What you need to know about the forces reshaping our industry.


January 11, 2017

St. Jude patches heart implants after FDA bulletin about software vulnerability

Daily Briefing

Abbott Laboratories released a software patch Monday to help protect its St. Jude Medical heart implants from hackers. According to Abbott, the patch further reduces the already "extremely low" chance of a breach. 

Following report last year, FDA and DHS confirm vulnerabilities

The software update follows a report released last year by two firms claiming that unauthorized users might be able to remotely access the transmitter that controls some St. Jude wireless defibrillators and pacemakers, Modern Healthcare reports.

In a bulletin released Monday, FDA and the Department of Homeland Security (DHS) confirmed that the transmitter—St. Jude's Merlin@home remote-monitoring and control device—was vulnerable to potential cyberattacks. According to the agencies, the device had vulnerabilities that could allow an unauthorized user to remotely access a patient's transmitter and modify programming commands, potentially making a cardiac implant pace at dangerous rates or rapidly deplete its batteries.

According to FDA and DHS, there have been no known attacks on the heart implants.

FDA, DHS say patch addresses vulnerabilities that pose greatest risk to patients

FDA and DHS in the bulletin said the patch makes the devices less vulnerable but does not completely secure them.

FDA spokesperson Angela Stark said the patch addresses the vulnerabilities that pose the greatest risk to patients and blocks hackers from accessing the device. In addition, the bulletin said while "all connected medical devices, including this one, carry certain risks, the FDA has determined that the benefits to patients from continued use of the device outweigh the risks." And DHS noted that only an attacker "with high skill" could successfully hack the devices.

To receive the automatic software update, patients must keep their Merlin@home devices plugged in and connected to the St. Jude's network, the Star Tribune reports.

St. Jude says it will continue to prioritize cybersecurity

St. Jude spokesperson Candace Steele Flippin said the company "has worked with, and continues to work with, the FDA and DHS to update and improve the security of our technology." The latest update, according to a statement from the company, "include[s] security updates that complement the company's existing measures and further reduce the extremely low cybersecurity risks."

Phil Ebeling, VP and chief technology officer at St. Jude, added, "The safety and security of patients is always our primary focus. We'll continue to work with agencies, security researchers, physicians and others in the industry in a coordinated way to develop best practices and standards that further enhance the security of devices across the medical industry."

St. Jude said the company has regularly provided software updates and updated its products to improve safety and security over the past several years. And Leslie Saxon, who chairs St. Jude's Cyber Security Medical Advisory Board, said the incident is a reminder that cybersecurity is playing a larger role in health care. "It's increasingly important to understand how innovation and cybersecurity impact physicians and the patients we treat," she said (Finkle, Reuters, 1/9; Castellucci, Modern Healthcare, 1/9; Larson, CNN, 1/9; Carlson, Minneapolis Star Tribune, 1/10; St. Jude Medical press release, 1/9)

More health care devices are internet-enabled. Learn why that matters for patients.

As more and more devices in the world become increasingly electronic, software-enabled, intelligent, wireless, and connected, it is worth exploring how the Internet of Things—the connectivity and interoperability of increasingly smart objects, such as appliances, sensors, controllers, wearables, and medical devices—can be leveraged in health care and health IT.

Download the brief

Have a Question?


Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.