The Food and Drug Administration (FDA) recently issued a warning letter to St. Jude Medical, alleging that it failed to properly investigate issues with the batteries in its defibrillator implants and for failing to fix the cybersecurity of its in-home monitoring system, known as Merlin@home. The monitoring system is wireless and is connected to St. Jude’s implantable cardiac devices, including pacemakers, defibrillators and resynchronization devices.
St. Jude was accused last year by an investment research firm of having lax cybersecurity measures for its Merlin@home monitoring system. St. Jude says it has investigated the allegations. St. Jude went so far as to file a defamation lawsuit against the firm.
However, the FDA and the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team issued an advisory in January 2017 warning patients about cybersecurity vulnerabilities found in the Merlin@ home wireless transmitter. At that time, the agencies confirmed that if the cybersecurity vulnerabilities were exploited, they could pose a high risk to patients—ranking it 8.9 out of 10.
Regarding the cybersecurity claims in the warning letter recently issued to St. Jude, the FDA alleges that St. Jude failed to show that it made sure that a recent patch to its software would fix the potential vulnerabilities that were previously detected before releasing the product into the market.