FDA Issues Cybersecurity Alert for St. Jude Medical ICDs
St. Jude Medical implantable cardiac devices and the Merlin@home Transmitter may be vulnerable to cybersecurity attacks.
The US Food and Drug Administration (FDA) has issued recommendations regarding radio frequency (RF)-enabled implantable cardiac devices (ICD) and the Merlin@home Transmitter™ to reduce the risk of patient harm from potential cybersecurity vulnerabilities.
An unauthorized user could remotely access a patient's RF-enabled ICD by “altering” the Merlin@home Transmitter, which could then be used to modify programming commands to the ICD. Rapid battery depletion and/or inappropriate pacing or shocks could occur as a result.
St. Jude Medical, Inc. has developed a software patch for the Merlin@home Transmitter, which the FDA has reviewed. To receive the patch, the transmitter simply needs to remain plugged in and connected to the Merlin.net network.
After conducting an assessment of the Merlin@home Transmitter, the FDA has determined that the health benefits to patients outweigh the possible cybersecurity risks.
Patients who have symptoms of lightheadness, dizziness, loss of consciousness, chest pain, or severe shortness of breath are advised to seek immediate medical attention.
Implantable cardiac devices and Merlin@home transmitter by St. Jude Medical: FDA safety communication – cybersecurity vulnerabilities identified [news release]: Silver Spring, MD. US Food and Drug Administration; January 9, 2017. www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts
/ucm535979.htm. Accessed January 11, 2017.