As if having a pacemaker were not worry enough, the U.S. Food and Drug Administration and the Department of Homeland Security have warned that St. Jude Medical’s Merlin@home wireless system is vulnerable to hacking.

The pacemaker’s transmitter sends information from St. Jude’s implantable cardiac devices to the Merlin.net Patient Care Network, which lets doctors monitor a patient’s heart rate and other medical data remotely. The network was recently acquired by Abbott Laboratories for $25 billion, before the incident.

[Image: Batteryless cardiac pacemaker. Image credit: Science Daily.]

A skilled hacker could have caused a heart attack

The vulnerabilities were first spotted by Muddy Waters Research, which also shorted St. Jude’s stock to profit from the disclosure. The FDA then confirmed the security flaws. The agencies that confirmed the findings warn that the flaws could be lethal for patients if exploited by an attacker, although no attacks have been reported.

The Department of Defense’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) rated the risk 8.9 on a 1-to-10 scale, where 9 marks the “critical” level of vulnerability.

The FDA reportedly acknowledged St. Jude’s measures to address the vulnerabilities: the company released a patch on Monday to reduce the risk of an attack, so patients do not need to have their pacemakers replaced unless further notice is issued.

“Patients and patient caregivers only need to make sure their Merlin@home Transmitter remains plugged in and connected to the Merlin.net network to receive the patch. The FDA has reviewed St. Jude Medical’s software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm. The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks,” reported the FDA on January 9, the same day the patch was launched.

Analysts suggest that the guidelines the FDA issues to manufacturers on updating their digital products are not binding enough, even though the agency has repeatedly called for such measures.

Many medical devices and gadgets now include network and digital features that allow them to be controlled remotely for convenience, but these devices are also prone to malfunction at some point. In 2015, the FDA issued two safety alerts regarding drug pumps manufactured by Hospira, which is now owned by Pfizer.

On the business side, the malfunction of a medical product always represents catastrophic losses for the company, mainly because products that put people’s lives on the line are expected to be safe and free of complications.

Drugs and medical equipment are always hard to invest in, mainly because new studies keep surfacing that may show a particular drug or product to be harmful, while another product may turn out to be the only one able to satisfy a very specific demand in the market. Hospira, for example, was lucky to have discontinued manufacturing the pumps before the FDA issued its notice.

Source: FDA