The FDA confirmed that St. Jude Medical’s implantable cardiac devices are vulnerable to hacking. Once hackers gain access to the device, they could deplete the battery or administer incorrect pacing or shocks, the FDA said on Monday.
The devices — pacemakers and defibrillators — are used in heart patients.
Endgadget reports that St. Jude has developed a software patch to fix the vulnerabilities, and that as of Monday, the patch has been automatically applied to affected devices. To receive the patch, the Merlin@home Transmitter should be plugged in and connected to the Merlin.net network.
Patients can continue to use the devices, the FDA said, adding that no patients were harmed as a result of the vulnerabilities.
Abbott Laboratories has acquired St. Jude for $25 billion, saying it has worked with the FDA and DHS to update and improve the security of the affected devices.
“Cybersecurity, including device security, is an industry-wide challenge and all implanted devices with remote monitoring have potential vulnerabilities,” Candace Steele Flippin, a spokeswoman for Abbott, told CNNMoney in an e-mail. “As we’ve been doing for years, we will continue to actively address cybersecurity risks and potential vulnerabilities and enhance our systems.”
In August 2016, Muddy Waters founder Carson Block published a report claiming St. Jude’s devices could be hacked. St. Jude said the claims were “absolutely untrue,” and in September, it filed a lawsuit against Muddy Waters.
Block, on Monday said the FDA’s announcement “vindicates” his firm’s research.
“It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities,” Block said. “Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”