A leading medical device-maker said Tuesday it is deploying a software program to fix “cyber vulnerabilities” involved with a cardiac implant system that federal officials say was open to potential hackers.
No one was harmed as a result of cyber insecurities identified by the U.S. Food and Drug Administration in St. Jude Medical’s Merlin@home system, designed to relay heart data from a cardiac implant to a bedside transmitter. The transmitter conveys data to a doctor’s computer. There was no evidence of hacking, agency officials say.
The Minnesota company announced that it is sending an electronic patch that is remotely repairing the breaches uncoveredby the FDA. The agency sent a public safety notice about the problem to doctors Monday night.
Even though no one was harmed, the potential to hack medical devices is becoming a genuine possibility as the instruments grow “increasingly interconnected via the internet, hospital networks, other medical devices and smartphones,” agency officials wrote in the notice.
The Merlin system is used worldwide, including by heart patients on Long Island and throughout the greater metropolitan area. It consists of a patient’s radio frequency-enabled cardiac implant, such as a pacemaker, which communicates wirelessly with the transmitter.
FDA investigators say they found potential cybersecurity risks with the transmitter, which reads the implant’s information. Agency officials say hackers could interfere with the transmitter to disrupt information relayed to the doctor.
The FDA advisory grew out of its investigation of the Merlin@home system that began last summer after an investment firm reported the St. Jude system could be hacked. The medical device company, which recently was acquired by Abbott Laboratories for $25 billion, is the maker of a vast array of sophisticated implants.
Dr. Nicholas Skipitaris, professor of cardiology at Hofstra Northwell School of Medicine, said patients should continue using their system as originally instructed.
“I was notified by the company. That’s how I found out,” said Skipitaris, who has relied on the Merlin system for patients in whom he has implanted pacemakers and other electronic cardiac devices.
Skipitaris, who is also director of electrophysiology at Lenox Hill Hospital in Manhattan, said the cyber vulnerabilities reported by the FDA would not have allowed a hacker to reprogram a patient’s pacemaker or other cardiac implant.
“I am telling my patients that this is a low-risk situation for them and that no one has been harmed,” Skipitaris said.
The company, meanwhile, said it is cooperating with the FDA and the Department of Homeland Security, which has a division involved with the cyber security of medical devices.
“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security,” said Ann Barron DiCamillo, an adviser to St. Jude Medical’s Cyber Security Medical Advisory Board.
A report by the Association for the Advancement of Medical Instrumentation in October defined the health care industry as “firmly in the crosshairs of hackers.” The report underscored that cybersecurity has become a major focus of medical device manufacturers.
The FDA began its investigation of the Merlin system in August after Carson Block, founder of the investment firm Muddy Waters, published a report claiming St. Jude’s devices could be hacked. Block said in a statement Tuesday that the FDA’s finding of cyber vulnerabilities vindicates his company’s research.
However, Block added that St. Jude’s fixes do not appear to address many of the larger problems that he has identified, “including the existence of a universal code that could allow hackers to control the implants.”
On Tuesday, Candace Steele Flippin, a St. Jude vice president, did not respond to a question about the so-called universal code, or whether such a code exists.
“For years, St. Jude Medical has taken numerous measures to protect the security and safety of our devices as evidenced by regular updates and improvement to address the evolving cyber environment,” she wrote.
Last month, the FDA published recommendations for manufacturers on how to address cybersecurity risks, noting that cyber piracy is a genuine possibility in an era when implants are capable of electronically reporting vital patient data via the internet.