Congressman Elijah Cummings dies at 68
4 killed in Southampton County crash

FDA confirms that St. Jude’s cardiac devices can be hacked

This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.

SAN FRANCISCO — It’s official: Hearts can be hacked.

The FDA confirmed that St. Jude Medical’s implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said on Monday.

The devices, like pacemakers and defibrillators, are used to monitor and control patients’ heart functions and prevent heart attacks.

St. Jude has developed a software patch to fix the vulnerabilities, and it will automatically be applied to affected devices beginning Monday. To receive the patch, the Merlin@home Transmitter must be plugged in and connected to the network.

The FDA said patients can continue to use the devices, and no patients were harmed as a result of the vulnerabilities.

Abbott Laboratories, which recently acquired St. Jude in a deal worth $25 billion, said it has worked with the FDA and DHS to update and improve the security of the affected devices.

“Cybersecurity, including device security, is an industry-wide challenge and all implanted devices with remote monitoring have potential vulnerabilities,” Candace Steele Flippin, a spokeswoman for Abbott, told CNNMoney in an email. “As we’ve been doing for years, we will continue to actively address cybersecurity risks and potential vulnerabilities and enhance our systems.”

The vulnerability occurred in the transmitter that reads the device’s data and remotely shares it with physicians. The FDA said hackers could control a device by accessing its transmitter.

In August 2016, Muddy Waters founder Carson Block published a report claiming St. Jude’s devices could be hacked and said he was shorting the stock. St. Jude said the claims were “absolutely untrue,” and in September, it filed a lawsuit against the firm.

Muddy Waters declined to comment on the FDA report.

The confirmation of St. Jude’s vulnerabilities is the latest reminder of how internet-connected devices can put health at risk. In December, the FDA published guidance for manufacturers on how to proactively address cybersecurity risks.

Notice: you are using an outdated browser. Microsoft does not recommend using IE as your default browser. Some features on this website, like video and images, might not work properly. For the best experience, please upgrade your browser.