Medical device manufacturers are now facing a new challenge: managing the cybersecurity of their products.

On January 9, the FDA issued a Safety Communication setting out potential risks that could be caused by a cybersecurity vulnerability in certain St. Jude Medical cardiac devices. A growing number of devices – including St. Jude Medical’s implantable cardiac devices and corresponding Merlin@home Transmitter – transmit data directly to physicians to allow direct patient and device monitoring.

These highly connected devices promise to vastly improve patient care. The monitoring features allow constant observation by physicians, which increases patient safety and reduces the number of office visits.

But do these devices also pose potential risks? The FDA stated that there have not been any reports of patient harm related to the vulnerabilities in St. Jude Medical’s devices. Still, the agency warns that such vulnerabilities could allow an unauthorized user to remotely access the device. The device’s programming could then be altered, causing rapid battery depletion or administration of inappropriate pacing or shocks to the heart.

St. Jude Medical’s multi-pronged approach to addressing patients’ safety concerns and mitigating reputational harm appears to have been successful, and it could provide a roadmap for other manufacturers navigating this complex field.

Background

The FDA’s Safety Communication is the latest development in an already complex story. Back in August 2016, the investment researcher Muddy Waters Research, together with cybersecurity research firm MedSec, released a report that claimed to have uncovered vulnerabilities in St. Jude Medical cardiac devices that could allow cyber-attacks. The report claimed – without factual basis – that the devices would likely be pulled from the market and independently called for a product recall. It also advised users to unplug the remote monitoring.

The FDA disagreed with the Muddy Waters report. It concluded instead that the benefits of continued use of monitoring features outweighed any potential vulnerability. But Muddy Waters did not back off. It then released a video of an alleged attack on a St. Jude Medical pacemaker. University of Michigan researchers disputed the video’s validity.

St. Jude Medical quickly fought back. On September 7, 2016, St. Jude Medical sued Muddy Waters and MedSec for defamation. St. Jude Medical claimed that Muddy Waters, which held a short position in St. Jude Medical stock, was acting in self-interest and failed to comply with “ethical standard practices in the cybersecurity community and FDA guidance.” The complaint alleged that Muddy Waters sought financial gain “by publicly disseminating false and unsubstantiated information” that frightened and misled patients. St. Jude Medical asserted that “defendants must be held accountable so that such activity will not be incentivized and repeated in the future.”

St. Jude Medical did not stop with the defamation suit. It took additional measures to assure patients that cybersecurity was a priority. In October, St. Jude Medical announced that it had formed a Cybersecurity Medical Advisory Board. Further, when the FDA announced that it had identified cybersecurity vulnerabilities, St. Jude Medical responded the same day with a statement and a software fix that had received the FDA’s stamp of approval.

Takeaways

Cybersecurity in medical devices is a developing field. Standard practices and guidance are still being established, and it was only in December 2016 that the FDA published guidance addressing cybersecurity for medical devices that are already on the market. The FDA guidance calls on manufacturers to monitor devices on the market, assess how vulnerabilities could affect patients, use software patches and the like to mitigate risk before an attack occurs, and work with researchers to understand potential cyber threats.

St. Jude Medical has incorporated these elements into its response to cybersecurity concerns about its products.

In a recent post on the agency’s blog, the FDA’s Associate Director for Science and Strategic Partnerships indicated that the FDA anticipates that cybersecurity threats will become more sophisticated as technology evolves. The agency intends to update and adjust its post-market cybersecurity guidance as the field evolves.