The agency warned that a vulnerability within the Merlin@home system could allow a third party to remotely “access or influence communications” between Merlin.net and transmitter endpoints, which could drain the battery or send inappropriate electric pulses to patient devices.
The federal body released data on which models are affected, including RF Models EX1150 and inductive models EX1100 and EX1100 with MerlinOnDemand capability.
The DHS included clinician-operated Merlin@home equipment, specifically transmitters, in its warning, though the agency mentioned that the devices represent only 0.1% of all transmitters worldwide.
“ICS-CERT recommends that patients and healthcare providers evaluate the impact of this vulnerability based on their specific usage after reviewing the information referenced in this advisory and to contact the vendor for assistance with any questions or concerns related to this vulnerability,” the DHS wrote in its updated advisory.
The DHS did acknowledge St. Jude’s update, released early last month, to correct the vulnerabilities in its Merlin@home remote monitoring system, which is designed for use with implantable pacemakers and defibrillator devices.
The company said the move was made to “complement the company’s existing measures and further reduce the extremely low cybersecurity risks.”
St. Jude said it is not aware of any cybersecurity incidents related to its medical devices, and that none of its devices or systems have been the targets of such incidents.
The FDA, in its own press release, confirmed that there have been no reports of harm related to the vulnerabilities, but also warned that the weaknesses could be exploited.
The update comes after a string of accusations of poor cybersecurity associated with St. Jude’s cardiac devices from short-seller Muddy Waters.
Muddy Waters quickly responded to the update, calling out St. Jude on the cybersecurity flaws and claiming that the fix will not correct the largest vulnerabilities in the system.
St. Jude said the update included additional validation and verification between the Merlin@home devices and Merlin.net, and that it collaborated with the FDA to implement the changes. The company also said it has additional updates planned for 2017.