St. Jude releases software patch to reduce hacking risk for its implantable heart devices, but is it enough of a fix? Not according to Muddy Waters.

Amanda Pedersen

It's never fun to be on the receiving end of an "I told you so," a position St. Jude Medical is finding itself in this week.

After months of adamantly defending the cybersecurity of its implantable heart devices, the company released a software patch Monday afternoon for its Merlin@home transmitter to reduce the risk that St. Jude's radio frequency (RF)-enabled pacemakers and defibrillators could be hacked into.

The timing of the patch release could raise some eyebrows, as it comes just days after Abbott Laboratories finalized its $25 billion (plus debt assumption) acquisition of St. Jude.

The patch release also gives weight to a report published in late August by short-seller Muddy Waters Capital and cybersecurity firm MedSec that claimed St. Jude's implantable heart devices could be hacked.

St. Jude repeatedly denied the claims and sued both Muddy Waters and MedSec in September for "false and misleading tactics," and to "set the record straight" about the security of its devices.

At the time, some St. Jude investors were concerned that the cybersecurity report could jeopardize the Abbott-St. Jude deal.

Carson Block, founder of Muddy Waters, said St. Jude's statement about the new software patch not only vindicates the research his firm published with MedSec, but also reaffirms his belief that "the company puts profits over patients."

Block said if his firm had not gone public with its findings, St. Jude would not have remediated the vulnerabilities. But that could be a moot point anyway, because Block also said the patch does not appear to address many of the technology's larger cybersecurity problems, such as the existence of a universal code that could allow hackers to control the implants.

St. Jude seems to have FDA convinced, though. The agency said it reviewed the software patch to "ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm."

Without the patch, FDA said in a safety alert, someone could potentially hack into a patient's Merlin@home transmitter. Once in, FDA said, the attacker could mess with programming commands sent from the transmitter to the implanted device to either rapidly drain its battery or to make it deliver inappropriate pacing or shocks.

St. Jude said it made seven software updates in three years to the Merlin@home transmitter alone, and the company also plans to release additional updates this year.

There have not yet been any reports of patient harm related to these cybersecurity vulnerabilities though, FDA said, and the health benefits of using the device outweigh the risks.

The agency also noted in its alert that any medical device connected to a communications network, such as the Internet, may have cybersecurity vulnerabilities. On the flip side, FDA said the increased use of wireless technology and software in medical devices can also offer safer, more efficient, convenient, and timely health care delivery.

St. Jude is certainly not alone in the cybersecurity battle. In October Johnson & Johnson's diabetes unit warned patients that its Animas Onetouch Ping insulin pumps may be vulnerable to cyberattack, but the probability of one of the devices actually being hacked is "extremely low."

"There has been a great deal of attention on medical device security and it's critical that the entire industry continually enhances and improves security while bringing advanced care to patients," said Ann Barron DiCamillo, a cybersecurity expert advisor to St. Jude.

Amanda Pedersen is Qmed's news editor. Reach her at [email protected]

[Image credit: Pixabay]