Updated with comment from Muddy Waters.
Abbott (NYSE:ABT) subsidiary St. Jude Medical said today it launched a cybersecurity update for its Merlin@home remote monitoring system designed for use with implantable pacemakers and defibrillator devices.
The Little Canada, Minn.-based company said the move was made to “complement the company’s existing measures and further reduce the extremely low cybersecurity risks.”
“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients. Today’s announcement is another demonstration that St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate,” St. Jude cybersecurity medical advisory board member and former US-CERT director Ann DiCamillo said in a press release.
St. Jude said it is not aware of any cybersecurity incidents related to its medical devices, and that none of its devices or systems have been the targets of such incidents.
The FDA, in its own press release, confirmed that there have been no reports of harm related to the vulnerabilities, but also warned that the weaknesses could be exploited.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks,” the FDA wrote in its release.
The update comes after a string of accusations of poor cybersecurity associated with St. Jude’s cardiac devices from short-seller Muddy Waters.
Muddy Waters quickly responded to the update, calling out St. Jude on the cybersecurity flaws and claiming that the fix will not correct the largest vulnerabilities in the system.
“After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters. This long-overdue acknowledgement, just days after completion of St. Jude’s sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities. Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants,” the firm wrote in a response to St. Jude.
St. Jude said the update included additional validation and verification between the Merlin@home devices and Merlin.net, and that it collaborated with the FDA to implement the changes. The company also said it has additional updates planned for 2017.
“As medical technology advances, it’s increasingly important to understand how innovation and cyber security impact physicians and the patients we treat. We are committed to working to proactively address cyber security risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function,” St. Jude cybersecurity medical advisory board chair Dr. Leslie Saxon said in prepared remarks.
The FDA said it reviewed the software update and, after an assessment of the device, determined that “the health benefits to patients from continued use of the device outweigh the cybersecurity risks.” The agency said it will continue to monitor the devices and will issue an update if its recommendations change.
“We’ve partnered with agencies such as the U.S. Food and Drug Administration and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team unit and are continuously reassessing and updating our devices and systems, as appropriate. The safety and security of patients is always our primary focus. We’ll continue to work with agencies, security researchers, physicians and others in the industry in a coordinated way to develop best practices and standards that further enhance the security of devices across the medical industry,” St. Jude chief technology officer Phil Ebeling said in a prepared statement.
In August, St. Jude issued a strongly worded refutation of accusations made by a short-seller aiming to drive its share price down, denying the allegations and calling Muddy Waters, the firm founded by well-known short-seller Carson Block, “irresponsible, misleading and unnecessarily frightening” to patients.
The short-seller aimed to disrupt the $25 billion acquisition of St. Jude by Abbott; in addition to betting on falling STJ shares, Block was long on ABT shares. His shop and a cybersecurity startup called MedSec alleged that St. Jude’s implanted cardiac rhythm management devices posed a cybersecurity risk because of vulnerabilities in the Merlin@home monitor. The company immediately denied the charges and fired off a detailed rebuttal; in response, Muddy Waters claimed that St. Jude’s rebuttal had instead proved the short-seller’s assertions.