St. Jude Cybersecurity Vulnerability Extended to Provider-Owned Devices

by:
Jordan T. Cohen
Mintz Levin Cohn Ferris Glovsky Popeo P.C. - Boston Office

March 17, 2017

Previously published on February 9, 2017

Earlier this week, the U.S. Department of Homeland Security (DHS) updated a prior advisory revealing cybersecurity vulnerabilities in St. Jude Medical’s Merlin@home transmitter.

The Merlin@home transmitter is used by patients with St. Jude implantable cardiac devices to wirelessly transmit data from the patient’s cardiac device to the Merlin.net Patient Care Network. The uploaded data can then be monitored by a physician to determine whether the device is functioning properly. This past January, DHS released an advisory detailing a vulnerability that could allow an unauthorized user to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered transmitter could then be used to modify the implanted device to rapidly deplete its battery and/or administer inappropriate pacing or shocks to the patient. St. Jude quickly made an update available to patch this vulnerability.

The updated advisory extends the vulnerability to Merlin transmitters that are used by providers. These transmitters contain the same hardware and software as the models used by patients in their homes, but have an additional function, called MerlinOnDemand, that allows providers to use one transmitter in their office to obtain device data from multiple patients. According to the advisory, the endpoints between the implanted device and the Merlin.net website are not verified. This leaves the transmission open to a “man-in-the-middle” attack that would allow an attacker to remotely access the device. St. Jude has said that the MerlinOnDemand-enabled devices will receive the same patch that was provided to the home-based models.
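The advisory's core finding is that the endpoints in the data path are not verified, so a party sitting between them can alter traffic without either side noticing. The following added example (not code from St. Jude, the advisory, or the original article; it says nothing about the actual Merlin protocol) contrasts a receiver that trusts whatever arrives with one that checks a shared-key HMAC over each frame and rejects tampered, forged, or replayed frames. The device id, sequence numbers, key, and `battery_pct` payload are constructed for the demonstration; the HMAC is a stand-in for whatever endpoint-authentication mechanism a real deployment would use, and a complete design would verify in both directions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key; a real deployment would provision a credential
# per transmitter/server pair rather than generate one at import time.
SHARED_KEY = secrets.token_bytes(32)


def encode_body(device_id: str, seq: int, payload: dict) -> bytes:
    """Canonical JSON body so sender and verifier hash identical bytes."""
    record = {"dev": device_id, "seq": seq, "data": payload}
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_frame(key: bytes, device_id: str, seq: int, payload: dict) -> bytes:
    """Sender side: body followed by an HMAC-SHA256 tag over the body."""
    body = encode_body(device_id, seq, payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def accept_unverified(frame: bytes) -> dict:
    """Weak receiver: parses whatever arrives and never checks who sent it.
    This is the 'unverified endpoint' condition the advisory describes."""
    body, _sep, _tag = frame.rpartition(b"|")
    return json.loads(body)


def accept_verified(key: bytes, frame: bytes, last_seq: int) -> Optional[dict]:
    """Hardened receiver: rejects frames whose tag does not verify under the
    shared key (forgery or in-flight tampering) and frames that reuse a
    sequence number (replay). Returns the record only when all checks pass."""
    body, sep, tag = frame.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    record = json.loads(body)
    if record["seq"] <= last_seq:
        return None
    return record


def simulate_exchange() -> dict:
    """Runs the scenarios against both receivers and reports what each accepted."""
    genuine = make_frame(SHARED_KEY, "TX-0001", 1, {"battery_pct": 91})
    # In-path modification of a real frame: the man-in-the-middle case.
    tampered = genuine.replace(b'"battery_pct":91', b'"battery_pct":5')
    # A frame produced by a party that never held the key.
    forged = make_frame(secrets.token_bytes(32), "TX-0001", 2, {"battery_pct": 5})

    return {
        "genuine_weak": accept_unverified(genuine)["data"]["battery_pct"],
        "tampered_weak": accept_unverified(tampered)["data"]["battery_pct"],
        "genuine_strong": accept_verified(SHARED_KEY, genuine, last_seq=0),
        "tampered_strong": accept_verified(SHARED_KEY, tampered, last_seq=0),
        "forged_strong": accept_verified(SHARED_KEY, forged, last_seq=0),
        "replayed_strong": accept_verified(SHARED_KEY, genuine, last_seq=1),
    }


if __name__ == "__main__":
    for name, result in simulate_exchange().items():
        print(f"{name:16} -> {result}")
```

The weak receiver reports the altered battery reading as if it came from the device; the verified receiver returns `None` for the tampered, forged, and replayed frames and accepts only the genuine one. The sequence check matters because an authenticated but replayed frame is still an unauthorized message.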

The new vulnerability comes on the heels of the U.S. Food and Drug Administration’s release of final guidance on the postmarket management of cybersecurity in medical devices.
