FDA confirms St. Jude heart monitors can be hacked, Abbott Labs to release patch
"The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks," the Food and Drug Administration said Monday.
The FDA said that no reports of patients being harmed had been recorded. However, Abbott began releasing a patch to fix the issue on the same day. The patch will automatically update all St. Jude devices as long as they are plugged in and connected to the Merlin.net network.
"Cybersecurity, including device security, is an industry-wide challenge and all implanted devices with remote monitoring have potential vulnerabilities," Candace Steele Flippin, a spokeswoman for Abbott, told CNNMoney. "As we've been doing for years, we will continue to actively address cybersecurity risks and potential vulnerabilities and enhance our systems."
The warning issued by the FDA came after the investment firm Muddy Waters published the initial report detailing how hackers can attack St. Jude medical devices in two different ways: either with a “crash” attack that would cause the devices to malfunction, or a battery drain attack that would cause the devices to die before their time.
“Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks,” Muddy Waters wrote. “There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years.”
Muddy Waters also created a website to host a series of videos that warn patients about the harm that hackers could inflict by broadcasting “potentially lethal commands to implantable devices.”
In an interview with Bloomberg, founder Carson Block said that Muddy Waters was working with MedSec, a company that deals with cybersecurity for medical devices, to assess the cybersecurity issues.
“Our assessment, as well as that of MedSec, is that for a number of years, St. Jude, in this realm, has been putting profits before patients,” Block said in the interview.
After the report from Muddy Waters came out in August, stock in St. Jude fell by as much as 10 percent, meaning that Muddy Waters stood to make a large profit.
St. Jude responded by filing a defamation lawsuit against Muddy Waters and MedSec, claiming that they lied to depress the value of the company’s stock and profit from what it called a “short-selling scheme.”
“The sole purpose of this short-selling scheme was to enable Defendants to secure a quick and illegal financial windfall,” St. Jude says in the lawsuit.
Muddy Waters claimed that the lawsuit from St. Jude infringed on its First Amendment rights. In a court filing in October, Muddy Waters said that St. Jude was seeking to “punish and prevent vital discussions about significant risks to the lives and health of ordinary Americans.”
In its report, Muddy Waters publicly stated that it had been shorting St. Jude ahead of the company's sale to Abbott. It said that knowledge of the cybersecurity issues would cause the $25 billion deal with Abbott Laboratories to fall apart.
When asked about the cybersecurity issues at the company’s third quarter earnings call in 2016, Miles White, the CEO of Abbott Laboratories, explained: “I think St. Jude has handled all this pretty well, pretty thoroughly,” the Chicago Tribune reported.