Federal regulators warned this week that select cardiac devices made by St. Jude Medical could be susceptible to cyberattacks.
The Food and Drug Administration reported that the Minnesota-based medical device maker’s Merlin@home radio-frequency enabled devices could be accessed and modified by hackers, with possible consequences including improper pacing or shocks to a patient’s heart or depletion of the device’s battery.
The devices, including pacemakers, defibrillators and resynchronization devices, are implanted under the skin with wires connecting to the heart. A home monitor then wirelessly transmits and receives radio frequency signals to and from the device to regulate hearts that beat too slowly or quickly or treat patients in heart failure.
Data is also sent through an internet connection to the patient’s physicians through the company’s Merlin.net Patient Care Network.

This Wednesday, July 22, 2015, file photo shows St. Jude Medical corporate headquarters, in Little Canada, Minn., just north of St. Paul. The Homeland Security Department is warning the public about an unusual cybersecurity flaw for one manufacturer’s implantable heart devices that could allow hackers to remotely take control of a person’s defibrillator or pacemaker. The U.S. says security patches will be rolled out automatically over several months to patients with affected St. Jude Medical device transmitters at home, as long as they are plugged into the network. The transmitters send device data back to medical professionals. Abbott Laboratories’ St. Jude says it’s not aware of any deaths or injuries related to the vulnerability, nor is it aware of any specific device or system that’s been targeted. (Glen Stubbe/Star Tribune via AP, File)
The FDA reported that an unauthorized user could exploit cybersecurity vulnerabilities to alter the transmitter and modify commands to the implanted device.
The agency also noted that St. Jude automatically sent a security patch to address the issue starting Monday, and that it did not receive any reports of patients harmed by the security weaknesses.
St. Jude officials characterized the risk as “extremely low” and noted that all remote-monitoring devices are “exposed to the risk of a potential cyber security attack.” The company also touted its work with the FDA and other oversight agencies and said that its actions demonstrate “that St. Jude Medical takes cyber security seriously.”
“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” St. Jude cyber security adviser Ann Barron DiCamillo said in a statement.