PAUL, Minn.–(BUSINESS WIRE)– St. Jude Medical, Inc. (NYSE:STJ), a global medical device company, today issued the following statement: We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.
Remote monitoring is a safe and effective means for patients to communicate with their physician. It has been well documented in leading publications that remote monitoring saves lives. At St. Jude Medical, we work with third-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for our data and devices as part of our product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts. In addition, we collaborate with industry and governmental organizations to gain insight on recent trends and take appropriate action.
Our system provides an automated remote upgrade process for all [email protected] units that are in active use so that security enhancements are automatically deployed when they become available. [email protected] units that are not in active use and connected to the internet will also be upgraded when they return to use if a new update is available. Our analysis concluded that the majority of the observations in the report apply to older versions of the [email protected] devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes. We want to reassure our patients that our systems meet the highest international security requirements, as required by regulatory authorities and international standards organizations.
Claims of remote battery depletion are misleading
The report claimed that the battery could be depleted at a 50-foot range. This is not possible since once the device is implanted into a patient, wireless communication has an approximate 7-foot range. This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report. In addition, in the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient. In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients.
The flawed test methodology on outdated software demonstrates fundamental lack of understanding of medical device technology
The report claimed that the system could be impaired, similar to when a computer system “crashes.” The report has little detail on this simulation and includes many inconsistencies. In fact, the screenshot of the Merlin programmer in the Muddy Water report shows a device that is functioning normally. The red items on the screen are highlighting the fact that there are no leads connected to the device. The device is pacing properly, at the programmed 40bpm. The screenshot shows expected behavior from the SecureSense algorithm when device is pacing without any connected leads.
St. Jude Medical will remain ever vigilant and dedicated to patient safety
Our software has been evaluated and assessed by several independent organizations and researchers including Deloitte and Optiv. In addition, Merlin.net was Safe Harbor certified by St. Jude Internal Audit in 2013 and annually since then. This includes an annual audit of key security controls within the Merlin.net environment and Merlin.net has received ISO 27001 certification since 2009. This includes an internal audit of security controls and an independent certification by a third party, BSI. In 2015, we successfully completed an upgrade to the ISO 27001:2013 certification.
Muddy Waters also makes numerous unsubstantiated statements that are speculative with no evidence shown to prove the claims such as an ability to impersonate any SJM device, reverse engineering to create a pocket-size programmer, and a large-scale attack through the Merlin network. However, we are not aware of such threats and will remain vigilant to the ever-increasing sophistication of those seeking access to devices/data and address any issues based on additional detail provided.
We recognize the importance of providing physicians with up-to-date and accurate information in a timely and responsible manner so that they can make informed patient care decisions. Our analysis reinforces the need for researchers and manufactures to work together to discuss and resolve potential issues together to avoid unnecessarily alarming patients.
St. Jude Medical is a strong supporter of responsible disclosure and proactively works with industry groups like NH-ISAC and ICS-CERT
We encourage anyone with product security questions to contact us at [email protected]. We ask anyone with an a potential cybersecurity vulnerability in a St. Jude Medical product to contact us at [email protected] for further inspection and analysis to best ensure we are able to validate and communicate information in the interest of patient safety.
Patient safety has always been our top priority and we have every reason to believe our devices are safe. Because we recognize cybersecurity is a concern for patients, it is also a priority for St. Jude Medical. We have a dedicated resource on sjm.com reinforcing our commitment to product and information security on our website.
About the Impact of the St. Jude Medical Remote Monitoring Portfolio
The St. Jude Medical Merlin.net Patient Care Network (PCN) is an award winning Radio frequency (RF) remote monitoring system designed to improve outcomes for patients with pacemakers, implantable cardioverter defibrillators (ICDs) and cardiac resynchronization defibrillators (CRT-Ds). With rapid access to their patient’s information through the secure Merlin.net PCN website, physicians can remotely monitor and assess patient device data and determine interventions needed. Recent research has shown that remote monitoring can improve patient survival while reducing hospitalizations and health care utilization.
In 2008, St. Jude Medical improved upon the exceptional security of the Merlin.net PCN by introducing the [email protected] transmitter, which allows efficient remote care management and additional options for physicians to provide early intervention and improve health care efficiency. The data transferred by [email protected] are fully encrypted and meet or exceed all applicable national data privacy and security requirements in all countries where the Merlin.net PCN is used. In addition, the Merlin.net PCN was the first cardiac device monitoring system to be awarded ISO/IEC 27001:2005 certification, a stringent worldwide information security standard, and our certification is audited, updated and current.
Remote monitoring of cardiac patients has become a best-practice over the past decade. In 2016, the Heart Rhythm Society has made remote monitoring the standard of care in its recent guidelines. St. Jude Medical has pioneered this life-saving capability with our RF Merlin.net Patient Care Network (PCN) and the [email protected] patient system. Dozens of studies continue to