Cybersecurity vulnerabilities in a St. Jude Medical cardiovascular device extend to a piece of equipment that is used within healthcare facilities, according to an update from the U.S. Department of Homeland Security.
DHS and the Food and Drug Administration said that hackers could deplete the battery of a St. Jude cardiac device or send inappropriate shocks to a patient by exploiting vulnerabilities in Merlin@home, a device that transmits device data to clinicians. In an update Tuesday, DHS released details on which Merlin models are affected by the vulnerability, including those used by clinicians.
Merlin transmitters used in medical offices have a MerlinOnDemand capability, which allows them to gather data from multiple implants within patients who are being seen by clinicians. These transmitters are deployed across the industry, but represent only 0.1% of all transmitters worldwide, according to the alert.
St. Jude was acquired by Abbott Laboratories late last year for $25 billion. The initial alerts from the FDA and DHS regarding the Merlin@home vulnerability came less than a week after the acquisition was completed.
A St. Jude spokeswoman said MerlinOnDemand-enabled devices are receiving the same software upgrade that was announced in the initial alert in March. There are still no known instances of hackers exploiting this vulnerability, according to DHS.
"Physicians are not being asked to take any action," the spokeswoman said. "Because Merlin@home units with MerlinOnDemand capability are located in medical clinics, our field teams have led the work to update the units."
The update will be automatically installed on devices over a period of several months, as long as they are connected to Ethernet, WiFi, a cellular network or a landline. After releasing a software patch in response to the initial federal alert in January, the company said it would be implementing additional updates throughout this year to address remaining vulnerabilities.
St. Jude still has many other flaws with this device and with other devices across its product offerings, said Justine Bone, CEO of MedSec Holdings, a cybersecurity firm that teamed up with short-selling investment firm Muddy Waters to publish a report that accused St. Jude devices of lacking “even the most basic forms of security.” St. Jude subsequently sued Muddy Waters, MedSec and three principals in those firms.
Bone said the update addresses only a small part of St. Jude's cybersecurity troubles. She alleged that there are direct vulnerabilities within the St. Jude cardiac devices, not just the security gaps in the Merlin@home transmitter. MedSec is calling on St. Jude to release an update specifically for the implants themselves.
The FDA said the benefits of using the device outweigh any risks. Bone agreed, noting that it's important for customers to continue using Merlin@home so that the device can monitor potential battery issues that may come after battery issues were reported in certain St. Jude defibrillators in October.
Bone said providers should be discussing cybersecurity issues during the contracting process for medical device procurement, and should be asking manufacturers for verification that basic security functionality is built into their devices. “Good manufacturers come up with documentation demonstrating it's built in,” Bone said.
Read Modern Healthcare's special report on cybersecurity, Building a Better Cyberdefense, for more information on how to protect your system from hackers.