Pacemakers Can Be Hacked, Manufacturer Confirms

Today the US Food and Drug Administration (FDA) and St.Jude’s Medical issued a patch to the software of its Merlin@home Transmitter. The announcement confirmed that in this case, fact could be was stranger than fiction—or at least equally nefarious.

“The FDA has reviewed information concerning potential cyber security vulnerabilities associated with St. Jude Medical’s Merline@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician to remotely access a patient’s RF-enabled implanted cardiac device,” the FDA wrote in an advisory today.

In the words of the FDA, such cyber-intrusion “could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.” The announcement made it clear that this has never happened, as far as the company and the FDA know.

The patch is being automatically sent to the device system today, the FDA said. The agency said many medical devices contain configurable embedded computer systems that can be vulnerable to intrusion.

“As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cyber security vulnerabilities, some of which could affect how a medical device operates,” the FDA said.

Physicians are advised as follows:

• Continue to conduct in-office follow-up, per normal routine, with patients who have an implantable cardiac device that is monitored using the Merlin@home Transmitter.
• Remind patients to keep their Merlin@home Transmitter connected as this will ensure that patients' devices receive the necessary patches and updates.
• Contact St. Jude Medical's Merlin@home customer service at 1-877-My-Merlin, or visit www.sjm.com/Merlin disclaimer icon for answers to questions and additional information regarding St. Jude Medical's implantable cardiac devices, or the Merlin@home Transmitter.

The FDA offers the following advice for patients:

• Follow the labeling instructions provided with your Merlin@home Transmitter. Keeping your monitor connected as directed will ensure your monitor receives necessary updates and patches. Keep in mind that although all connected medical devices, including this one, carry certain risks, the FDA has determined that the benefits to patients from continued use of the device outweigh the risks.
• Consult with your physician(s) for routine care and follow-up. Your ongoing medical management should be individualized based on your medical history and clinical condition.

The FDA also directs consumers to St. Jude's Medical's website and service hotline, advising patients to "seek immediate medical attention if you have symptoms of lightheadedness, dizziness, loss of consciousness, chest pain, or severe shortness of breath."

The alert from the FDA is on its MedWatch site.