After reviewing information, the FDA announced on Jan. 9 that St. Jude Medical’s radio frequency (RF)-enabled implantable cardiac devices and the company’s Merlin@home transmitter could be subject to cybersecurity vulnerabilities.
The FDA noted that the agency had not received reports of patient harm related to the cybersecurity vulnerabilities. However, the agency said that if the vulnerabilities were exploited, unauthorized users could remotely access a patient’s RF-enabled implantable cardiac device by altering the Merlin@home transmitter. Unauthorized users could then modify programming commands to the implanted device, leading to potential battery depletion and/or patients receiving inappropriate pacing or shocks.
Although the FDA will continue to monitor the cybersecurity of St. Jude Medical’s implantable cardiac devices and the Merlin@home transmitter, the agency said patients could still use the transmitter.
“The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks,” the FDA said in a news release.
St. Jude Medical said in a news release on Jan. 9 that the company released the latest cybersecurity updates for the Merlin@home transmitter. The company said it had collaborated with the FDA and other regulators and planned on implementing more updates later this year.
“All medical devices using remote monitoring are exposed to the risk of a potential cyber security attack,” St. Jude Medical said in a news release. “St. Jude Medical is not aware of any cyber security incidents related to a St. Jude Medical device, nor is it aware that any specific St. Jude Medical device or system in clinical use has been purposely targeted.”
The FDA’s announcement and St. Jude Medical’s actions took place after Muddy Waters, a research firm, released a report in August saying St. Jude Medical’s pacemakers and defibrillators could be subject to potential hacking.
Shortly after the allegations were made public, St. Jude Medical filed a lawsuit against Muddy Waters and other parties. However, St. Jude Medical announced in October that a small number of its implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy ICDs.
Earlier this month, Abbott completed its acquisition of St. Jude Medical.