FDA Issues Safety Advice for Cardiac Device Over Hacking Threat

— -- The U.S. Food and Drug Administration has issued new advice about how to safeguard implantable cardiac devices against hackers.

A wireless transmitter used to transmit data from cardiac devices to medical providers, the Merlin@home Transmitter made by St. Jude Medical was found to be vulnerable to online hacking, the FDA said.

While no hacking event has been reported, the possibility of tampering was so concerning St. Jude Medical worked with the FDA and the Department of Homeland Security to develop a software patch, which was released yesterday, to help protect the device and patients using it from hacking.

"Many medical devices —- including St. Jude Medical's implantable cardiac devices —- contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits," FDA officials said in a statement yesterday.

The transmitter is placed in the home and can be used to monitor a variety of implantable cardiac devices including pacemakers, defibrillators or resynchronization devices and send health data back to a medical provider or the patient. The transmitter also allows doctors to change the device settings remotely.

"As medical technology advances, it’s increasingly important to understand how innovation and cyber security impact physicians and the patients we treat," Dr. Leslie Saxon, chair of St. Jude Medical’s Cyber Security Medical Advisory Board, said in a statement. "We are committed to working to proactively address cyber security risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function."

With the new software patch, the FDA "determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks."

The FDA advisory comes as concern has been growing about how hacking could affect the medical field. In recent years multiple hospitals have paid ransom after 'ransomware' hacking left their medical files encrypted.

Thomas Lewis, a practice leader of LBMC Information Security, said the benefits of being able to monitor implanted medical devices wirelessly has helped patients tremendously. But it has also increased the risk that devices could be hacked.

"It allows providers to have a 24/7 look at how a patient is doing and that's invaluable when you talk about treatment," said Lewis. However, the continued challenge will be for providers to constantly stay ahead of any malicious actors looking for vulnerabilities on the devices.

"We typically see in emerging technology they aren't as tested and vetted quite as much from a security perspective," said Lewis. He pointed out that protecting these devices from hackers will require providers to constantly test the devices for weaknesses.

Patients with the transmitter are advised to continue a normal routine of check-ups with their doctor and to keep their transmitter connected to WiFi so that it can automatically upgrade with the new software patches. Patients with questions can contact St. Jude Medical's Merlin@home customer service at 1-877-My-Merlin.

"The safety and security of patients is always our primary focus," Phil Ebeling, vice president and chief technology officer at St. Jude Medical said in a statement. "We’ll continue to work with agencies, security researchers, physicians and others in the industry in a coordinated way to develop best practices and standards that further enhance the security of devices across the medical industry."