Federal regulators warned this week that select cardiac devices made by St. Jude Medical could be susceptible to cyberattacks.
The Food and Drug Administration reported that the Minnesota-based medical device maker’s Merlin@home radio-frequency enabled devices could be accessed and modified by hackers, with consequences that include improper pacing or shocks to a patient’s heart or depletion of the device’s battery.
The devices, including pacemakers, defibrillators and resynchronization devices, are implanted under the skin with wires connecting to the heart. A home monitor then wirelessly transmits and receives radio frequency signals to and from the device to regulate hearts that beat too slowly or quickly or treat patients in heart failure.
Data is also sent through an internet connection to the patient’s physicians through the company’s Merlin.net Patient Care Network.
The FDA reported that an unauthorized user could exploit cybersecurity vulnerabilities to alter the transmitter and modify commands to the implanted device.
The agency also noted that St. Jude automatically sent a security patch to address the issue starting Monday, and that it did not receive any reports of patients harmed by the security weaknesses.
St. Jude officials characterized the risk as “extremely low” and noted that all remote-monitoring devices are “exposed to the risk of a potential cyber security attack.” The company also touted its work with the FDA and other oversight agencies and said that its actions demonstrate “that St. Jude Medical takes cyber security seriously.”
“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” St. Jude cyber security adviser Ann Barron DiCamillo said in a statement.