FDA warns that St. Jude’s heart devices could be hacked
The FDA has publicly announced that certain of St. Jude’s medical devices, including cardiac devices, have safety issues that leave them vulnerable to hacking. Abbott Laboratories, which recently completed a deal to take over St. Jude Medical, announced that it would issue an immediate patch to reduce the chance of the devices being hacked.
The FDA announcement comes five months after cyber security issues were first brought to light by Muddy Waters, a short-selling firm, and cyber security firm MedSec Holdings. Muddy Waters used Twitter to link to research describing the faults in the cyber security of the devices.
The vulnerabilities in the cardiac devices would allow a hacker to take command of a device remotely and severely disrupt its function. The hacker would potentially be able to drain the device’s battery, leading to severe complications for the user.
The FDA was keen to stress that no patients using the devices have been harmed as a result of hackers exploiting weaknesses in the software. Abbott released a patch for the devices alongside the FDA announcement; although St. Jude is now officially part of Abbott, the patch announcement was released under the St. Jude Medical moniker.
“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cyber security expert Ann Barron DiCamillo, advisor to St. Jude Medical’s Cyber Security Medical Advisory Board. “Today’s announcement is another demonstration that St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate.”
The slightly defensive tone of the statement is indicative of the tension between Muddy Waters and St. Jude over the release of the news about the security flaws, with the latter having announced a defamation lawsuit against the former over the release. Muddy Waters had been clear that it had adopted a short position against St. Jude, on the presumption that news of any security flaws might disrupt what was, at the time, the potential acquisition of St. Jude by Abbott. Although the deal still went through, the lawsuit against Muddy Waters has not been dropped.
The potential for electronic devices to be hacked has begun to draw serious concern, with news in late 2016 also revealing weaknesses in Johnson & Johnson’s insulin pumps. It goes some way to justifying Muddy Waters’ and MedSec’s claims that their work and the release of information are in the public good, forcing through software updates of older devices to protect the public.