January 20, 2022

Volume XII, Number 20

St. Jude Cybersecurity Vulnerability Extended to Provider-Owned Devices

Earlier this week, the U.S. Department of Homeland Security (DHS) updated a prior advisory revealing cybersecurity vulnerabilities in St. Jude Medical’s Merlin@home transmitter.

The Merlin@home transmitter is used by patients with St. Jude implantable cardiac devices to wirelessly transmit data from the patient’s cardiac device to the Merlin.net Patient Care Network. The uploaded data can then be monitored by a physician to determine whether the device is functioning properly. This past January, DHS released an advisory detailing a vulnerability that could allow an unauthorized user to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home transmitter. The altered transmitter could then be used to modify the implanted device to rapidly deplete its battery and/or administer inappropriate pacing or shocks to the patient. St. Jude quickly made an update available to patch this vulnerability.

The updated advisory extends the vulnerability to Merlin transmitters that are used by providers. These transmitters contain the same hardware and software as the models used by patients in their homes, but have an additional function called MerlinOnDemand that allows providers to use one transmitter in their office to obtain device data from multiple patients. According to the advisory, the endpoints between the implanted device and the Merlin.net website are not verified. This makes the transmission vulnerable to a “man-in-the-middle” attack that would allow an attacker to remotely access the device. St. Jude has said that the MerlinOnDemand-enabled devices will receive the same patch that was provided to the home-based models.

The new vulnerability comes on the heels of the U.S. Food and Drug Administration’s release of final guidance on the postmarket management of cybersecurity in medical devices.

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

National Law Review, Volume VII, Number 42

About this Author

The health industry is a complex system, and reimbursement is the lifeblood. Reduction in payments from governmental and commercial payors affects providers, suppliers, manufacturers, and all others across the health care continuum.

Regulatory approval and accreditation is the heart of the system. For many, delay in licensure and other regulatory approvals can threaten financing and corporate viability. Accreditation of residency training programs is essential to the vitality of academic medical centers and teaching hospitals.

Restructuring is a fact of life in this dynamic...

202-434-7324