Implantable cardiac devices and Merlin transmitter - Cybersecurity vulnerabilities have been reported


ISSUE: The FDA is providing information and recommendations regarding St. Jude Medical's radio frequency (RF)-enabled implantable cardiac devices and Merlin@home Transmitter to reduce the risk of patient harm due to cybersecurity vulnerabilities. The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks. 

There have been no reports of patient harm related to these cybersecurity vulnerabilities.

To improve patient safety, St. Jude Medical has developed and validated a software patch for the Merlin@home Transmitter that addresses and reduces the risk of specific cybersecurity vulnerabilities. The patch, which will be available beginning January 9, 2017, will be applied automatically to the Merlin@home Transmitter. Patients and patient caregivers only need to make sure their Merlin@home Transmitter remains plugged in and connected to the Merlin.net network to receive the patch. The FDA has reviewed St. Jude Medical's software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm. The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.

The FDA will continue to assess new information concerning the cybersecurity of St. Jude Medical's implantable cardiac devices and the Merlin@home Transmitter, and will keep the public informed if the FDA's recommendations change. The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g., Wi-Fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. The increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery. The FDA will continue its work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle. The FDA takes reports of vulnerabilities in medical devices very seriously and has issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.
 
BACKGROUND: Many...
