FDA issued a safety communication on January 9, 2017, detailing St. Jude Medical products that could be vulnerable to cyber threats. These threats could result in rapid battery depletion or administration of inappropriate pacing or shocks—potentially lethal outcomes. FDA noted that there have been no reports of patient harm related to the cybersecurity risks.
The news comes after months of St. Jude Medical and short-selling investment firm Muddy Waters arguing over claims that St. Jude cardio devices are especially at risk of hacking.
Concurrent with the FDA safety communication, St. Jude Medical issued a patch for its implantable cardiac devices and the Merlin@home transmitter. The patch was automatically applied to affected devices.
St. Jude Medical, which officially became part of Abbott Laboratories on Jan. 4, has seen its share of public relations and cybersecurity nightmares, starting in August of 2016, when Muddy Waters published a report detailing how hackers might crash the devices or cause battery drain. Yesterday, following the announcement, Muddy Waters issued the following statement:
After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters. This long-overdue acknowledgement, just days after completion of St. Jude’s sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities. Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.
It is worth noting that news out of FDA could potentially affect the lawsuit St. Jude has filed against Muddy Waters in federal court in Minneapolis, although at press time, there were no changes.
And even though Muddy Waters clearly feels vindicated, let’s not forget that no one in this story really smells like roses. As MDO discussed last year in a podcast, both MedSec, the cybersecurity research firm, and Muddy Waters are in an ethical gray area with such whistleblowing tactics.
FDA’s response, plans moving forward
FDA has rarely issued communications about specific cybersecurity threats, and this action suggests we will probably see more. It comes on the heels of FDA’s final guidance on cybersecurity, which was released on Dec. 27, 2016. The Postmarket Management of Cybersecurity in Medical Devices Final Guidance recommends an “all-out, life-cycle” approach for managing postmarket cybersecurity vulnerabilities, according to FDA associate director Suzanne Schwartz.
Schwartz advised device makers in her blog to build controls right from the beginning of design and development, and to remain vigilant throughout the lifecycle of a product.