The U.S. Food and Drug Administration (FDA) announced that the St. Jude Medical’s radio frequency (RF)-enabled implantable cardiac devices and Merlin@home Transmitter may be vulnerable to cybersecurity breaches. The FDA, although confirming there is a risk for a breach, has made clear that at this time, they have not received any reports of patients experiencing any injury linked to the cybersecurity vulnerabilities.
Concerns about Unauthorized Users
The concern is the potential risk for the cardiac devices to be remotely accessed by someone other than the authorized user that may not be a physician. For example, the Merlin@home Transmitter, if accessed by an unauthorized user, may be used to modify programming to the implanted device. According to the FDA statement, this could result in the administration of inappropriate shocks or pacing, or premature battery depletion.
Parker Waichman LLP has successfully represented individuals who have suffered from injuries allegedly associated with medical devices.
Software Patch to Combat Risk
St. Jude Medical has developed a software patch for the Merlin@home Transmitter that deals with the risk of specific cybersecurity issues. The patch was made available January 9, 2017 and is applied automatically to the Merlin@home Transmitter, notes the FDA statement.
The only requirement to receive the patch is for patients and caregivers to make sure their Merlin@home Transmitter remains plugged in and connected to the Merlin.net network. In addition, the FDA remarked that the St. Jude Medical’s implantable cardiac devices contain configurable embedded computer systems that may be vulnerable to cybersecurity exploits and intrusions.
Since medical devices are becoming increasingly interconnected by way of the Internet, hospital networks, smartphones, or other medical devices, there is a greater risk of exploitation of cybersecurity vulnerabilities, that may influence how a medical device performs. What this means is that any medical device linked to a communications network such as wi-fi, public or personal Internet, may have cybersecurity susceptibility to hacking by unauthorized users.
Previous St. Jude Medical Device Vulnerability Issues
The FDA participated in an investigation working together with the Homeland Security Department when there were claims in the summer of 2016 that medical devices can be hacked remotely. Muddy Waters Capital, an investment group, maintains that St. Jude Medical defibrillators and pacemakers are especially vulnerable to remote hacking, which may disable the lifesaving devices.
An FDA spokeswoman, Andrea Fischer said that patients should continue using their devices as instructed and not change any implanted device. She assured everyone that the FDA will provide updates, and with any concerns the patient might have, they should consult their doctor.
The security flaw involved the Merlin@home device. The design makes it possible to read patient data from a pacemaker or defibrillator remotely in the home and transmit the information to a doctor’s office.
The lax cybersecurity in St. Jude devices could have allowed a hacker to send commands to one of St. Jude’s (STJ) pacemakers or defibrillators that could then drain the battery or interfere with proper functioning. It was also alleged by Muddy Waters, that the vulnerabilities could allow a hacker to launch a “large scale” attack on St. Jude’s large Merlin network, which connects to all active @home machines.
Muddy Waters and MedSec (a cybersecurity researchers’ group) took the devices apart and claimed that some seemed to have “off the shelf” components. The hackers also told that a lack of encryption of some data made the devices easier to compromise.
“One of the purposes of this report is unapologetically to single out STJ for what we see as its incompetence in, or indifference to, device security,” the Muddy Waters report said. “MedSec and Muddy Waters believe it is prudent from a security standpoint for STJ to disable the [wireless communications] capability of patients’ implanted devices.”
St. Jude Medical 2016 Recall
In October 2016, the FDA announced a Class 1 category for a St. Jude Medical recall involving hundreds of thousands of implantable, cardioverter defibrillators (ICDs). A Class 1 recall is the most serious type of recall and use of the device in question may cause serious injuries or death. The problem the led to the St. Jude recall was premature battery depletion, reported Qmed News.
St. Jude had previously reported two deaths that were caused by early lithium battery depletion. The rapid depletion was caused allegedly, by deposits of lithium forming within the battery. The “lithium clusters” may cause a short circuit to occur, creating a potentially dangerous situation.
Do You Seek Legal Advice Concerning a Medical Device?
If you or someone you know has been affected by a medical device injury, you may have valuable legal rights. Parker Waichman LLP is a nationwide, renowned personal injury law firm that has successful experience handling medical device cases. We urge you to contact the Parker Waichman medical device injury attorneys at 1-800-YOURLAWYER (1-800-968-7529).