FDA: Make Medical Device Cybersecurity a Top Priority

By John DiGiacomo


At the end of December, the Food and Drug Administration (FDA) issued new guidance for medical device cybersecurity. The new guidance encourages medical device developers and producers to make cybersecurity of networked medical devices a top priority throughout the product development lifecycle. It did not take long after the issuance of this new guidance for medical device maker St. Jude Medical to develop and deploy a software patch to improve the cybersecurity of some of its remote monitoring systems for various medical devices that it manufactures. Specifically, St. Jude Medical developed patches for implantable pacemakers and defibrillators, according to  

One product line whose security St. Jude Medical took action to further improve was the Merlin@home wireless devices. These devices communicate remotely with implanted cardiac devices in patients. Some potential vulnerabilities were identified in the Merlin@home network-connected devices that could allow a hacker to gain access to the device and change parameters of the implanted device. Concerns about medjacking were raised for the Merlin@home devices, as hacked devices could be controlled by hackers to administer inappropriate pacing (electrical stimulations to the heart).

With any medical device, there is always a risk to the patient, so the important question asked by designers, developers, manufacturers, and regulators is “does the benefit from this medical device outweigh the risks associated with the device?” The benefit of having a network-connected implantable medical device is that the device can record and transmit important patient information to a physician or to the patient's electronic medical record. The risk is that network-connected devices could be hacked by cybercriminals.

The patch developed by St. Jude Medical for the Merlin@home medical devices enhances security by adding an additional validation and verification step when establishing wireless communication between the device and network.  

Could Someone Really Hijack a Medical Device?

Hijacking a medical device is a real and tangible cybersecurity threat. Although it is possible to do so, no St. Jude Medical device associated with the Merlin@home product line has been hacked and no patients with these implantable devices have been harmed by medjacking. Most cyberattacks are financially motivated, and there is little financial gain in hijacking medical devices, which could explain why there are not many instances of this occurring. Nonetheless, medical device producers need to prepare against the real and looming cybersecurity threat posed by hackers.

Contact a Medical Device Cybersecurity Lawyer

Medical device companies and healthcare systems need to be aware of the cybersecurity threats that are likely to affect them, their business, and their customers. Medjacking is one of the newer types of cybersecurity threats, but as technology and hacking techniques advance, medjacking could become more commonplace. Revision Legal works with companies to help manage cybersecurity issues and the aftermath that follows a cybersecurity breach. Contact the experienced health care data breach lawyers at Revision Legal. Please feel free to reach out to us today. Contact us using the form on this page or call us at 855-473-8474.

Image credit: Congress Check