FDA Confirms Cybersecurity Vulnerabilities with Certain St. Jude Medical ICDs

By MedTech Intelligence Staff

If exploited, unauthorized access to these devices could have dangerous consequences.

Medical device cybersecurity is a looming threat that often appears in the news. Hear industry experts discuss design, oversight, risk mitigation and containment at the Medical Device Cybersecurity conference, March 23–24, 2017 | LEARN MOREFDA has released a safety communication alerting physicians and patients to cybersecurity vulnerabilities related to St. Jude Medical’s radio frequency-enabled implantable cardiac devices and Merlin@home Transmitter. According to the agency, if the vulnerabilities are exploited an unauthorized user could remotely access the ICD by altering the transmitter, which could lead to changes in programming commands to the device and “rapid battery depletion and/or administration of inappropriate pacing or shocks.”

“Many medical devices—including St. Jude Medical’s implantable cardiac devices—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.” – FDA

To reduce the risk of these vulnerabilities, St. Jude Medical developed and validated a software patch for the Merlin@home Transmitter. Available as of January 9, the patch is automatically applied to the transmitter so long as the device is plugged in and connected to the network.

FDA will continue to assess cybersecurity vulnerabilities related to these St. Jude Medical products.

Related Articles

About The Author

MedTech Intelligence