Houston Chronicle

Cybersecurity flaw found in heart devices, U.S. warns

- By Tami Abdollah and Matthew Perrone

WASHINGTON — The Homeland Security Department warned Tuesday about an unusual cybersecurity flaw for one manufacturer’s implantable heart devices that it said could allow hackers to remotely take control of a person’s defibrillator or pacemaker.

Information on the security flaw, identified by researchers at MedSec Holdings in reports months ago, was only formally made public after the manufacturer, St. Jude Medical, made a software repair available this week. MedSec is a cybersecurity research company that focuses on the health care industry.

The government advisory said security patches will be rolled out automatically over months to patients with a device transmitter at home, as long as it is plugged in and connected to the company’s network. The transmitters send heart device data back to medical professionals.

Abbott Laboratories’ St. Jude said in a statement it was not aware of deaths or injuries caused by the problem. The Food and Drug Administration also said there was no evidence patients were harmed.

The federal investigation into the problem started in August.

MedSec CEO Justine Bone said St. Jude’s software fix did not address all problems in the devices.

St. Jude’s devices treat dangerous irregular heart rhythms that can cause cardiac failure or arrest. Implanted under the skin of the chest, the devices electronically pace heartbeats and shock the heart back to its normal rhythm when dangerous pumping patterns are detected.

The company’s Merlin@home Transmitter electronically sends details on the device’s performance to a website where the patient’s physician can review the information. But that device can also be hacked.

The FDA’s investigation confirmed the vulnerabilities of the home transmitter, which could potentially be hacked and used to rapidly deplete an implanted device battery, alter pacing and potentially administer inappropriate and dangerous shocks to a person’s heart. FDA spokeswoman Angela Stark said the company is working to address remaining vulnerabilities quickly.

Glen Stubbe / Star Tribune file: St. Jude Medical has its headquarters near St. Paul, Minn. The Homeland Security Department is warning the public about an unusual cybersecurity flaw.
