Dive Brief:
- A third-party cybersecurity firm identified more vulnerabilities in St. Jude Medical's Merlin@home transmitter, prompting the device maker to deploy a new software patch to mitigate the risk that a man-in-the-middle attacker could hack into the device.
- The ICS-CERT advisory involving the Merlin@home RF and inductive models states, “the endpoints for the communication channel between the transmitter and St. Jude Medical’s web site, Merlin.net, are not verified,” allowing a remote attacker to access or influence communications between the doctor and patient.
- Updates to the transmitter software will be automatically installed over the next few months, the advisory says, adding that patients should leave transmitters connected to the internet to receive updates.
Dive Insight:
The update follows one in early January involving Merlin@home RF transmitters, which affects all versions prior to Version 8.2.2, including RF models EX1150 and inductive models EX1100 with and without MerlinOnDemand capability.
St. Jude has been in the cross hairs since last summer when short-seller Muddy Waters and security firm MedSec issued a report claiming the company’s cardiac devices were ready targets for cyberattack, putting patients’ lives at risk. The FDA launched an investigation into vulnerabilities with St. Jude devices shortly thereafter, but emphasized that no authorized breaches had been identified and that benefits to patients outweighed the risks.
In September, St. Jude filed a defamation lawsuit against Muddy Waters and MedSec. The case is ongoing.
To deal with concerns about the safety of its devices, St. Jude announced in October that it was creating a medical advisory board to focus on cybersecurity of connected medical devices. The panel will seek feedback from leading physicians on patient management issues related to St. Jude devices.