The Food and Drug Administration has found cybersecurity vulnerabilities with a St. Jude Medical cardiovascular device that faced scrutiny from short-sellers last summer who claimed the device was vulnerable to hacks.
The FDA found that St. Jude Medical's Merlin@home Transmitter could be hacked by an unauthorized user which could lead to rapid battery depletion and inappropriate pacing or shocks to a patient's cardiac device. But the FDA said the device can still be used, adding that the health benefits of the cardiac device “outweigh the cybersecurity risks.”
In order to address the risk, St. Jude Medical has developed a software patch that will be automatically applied Monday to all Merlin@home Transmitters, the FDA report said. The FDA assessed the software patch and determined it reduces the risk of cyber hacking.
No patient has reported any harm related to cybersecurity threats.
In a prepared statement, St. Jude Medical said, “For years, St. Jude Medical has taken numerous measures to protect the security and safety of our devices as evidenced by regular updates and improvement to address the evolving cyber environment.”
The FDA probe was conducted after short-selling investment firm Muddy Waters and cybersecurity company MedSec Holdings issued a report in August 2015 that St. Jude's Merlin@Home Transmitter lacked “even the most basic forms of security.”
St. Jude officials consistently denied the allegations since the report published and sued both Muddy Waters and MedSec Holdings for their claims.
St. Paul, Minn.-based St. Jude Medical was acquired last week by Abbott Laboratories in a $25 billion deal.