Posted 11 January 2017
By Michael Mezher
The US Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory on Monday warning of cybersecurity vulnerabilities found in St. Jude Medical's Merlin@home wireless transmitter that could affect the company's line of implantable cardiac devices (ICDs).
The Merlin@home device is used to communicate with a range of St. Jude's ICDs, including its radio frequency-enabled pacemakers, defibrillators and resynchronization devices in order to transmit patients' data to their physicians over the Merlin.net Patient Care Network.
Alongside the disclosure by the two agencies, St. Jude, which was just bought by Abbott Laboratories last week in a $25 billion deal, released a patch addressing what FDA says are the greatest risks to patients posed by the vulnerabilities.
Vulnerabilities and Disclosure
The vulnerabilities were first brought to light in a report from short-seller firm Muddy Waters Research in August based on research carried out by cybersecurity firm MedSec. Notably, Muddy Waters also disclosed that it had taken a short position on St. Jude stock by the time it released its report.
While the vulnerabilities identified by MedSec have been confirmed by FDA and ICS-CERT, the predictions made in Muddy Waters' report that St. Jude's pacemakers, defibrillators and other devices could be recalled or sales halted have not come to pass.
FDA spokesperson Angela Stark told Focus that FDA has been working closely with ICS-CERT to investigate the vulnerabilities disclosed in August.
"The agency's investigation confirmed that St. Jude Medical's Merlin@home Transmitter contains cybersecurity vulnerabilities. Certain vulnerabilities present greater risk of patient harm and the FDA's actions to date have focused on addressing those risks first," Stark said.
According to the agencies, the vulnerabilities pose a high risk to patients if exploited, though both agencies note that there are no known cases of actual attacks against the devices.
In its advisory, ICS-CERT says that a hacker with "high skill" would be able to gain control of devices connected to the Merlin@home system through a "man-in-the-middle" attack. Based on its assessment, ICS-CERT says the vulnerability has been rated an 8.9 (high risk) out of 10 on the Common Vulnerability Scoring System version 3.0 (CVSS v3), whereas a score of 9.0 or higher would constitute a "critical" vulnerability.
However, not all the vulnerabilities have been addressed. In separate blog posts on MedSec's website, MedSec CEO Justine Bone and Hemal Nayak, assistant professor of medicine and electrophysiology specialist at the University of Chicago, claim that some of the remaining vulnerabilities are serious and could allow an attacker to issue unauthorized commands to a Merlin@home-enabled device.
Despite these claims, Stark noted that St. Jude's efforts to address the remaining vulnerabilities have been "consistent" with FDA's recently finalized guidance on postmarket medical device cybersecurity. And in its safety communication FDA says the patch issued Monday reduces the risk of attack and that the "health benefits to patients from continued use of the device outweigh the cybersecurity risks."
As such, FDA says that patients should continue using their Merlin@home transmitters to ensure their device receives patches pushed to it from the manufacturer.
Going forward, FDA says it will continue to review the cybersecurity of St. Jude devices, and says it will notify the public if its recommendations toward the devices change.