The U.S. Food and Drug Administration on Wednesday sent Abbott Laboratories a warning letter stating that the company had inadequately addressed the security of the much-criticized Merlin@home Transmitter.
The letter warns of regulatory action against the healthcare company should vulnerabilities in the device remain unaddressed; those actions could include fines, injunctions and other penalties.
The Merlin@home Transmitter is a radio frequency transmitter designed by St. Jude Medical—which was acquired by Abbott in January—for at-home monitoring of patients with implanted defibrillators.
Vulnerabilities in the Merlin device and in others sold by St. Jude Medical were at the center of a report published last August by hedge fund Muddy Waters and medical device security research company MedSec Holdings. The disclosure was compounded by a short position Muddy Waters held in St. Jude Medical stock, which allowed it and MedSec to profit should St. Jude stock drop in value. Muddy Waters said at the time that it expected close to half of St. Jude Medical's revenue to be lost as a result of the disclosure and that remediation would take close to two years.
The Muddy Waters/MedSec report cited a number of vulnerabilities in Merlin@home that could allow an attacker to interfere with or interrupt communication between the transmitter and the implant. While Abbott and St. Jude Medical have patched some Merlin@home issues, MedSec challenged the fix, calling it incomplete. The report also disclosed vulnerabilities in the implants themselves that could allow an attacker to deliver shocks to the patient or drain the implant's battery.
“As this letter points out, the company has neglected to act on security expert recommendations dating as far back as 2014, and now Abbott’s St. Jude Medical cardiac products are failing to comply with FDA regulations,” MedSec CEO Justine Bone told Threatpost. “The implant vulnerabilities we highlighted have not been fixed yet; however, the FDA is now demanding action. We urge Abbott to act swiftly on mitigating these serious exposures.”
The FDA said in its letter to Abbott that the company did not confirm that a root cause investigation, mitigations, and actions to prevent a recurrence of these issues had taken place as required.
“Your firm did not confirm that verification or validation activities for the corrective actions had been completed, to ensure the corrective actions were effective and did not adversely affect the finished device,” the FDA said in its letter. “We have reviewed your response and conclude that it is not adequate. Your firm provided a summary of and implementation dates for several corrections and corrective actions. However, in your firm’s response, you failed to consider systemic corrective actions and the necessary information to include evidence of implementation for your firm’s corrections, corrective actions, and systemic corrective actions.”
The FDA’s letter was not solely critical of Abbott Laboratories’ handling of cybersecurity issues; it also cited shortcomings in addressing a problem with lithium batteries inside implantable devices that could drain prematurely.
Abbott Laboratories would not specifically address the cybersecurity issues in response to a request made by Threatpost. It sent this statement:
“At Abbott, patient safety comes first. We have a strong history and commitment to product safety and quality, as demonstrated by our operations across the company. Abbott acquired St. Jude Medical in January 2017; the FDA inspection of the Sylmar facility, formerly run by St. Jude Medical, began on February 7; and we responded to the 483 observations on March 13, describing the corrective actions we are implementing. We take these matters seriously, continue to make progress on our corrective actions, will closely review FDA’s warning letter, and are committed to fully addressing FDA’s concerns.”
On Jan. 9, St. Jude Medical pushed out a patch for Merlin@home that it said addressed the vulnerabilities disclosed by MedSec and Muddy Waters. At the time, MedSec’s Bone and Muddy Waters CEO Carson Block said the patches did not address a host of larger problems, including a backdoor that would allow hackers to control implants. In a podcast with Threatpost published Jan. 19, Bone reaffirmed that the patches were incomplete and addressed only a man-in-the-middle vulnerability between the transmitter and St. Jude’s infrastructure.
“The patch that St. Jude Medical released does not address the implants,” Bone said. “Unfortunately a few folks who are not quite as well versed in cybersecurity have seen this from the outside and seen this release from St. Jude Medical, and think that’s all taken care of. That’s absolutely not the case.”