FDA Warns Medical Device May Allow Unauthorized Remote Access

The FDA recently issued a safety communication regarding St Jude Medical’s implantable cardiac devices and the Merlin@home Transmitter due to the potential for cybersecurity vulnerabilities.

Information outlining potential cybersecurity vulnerability associated with the transmitter showed these vulnerabilities may allow an unauthorized user to remotely access a patient’s radio frequency-enabled cardiac device by altering the transmitter, the agency reported in a press release.

An unauthorized user could then change programming commands to the device through the altered transmitter. These changes may cause rapid battery depletion, or the administration of inappropriate pacing or shocks, the FDA warned.

Thus far, there have been no reports of harm resulting from these cybersecurity vulnerabilities.

St Jude Medical has created and validated a new software patch for the Merlin@home Transmitter to reduce the risk of cybersecurity vulnerability, according to the FDA. This patch will be available on January 9, 2017, and will be applied to the transmitter.

Patients and caregivers must ensure their transmitter remains plugged in and connected to the Merlin.net network to receive the patch that will remedy any vulnerabilities.

The FDA reviewed the software patch to make sure it reduces the risk of cybersecurity vulnerabilities and patient harm resulting from exploitation, according to the release. A benefit-risk assessment of the Merlin@home Transmitter suggests that the health benefits from the device exceed any cybersecurity risks.

The FDA plans to continuously evaluate new information regarding the cybersecurity of St Jude Medical’s implantable cardiac devices and the Merlin@home Transmitter, according to the release. The agency will inform the public if there are any changes in the findings.

The FDA also warns that any patient who has a device that is linked to a Wi-Fi or internet network may face cybersecurity risks. However, the use of wireless technology has allowed patients to receive safer, more efficient, convenient, and timely healthcare services.

According to the press release, the FDA will continue to work with manufacturers, security researchers, and government agencies to create novel security solutions. The agency takes any vulnerabilities seriously, and has issued guidelines for manufacturers for monitoring, reporting, and remediation of devices.

At this time, the FDA recommends that healthcare providers continue to conduct normal in-office follow-ups for patients with this implantable device. Patients should also be on the lookout for software patches and updates to ensure their safety.

Patients should seek immediate medical attention if they experience lightheadedness, dizziness, loss of consciousness, chest pain, or shortness of breath, as these can be signs of serious adverse events.

Healthcare professionals are also encouraged to report any adverse events experienced with the Merlin@home Transmitter to the FDA’s MedWatch Safety Information and Adverse Event Reporting Program.