In-brief: In a damning report, the FDA said that St. Jude Medical* knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or other mitigations, or by replacing those devices. (Editor’s note: updated to include a statement from Abbott and comment from Dr. Kevin Fu. – PFR April 14, 2017)

The U.S. Food and Drug Administration issued a letter of warning to medical device maker Abbott on Wednesday, slamming the company for what it said was a pattern of overlooking security and reliability problems in its implantable medical devices at its St. Jude Medical division and describing a range of the company’s devices as “adulterated,” in violation of the US Federal Food, Drug and Cosmetic Act.

In a damning report, the FDA said that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or by replacing those devices. The government found that St. Jude Medical, time and again, failed to adhere to internal security and product quality guidelines, a lapse that resulted in at least one patient death.

St. Jude Medical, which is now wholly owned by the firm Abbott, learned of serious and exploitable security holes in the company’s “high voltage and peripheral devices” in an April, 2014 “third-party assessment” commissioned by the company. But St. Jude Medical “failed to accurately incorporate the findings of that assessment” in subsequent risk assessments for the affected products, including Merlin@home, a home-based wireless transmitter that is used to provide remote care for patients with implanted cardiac devices, the FDA revealed. Among the security flaws: a “hardcoded universal unlock code” for the company’s implantable, high voltage devices.

The report casts doubt on a defamation lawsuit St. Jude Medical filed against the firm MedSec Holdings Ltd over its August, 2016 report that warned of widespread security flaws in St. Jude Medical’s products, including Merlin@home. The MedSec report on St. Jude Medical’s technology was released in conjunction with a report by the investment firm Muddy Waters Research, which specializes in taking “short” positions on firms. At the time, MedSec said that the security of the company’s medical devices and support software was “grossly inadequate compared with other leading manufacturers,” and represents “unnecessary health risks and should receive serious notice among hospitals, regulators, physicians and cardiac patients.” St. Jude Medical has called the MedSec allegations false, but it now appears that the company had heard similar warnings raised by its own third-party security auditor more than a year prior.

“Your firm’s Global Risk Management Procedure…requires your firm to assess if new hazards are introduced, or previously identified hazardous situations are affected, by risk control measures. Your firm identified the hardcoded universal unlock code as a risk control measure for emergent communication. However, you failed to identify this risk control also as a hazard. Therefore, you failed to properly estimate and evaluate the risk associated with the hardcoded universal lock code in the design of your High Voltage devices.”

The revelation was welcomed by MedSec CEO Justine Bone. “It is refreshing to see the disclosure,” Bone told The Security Ledger. “St. Jude Medical, for the first time, publicly acknowledged that they knew about (the security risks), but continued to sell these products and have them implanted in patients,” she said.

The FDA Warning Letter addresses two sets of unrelated complaints about St. Jude Medical’s implantable High Voltage devices. One complaint concerns battery shorts that could cause implantable defibrillators to fail. The other concerns a range of software vulnerabilities that leave the devices vulnerable to remote, wireless attacks. On both scores, the FDA found similar patterns of behavior. Namely: St. Jude Medical turned a blind eye to reports from supply chain partners and independent auditors about serious flaws in its products.

Regarding the battery shorts, for example, FDA reviewed three years of St. Jude Medical’s Product Analysis reports and found that the firm supplying the lithium batteries for St. Jude Medical’s implantable devices made it clear that a condition called “lithium cluster bridging” (aka ‘shorting’) could prematurely drain the device’s battery, but that St. Jude Medical insisted that the cause of such failures in its devices implanted in patients “could not be determined.” The result: St. Jude Medical continued to distribute devices containing the flawed battery until October 2016, despite recognizing the problem as early as 2013. In one case, a device with a failed battery was linked to a patient death. St. Jude Medical’s report on the device in question said the cause of the premature battery depletion “could not be determined,” FDA said.

Similarly, St. Jude Medical learned about the cyber security risks associated with its high voltage, implantable devices in 2014. The company’s standard operating procedure required it to incorporate those findings into its security risk ratings and then to take steps to mitigate those risks. But St. Jude Medical pointedly failed to adequately control for those risks. The hardcoded universal unlock code, similarly, should have been recognized as an “exploitable hazard” for St. Jude Medical’s High Voltage devices once it was identified, but it was not. “Therefore, you failed to properly estimate and evaluate the risk associated with the hardcoded universal lock code in the design of your High Voltage devices,” FDA concluded.

“Right now you have a vulnerable protocol and a known back door, so it’s theoretically possible that any device that can connect to an implantable device wirelessly using, for example, a software defined radio, can control it,” Bone said. The chances of that attack happening to any individual are low, she said, but for patients with a St. Jude Medical device implanted in their body the stakes are life and death.

St. Jude Medical did not reply to a request for comment prior to publication of this story. The Security Ledger will update the story when we hear from the company.

In a statement Thursday, St. Jude Medical’s parent company, Abbott, said that “patient safety comes first” at the company. “We have a strong history and commitment to product safety and quality, as demonstrated by our operations across the company.”

In a response to the FDA signed by Vishnu Charan, St. Jude Medical’s Vice President of Operations, the company acknowledged receipt of the FDA report and its six observations about both the battery and software issues. It promised to address three concerns: two pertaining to the handling of battery shorting and one pertaining to the risk assessment of its Merlin@home device. Three other issues were marked as “under consideration” by St. Jude Medical.

“We take these matters seriously, continue to make progress on our corrective actions, will closely review FDA’s warning letter, and are committed to fully addressing FDA’s concerns,” Abbott said in a statement.

The FDA has given the company 15 days to respond to the issues raised in its letter and said that the company will not have any Class III devices approved for sale to the public until the issues it has raised are addressed, including detailed plans for responding to specific security and reliability issues that have been raised and larger “systemic” fixes that ensure the same problems won’t recur.

Jonathon Hamilton, Abbott’s Divisional Vice President for Business Public Affairs, said the company is continuing “to sell all on-market products and pursue regulatory filings.” The company is still evaluating how the FDA hold “may impact anticipated product approvals from the Sylmar facility,” Hamilton wrote in an email to The Security Ledger.

But Bone of MedSec thinks that those fixes won’t be quick in coming. “The whole protocol needs to be re-architected, redesigned and then implemented,” she said. “And redesigning communications protocols is not something you can do with a quick code patch.” In theory, the company may have been working on such a fix all along, but Bone said she hasn’t had any indication of that.

“It’s been six months since our report and, we now know, two years since the previous report. I think people are getting a bit fed up.”

The FDA letter is proof that the agency “does have teeth and will use them,” said Joshua Corman of The Atlantic Council in an interview with The Security Ledger. Corman said that the St. Jude Medical case should serve as a cautionary tale for other medical device makers and, possibly, as a learning opportunity for the medical device industry, which is struggling to secure both legacy and new devices against a range of online threats.

Kevin Fu, a leading expert on the security of medical devices and CEO of the healthcare cybersecurity firm Virta Labs, echoed that sentiment. He called the FDA letter a “come-to-Jesus moment” for Abbott and St. Jude Medical, for other firms that make medical implants, and “for the officers and directors of any medical device manufacturer that thought FDA was bluffing about cybersecurity.” “No manufacturer or hospital wants to be in the headlines. A serious cybersecurity problem can grind operations to a halt. This is why customers ask us to build security into devices from day zero rather than by zero day,” Fu wrote in an email.

(*) Clarification: shortened references to “St. Jude” were updated to “St. Jude Medical,” using the full name of the company, prior to its acquisition by Abbott.