Is your heart hackable?
Some implantable medical devices, such as pacemakers, defibrillators and resynchronization devices, can be hacked with malicious intent. If you have an implanted device made by St. Jude Medical and use the Merlin@home transmitter, this is for you.
In early January 2017, both the Food & Drug Administration and the Department of Homeland Security issued warnings about the implanted devices made by St. Jude Medical.
At the same time, St. Jude introduced a software patch to rectify the problem, while we warned that this patch only fixed one of the most serious vulnerabilities.
In early February 2017, the Department of Homeland Security validated our analysis and issued a second warning about St. Jude medical implants. In this notice, St. Jude Medical (now part of Abbott Laboratories) acknowledged that more models of the company’s implantable medical devices are subject to cyber security threats. This development supports ongoing claims that St. Jude Medical + Abbott have not recognized or addressed all of the devices’ major vulnerabilities, raising questions about best practices for disclosure and patient safety.
We continue to believe that there are cyber security vulnerabilities with St. Jude Medical’s Merlin@home transmitter that, if exploited, could allow an unauthorized user to remotely access a patient’s implanted cardiac device.
Here’s what the FDA said:
"The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks." - FDA, January 9, 2017
The Department of Homeland Security issued the following warning:
"Successful exploitation of this vulnerability may allow a remote attacker to access or influence communications between Merlin.net and transmitter endpoints." - DHS ICS-CERT, January 9, 2017
Do you know if your St. Jude pacemaker is safe?
In our view, the announced fixes do not appear to address the larger problems, including the existence of a universal code that could allow hackers to control the implants.
If you have a St. Jude implantable cardiac device, contact your doctor, cardiologist and/or primary caregiver to find out if you are at risk.
For more information:
See the FDA's safety communications for St. Jude implantable devices:
http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm535843.htm
Or contact the FDA directly:
Toll Free: (800) 638-2041
Local: (301) 796-7100
Email: [email protected]
See the Department of Homeland Security's ICS-CERT advisory:
https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01
Or contact the DHS - ICS-CERT directly:
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900
Email: [email protected]