Cyber Hacking and the Heart: How Science Fiction Becomes Science Fact, And How Profits Influence Policy

This week, the Food and Drug Administration (FDA) confirmed that pacemakers and implantable defibrillators (ICDs) manufactured by St Jude Medical are vulnerable to cyber hacking. This completes months of cooperative investigation and evaluation by the company and the FDA. An announcement was made on January 9, 2017 that Abbott—who recently acquired SJM in a deal reported to be worth 25 billion dollars—has provided a software patch as a “fix”. To date, the FDA has confirmed that no patients have been harmed by the vulnerabilities.

What Exactly IS the Security Issue?

Most implantable cardiac devices such as pacemakers and defibrillators (regardless of manufacturer) are now able to connect to home monitoring systems wirelessly so that physicians can monitor the devices remotely. These remote monitoring systems are essential in the long-term management of device patients. This technology allows healthcare providers to respond quickly to any device alerts, malfunctions or changes in a patient’s clinical status. All of these networks contain embedded computer systems that are connected to the internet, which makes them vulnerable to malicious cyber attacks; these vulnerabilities have been discussed since before 2013. All major manufacturers have these home transmitters, and each differs in the exact frequency with which the transmitter communicates with the device. Previous research has shown that medical devices are vulnerable to hackers, who were able to assume control of a device in a laboratory setting. In the case of the St Jude Medical devices, the FDA released its findings on security vulnerabilities in a safety report dated January 9, 2017. In the report, the FDA states that the agency “has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter.” According to the FDA, the issue at hand is that hackers could potentially access the Merlin@home transmitter and then reprogram the device or prematurely deplete the battery, putting patients at significant risk. Based on the completed review, SJM (now Abbott) has released a software “patch” that was recently designed to address the vulnerabilities in the Merlin@home system.
The patch will be automatically installed wirelessly over the internet in all home monitoring systems this week. The FDA will continue to monitor cyber security issues and advises both patients and physicians to continue to conduct home monitoring as per routine.

How and When Did This Come About? Follow the Money….

This story began in August 2016, when Muddy Waters Capital, a privately owned investment research firm, first suggested that these vulnerabilities existed and advised that it would be short selling SJM stock. Muddy Waters, in turn, first learned about the cyber security issues concerning SJM devices from MedSec, an independent cyber security company. At the time, MedSec claimed that its research suggested that St. Jude Medical was “by far the least secure” of the four largest implantable cardiac device makers in the United States. SJM responded by saying that the claims were “absolutely untrue” and that the Muddy Waters investigation was based entirely on “financial gain”.

In September, public record indicated that SJM sued Muddy Waters—calling the short seller’s claims “irresponsible” in a press release—and ardently defended the safety and security of its devices. The FDA acted immediately by beginning a joint investigation of the SJM device vulnerabilities in cooperation with the Department of Homeland Security. During the last year, SJM had been in the process of negotiating an acquisition deal with Abbott Laboratories—the deal closed January 4, 2017. Five days later, the FDA safety report was released.

Internet Connected Medical Devices Are At Risk: Guidance From The FDA

In December of 2016 (before the current SJM findings were released), the FDA published guidelines regarding cyber security issues and medical devices. As medicine becomes more digitally connected, with patient devices being accessed via smartphones, tablets, doctors’ offices and hospital systems, security vulnerabilities are becoming more of a concern. In the document the FDA makes it clear that all medical devices are at risk and that more must be done in the pre-market phase by industry to design more secure portals for data collection and device integration. In addition, more study is needed to identify potential risks and impact to patients. The guidance statement goes on to recommend much more vigorous post-market cyber security surveillance and suggests that all of the findings should be shared with the FDA. I expect that in the future, there will be a great deal more regulation involved for medical devices that are capable of wireless communication across the internet.

What Can We Learn from This? What’s Next?

Our lawmakers and the FDA must do more to regulate the medical device industry. We must do more to PUT PATIENTS FIRST. I am certain that SJM is not the only company with devices that are vulnerable to hacking—we have had reports of other devices—from MRI scanners, IV infusion pumps, personal insulin pumps and other connected devices—that either have been compromised or have been identified as high risk. I think it is important for device makers to be proactive and tell us what we need to know now—What are they going to do NOW to protect patients from cyber attacks? Outside research firms have suggested that most cyber security efforts related to medical devices and healthcare systems are lagging nearly a decade behind current technology. Many devices are still running on operating systems with known vulnerabilities, such as Windows 7 and Windows XP.

I agree with the spirit of the FDA guidance statement from last month, but I expect MORE. We must pursue post-market cyber security issues aggressively. We must make every effort to identify and mitigate risk quickly. I would advocate for more cooperation between companies in cyber security efforts—by combining efforts to create more secure environments for medical devices and information, all parties will profit, and ultimately patients and the healthcare system in general will benefit. As a physician and a patient advocate, I am ready for change. While we must continue to promote free market competition and innovation, we MUST also protect the very people we are intending to serve—the patients who depend on us—and our devices—every single day.
