St. Jude Medical stated on January 9 that it has begun deploying security updates to its Merlin.net Patient Care Network system. Reports surfaced in late 2016 that the Merlin@home transmitter used to monitor specific St. Jude Medical implanted devices could be hacked and potentially used to kill the patient. The implants in question span pacemakers (Assurity and Endurity) and Implantable Cardioverter Defibrillators (Ellipse and Fortify Assura).
Reports of the vulnerability prompted an investigation by the U.S. Food and Drug Administration and a new warning about the potential hazards, which stands until St. Jude Medical resolves the problem. However, while the implants are radio frequency-enabled, they do not connect directly to the internet through Wi-Fi.
Instead, they can be accessed through the Merlin@home monitor or in-office medical diagnostic equipment. The underlying problem is that the Merlin@home device does connect to the internet.
Through its investigation, the FDA confirmed that a hacker could remotely access the Merlin@home transmitter and alter it to gain complete control. From there, the hacker could use the transmitter to silently reprogram the patient’s implant, leading to faster battery depletion, incorrect pacing, or unnecessary shocks, depending on the implant.
“Many medical devices—including St. Jude Medical’s implantable cardiac devices—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits,” the FDA said on Monday. “As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.”
St. Jude Medical said that it is not aware of any cybersecurity incidents related to its devices in the United States, nor of any specific St. Jude Medical device or system used in clinics that has been deliberately targeted. And while hackers intentionally going after St. Jude Medical devices is highly unlikely, the company is making the current update public knowledge so that patients can rest assured their implants are protected from outside modification.
“We’ve partnered with agencies such as the U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit, and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.
Patients relying on the Merlin@home service need to make sure the transmitter is plugged in and powered on, and that it’s connected to a land line or cellular service to receive the update. According to St. Jude Medical, the update includes additional “validation and verification” features for the communication between the Merlin@home transmitter and the Merlin.net online service. Additional updates will be distributed throughout 2017.
“The FDA has reviewed St. Jude Medical’s software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm,” the FDA added. “The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.”
The Merlin@home transmitter is used to collect information from the patient’s implant, and to send the data to caregivers through the online Merlin.net network. In turn, physicians can keep track of the device and make necessary changes without the need for an office visit.