th, ICT&Health published an article about an insulin pump from Johnson & Johnson that could easily be hacked. Former American Vice President Dick Cheney had the wireless capabilities of his heart implant disabled a few years ago, fearing an assassination attempt.