St. Jude Medical Refutes Muddy Waters Device Security Allegations and Reinforces Security of Devices and Commitment to Patient Safety
Remote monitoring is a safe and effective means for patients to
communicate with their physician. It has been well documented in leading
publications that remote monitoring saves lives. At
Our system provides an automated remote upgrade process for all Merlin@home units that are in active use so that security enhancements are automatically deployed when they become available. Merlin@home units that are not in active use and connected to the internet will also be upgraded when they return to use if a new update is available. Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home™ devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes. We want to reassure our patients that our systems meet the highest international security requirements, as required by regulatory authorities and international standards organizations.
Claims of remote battery depletion are misleading
The report claimed that the battery could be depleted at a 50-foot
range. This is not possible since once the device is implanted into a
patient, wireless communication has an approximate 7-foot range. This
brings into question the entire testing methodology that has been used
as the basis for the
The flawed test methodology on outdated software demonstrates fundamental lack of understanding of medical device technology
The report claimed that the system could be impaired, similar to when a computer system “crashes.” The report has little detail on this simulation and includes many inconsistencies. In fact, the screenshot of the Merlin programmer in the Muddy Waters report shows a device that is functioning normally. The red items on the screen are highlighting the fact that there are no leads connected to the device. The device is pacing properly, at the programmed 40 bpm. The screenshot shows expected behavior from the SecureSense algorithm when the device is pacing without any connected leads.
Our software has been evaluated and assessed by several independent
organizations and researchers including
Muddy Waters also makes numerous unsubstantiated statements that are speculative with no evidence shown to prove the claims such as an ability to impersonate any SJM device, reverse engineering to create a pocket-size programmer, and a large-scale attack through the Merlin network. However, we are not aware of such threats and will remain vigilant to the ever-increasing sophistication of those seeking access to devices/data and address any issues based on additional detail provided.
We recognize the importance of providing physicians with up-to-date and accurate information in a timely and responsible manner so that they can make informed patient care decisions. Our analysis reinforces the need for researchers and manufacturers to work together to discuss and resolve potential issues to avoid unnecessarily alarming patients.
We encourage anyone with product security questions to contact us at email@example.com.
We ask anyone with a potential cybersecurity vulnerability in a
Patient safety has always been our top priority and we have every reason
to believe our devices are safe. Because we recognize cybersecurity is a
concern for patients, it is also a priority for
About the Impact of the St. Jude Medical Remote Monitoring Portfolio
The St. Jude Medical Merlin.net Patient Care Network (PCN) is an award-winning radio frequency (RF) remote monitoring system designed to improve outcomes for patients with pacemakers, implantable cardioverter defibrillators (ICDs) and cardiac resynchronization defibrillators (CRT-Ds). With rapid access to their patients’ information through the secure Merlin.net PCN website, physicians can remotely monitor and assess patient device data and determine interventions needed. Recent research has shown that remote monitoring can improve patient survival while reducing hospitalizations and health care utilization.
Remote monitoring of cardiac patients has become a best practice over
the past decade. In 2016, the
Patients with questions about remote care from
MY MERLIN (1-877-696-3754).
This news release contains forward-looking statements within the meaning
of the Private Securities Litigation Reform Act of 1995 that involve
risks and uncertainties. Such forward-looking statements include the
expectations, plans and prospects for the company, including potential
clinical successes, reimbursement strategies, anticipated regulatory
approvals and future product launches, and projected revenues, margins,
earnings and market shares. The statements made by the company are based
upon management’s current expectations and are subject to certain risks
and uncertainties that could cause actual results to differ materially
from those described in the forward-looking statements. These risks and
uncertainties include market conditions and other factors beyond the
company’s control and the risk factors and other cautionary statements
described in the company’s filings with the