The US Food and Drug Administration (FDA) has issued new advice about how to safeguard implantable cardiac devices against hackers. The FDA has found that a wireless transmitter used to transmit data from cardiac devices to medical providers, the Merlin@home Transmitter made by St. Jude Medical was found to be vulnerable to online hacking.

Whilst no hacking event has been reported, the possibility of tampering was so alarming that St. Jude Medical worked with the FDA and the Department of Homeland Security to develop a software patch, which has just been released, to help protect the device and patients using it from hacking. In an official FDA statement released, many medical devices, including St. Jude Medical’s implantable cardiac devices contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. With the new software patch, the FDA determined that the health benefits to patients from the continued use of the device outweighs the cybersecurity risks present.

What St. Jude Medical is doing about it

Phil Ebeling, Vice President and Chief Technology Officer at St. Jude Medical said in a statement that the safety and security of its patients is always their primary focus and that they will continue to work with agencies, security researchers, physicians and others in the industry in a co-ordinated way to develop best practices and standards that further enhance the security of devices across the medical industry.

The transmitter concerned is placed inside the patient’s home and can be used to monitor a variety of implantable cardiac devices including pacemakers, defibrillators or resynchronization devices and send health data back to the patient or their medical provider. This transmitter also allows doctors to change the patient’s device settings remotely.

“As medical technology advances, it’s increasingly important to understand how innovation and cyber security impact physicians and the patients we treat,” Dr. Leslie Saxon, chair of St. Jude Medical’s Cyber Security Medical Advisory Board, said in a statement. “We are committed to working to proactively address cyber security risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function.”

The FDA advisory comes as concern has been growing about how hacking could affect the medical field. In recent years multiple hospitals have paid ransom after ‘ransomware’ hacking left their medical files encrypted. Thomas Lewis, a practice leader at LBMC Information Security, said that the benefits of being able to monitor implanted medical devices wirelessly has helped patients tremendously. However, it has also increased the risk of devices being able to be hacked. Providers will constantly have to stay ahead of any malicious actors looking for vulnerabilities in their devices. Lewis explains that this can be done by the providers constantly testing their devices for weaknesses.

Patients with the transmitter are advised to continue a normal routine of check-ups with their doctor and to keep their transmitter connected to WiFi so that it can be automatically upgraded with the new software patches. Patients in the US with questions can contact St. Jude Medical’s Merlin@home customer service at 1-877-My-Merlin (1-877-69637546). Patients outside of the US can reach them via e-mail or at +1-651-7562000.