SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
12 Jan 2017

St. Jude Medical releases security patches for vulnerable cardiac devices

Reports that St. Jude Medical devices contained severe security flaws, which led to a complicated legal battle between the healthcare equipment provider and MedSec, have been vindicated, with the FDA supporting the security firm's findings and St. Jude finally releasing a patch to fix the flaws.

On Monday, St. Jude Medical announced a set of cybersecurity updates for the Merlin remote monitoring system which is used with implantable pacemakers and defibrillator devices.

Despite having denied in the past that security flaws existed, the medical equipment supplier said the updates would "complement the company's existing measures and further reduce the extremely low cyber security risks." "All medical devices using remote monitoring are exposed to the risk of a potential cyber security attack," the company admitted.

On the same day, the US Food and Drug Administration (FDA) issued a statement affirming that a variety of St. Jude Medical devices which are radio-frequency (RF)-enabled and use Merlin@home Transmitters are vulnerable to cyberattack.

The transmitters record and receive RF traffic from the embedded medical devices before sending this information to physicians through the Merlin.net Patient Care Network. The US agency has investigated a set of security flaws found within this setup by MedSec and has come to the conclusion that the bugs could allow cyberattackers to remotely access implanted cardiac devices by compromising the transmitter.

Once inside, attackers could modify the programming of these devices, leading to battery depletion, tampering with set heart pacing or shocks. Thankfully, however, there have been no reports of patients being hurt because of these vulnerabilities.

"The FDA has reviewed St. Jude Medical's software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm," the agency said. "The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks."

The battle for St. Jude Medical to admit there were security holes which needed to be plugged has been a long one. Cybersecurity firm MedSec and private equity firm Muddy Waters released a paper last August which described how St. Jude Medical pacemakers and defibrillators were vulnerable to attack, but the news did not go down well with either St. Jude or investors.

After the research -- which noted successful attacks could result in patient lives being placed at risk -- went public, St. Jude Medical share prices plummeted. In retaliation, the firm rapidly "set the record straight" by denying the report's claims, launching a court case against the companies and citing research from the University of Michigan which replicated the research and could not find security problems with the devices.

(Despite this, independent security firm Bishop Fox provided testimony saying that the devices "did not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients.")

St. Jude Medical's lawsuit against MedSec and Muddy Waters, which is ongoing, complains that the report is little more than scaremongering and that the firms used "false and misleading tactics" to force share price drops in a scheme for financial gain. The short-selling scheme, according to St. Jude Medical, involved Muddy Waters shorting the firm's stock at the time the report was released and estimating that share prices would be affected for "at least" two years. MedSec was hired at the same time as a consultant on a fee basis and for a cut of investments.

Whether financial gain or the promotion of patient safety was truly at the heart of the situation, Muddy Waters and MedSec are not best pleased with St. Jude Medical's patch, which is now automatically applied to device transmitters once they are plugged in and turned on.

In a statement, the company said:

"After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters. This long-overdue acknowledgement, just days after completion of St. Jude's sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities. Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants."

The FDA said that the agency will continue to assess any new information around the St. Jude Medical device security investigation and alter its recommendations if any game-changing information comes to light.

Tags:
hackers information leaks
Source:
ZDNet