The concerns stem from a possible risk for the cardiac devices being remotedy accessed by an unauthorized user that is someone other than a physician. If the Merlin@home Transmitter is accessed, it could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks, according to the FDA statement.
The FDA statement notes that St. Jude Medical has developed and validated a software patch for the Merlin@home Transmitter that addresses and reduces the risk of specific cybersecurity vulnerabilities. The patch, which will be available beginning January 9, 2017, will be applied automatically to the Merlin@home Transmitter.
Patients and patient caregivers only need to make sure their Merlin@home Transmitter remains plugged in and connected to the Merlin.net network to receive the patch. Additionally, the agency stated that The St. Jude Medical's implantable cardiac devices contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits.
As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates: any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users.