St Jude patching Merlin@home heart kit
Be still my beating heart
Months after steadfastly denying its heart implants have serious security vulnerabilities, St Jude – now owned by Abbott Laboratories – has issued a patch.
The company's press release is here.
Last year, a pentester and an investor pulled a now-notorious double act on St Jude, shorting its stock before publishing the vulnerabilities.
The disclosure first drew a furious denial from St Jude, which called the claims “false and misleading”. The company followed that up by launching legal action against MedSec (the pentester) and Muddy Waters (the investor).
However, the Food and Drug Administration (FDA) took things seriously enough to launch an investigation, and meanwhile in October an independent assessment of St Jude's security confirmed the vulnerabilities.
At the time, there was speculation that the vulnerabilities might spoil Abbott's acquisition of St Jude, but the transaction completed on January 4, and it's under the Abbott name that the fixes are being issued.
The FDA says that while there's no evidence that the vulnerabilities have been exploited, they are real: “these vulnerabilities, if exploited, could allow an unauthorized user … to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”
St Jude is now offering a patch for Merlin@home, and the FDA says it's validated the patch and notes that “the health benefits to patients from continued use of the device outweigh the cybersecurity risks”. ®