FDA Issues Safety Advice for Cardiac Device Over Hacking Threat

No hacking has yet been reported for the cardiac device.

A wireless transmitter used to transmit data from cardiac devices to medical providers, the Merlin@home Transmitter made by St. Jude Medical was found to be vulnerable to online hacking, the FDA said.

The transmitter is placed in the home and can be used to monitor a variety of implantable cardiac devices including pacemakers, defibrillators or resynchronization devices and send health data back to a medical provider or the patient. The transmitter also allows doctors to change the device settings remotely.

With the new software patch, the FDA "determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks."

Thomas Lewis, a practice leader of LBMC Information Security, said the benefits of being able to monitor implanted medical devices wirelessly has helped patients tremendously. But it has also increased the risk that devices could be hacked.

"It allows providers to have a 24/7 look at how a patient is doing and that's invaluable when you talk about treatment," said Lewis. However, the continued challenge will be for providers to constantly stay ahead of any malicious actors looking for vulnerabilities on the devices.

"We typically see in emerging technology they aren't as tested and vetted quite as much from a security perspective," said Lewis. He pointed out that protecting these devices from hackers will require providers to constantly test the devices for weaknesses.

Patients with the transmitter are advised to continue a normal routine of check-ups with their doctor and to keep their transmitter connected to WiFi so that it can automatically upgrade with the new software patches. Patients with questions can contact St. Jude Medical's Merlin@home customer service at 1-877-My-Merlin.

"The safety and security of patients is always our primary focus," Phil Ebeling, vice president and chief technology officer at St. Jude Medical said in a statement. "We’ll continue to work with agencies, security researchers, physicians and others in the industry in a coordinated way to develop best practices and standards that further enhance the security of devices across the medical industry."