Contributor: Lisa W. Clark, JD’89
To learn more about Lisa, click here.
Nora, who has a pacemaker manufactured by St. Jude Medical, plugged in her Merlin@home™ transmitter before she went to sleep. The transmitter is part of St. Jude’s Merlin.net™ Patient Care Network, a remote cardiac care monitoring network that collects data from the pacemaker on the patient’s heart rate and uploads the data through a web interface for computer access by the patient, her physician, and caregivers. The network also provides alerts when an event occurs. Nora was happy with her pacemaker and the remote monitoring system because it allowed her to avoid physician visits and provided up-to-date information on her condition. But Nora’s heart rate skyrocketed the next morning when she was notified that the U.S. Food & Drug Administration had issued a Safety Communication entitled: “Cybersecurity Vulnerabilities Identified for the St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter” (January 9, 2017). The FDA had determined the transmitter contained security flaws that made it vulnerable to outside attacks, possibly leading to rapid depletion of the pacemaker’s battery or the administration of inappropriate pacing or shocks. Although St. Jude Medical was applying a security patch, Nora suddenly realized the risks of relying on technology to guard her health, as did her physician. St. Jude Medical had much to cope with as well.
Last year, St. Jude Medical and Abbott Laboratories announced they were engaged in negotiations for Abbott to purchase St. Jude Medical for approximately $25 billion. The deal closed on January 4, 2017, a week after the Federal Trade Commission announced it would approve the acquisition, which has been subject to an intensive anti-trust investigation. The timing of the FDA’s Safety Communication, which was issued five days after the deal closed, is interesting, suggesting that obtaining the FDA’s agreement to sign off on Merlin@home™’s cybersecurity issues may have been related to the deal. Although the St. Jude’s Medical Merlin.net™ Patient Care Network was only one of St. Jude Medical’s product lines, the discovery of the cybersecurity issues during deal talks could not have been welcome. Not only did this discovery result in an FDA investigation but in a significant dip in stock after an outside party uncovered and announced the vulnerabilities.
Muddy Waters, an investment research firm, first announced the vulnerabilities in August, 2016. It issued a 53-page report stating that it was shorting St. Jude Medical’s stock based on findings that the device maker would likely lose half of its revenue for approximately two years due to weaknesses in the cybersecurity of the Merlin@home™ device. The Muddy Waters’ report alleged that Merlin@home™ lacked standard security defenses, such as strong authentication, encrypted software and code, anti-bugging tools, and anti-tampering mechanisms, that might be able to prevent a hacker from causing the device to malfunction or drain the battery. Muddy Waters explained that it had been notified of these weaknesses by a security firm, MedSec, which, according to media reports, would receive a share of any profits made off a short sell of St Jude Medical’s stock. Unauthorized security probes by security firms are becoming more common.
The week after the report was issued, St. Jude Medical’s stock fell sharply; the FDA confirmed that it was investigating Merlin@home™; and St. Jude Medical brought litigation against Muddy Waters in federal court in Minnesota, claiming the firm disseminated false and misleading information designed to manipulate St Jude Medical’s stock price. In the subsequent months, there was much discussion among physicians, device makers, and cybersecurity experts as to whether Muddy Waters’ claims were legitimate and whether patients should be instructed to stop using the transmitter. With the FDA’s January 9, 2017 Safety Communication, St. Jude Medical acknowledged the vulnerabilities and applied the patch. Fortunately for St. Jude Medical, it recovered from the public attack on the security of its product and systems and was able to complete the sale to Abbott.
What can device companies, investors, providers, and of course we as patients learn from this saga? Here are some takeaways:
- If you are a device company, developer, or distributor of a mobile or a software-based health product that transmits information over the Internet, implement security features and protocols based on highest industry standards, including ongoing assessment and fixes. The FDA recently issued important guidance on cybersecurity in medical devices. Postmarket Management of Cybersecurity in Medical Devices (December 28, 2016). And make sure you have adequate cybersecurity insurance.
- If you are a device company, a potential investor, or physician using mobile health for patient care management, be aware of the malpractice risks for devices and software that may not meet security standards. Keep up-to-date on alerts from the manufacturer, the FDA, trade associations, and others. And for healthcare providers, make sure your insurance covers advice you may offer to patients regarding mobile health devices.
- If you are considering investing in a product or service that relies on mobile health or remote healthcare management, make sure your due diligence includes a comprehensive security analysis and assessment. Use technology experts as necessary to test the devices and systems.
- For all stakeholders, rely on experienced legal counsel and consultants to ensure that you are aware of all of the risks and trends, and that any assessments, due diligence, and user recommendations satisfy legal and industry standards.
So back to Nora. She discussed with her physician the safety and risks of using of the Merlin.net™ Patient Care Network and the Merlin@home™ transmitter. Based on the FDA’s Safety Communication, the physician recommended that Nora continue to use the transmitter, and Nora agreed to do so. Nora is comfortable with her decision for now, but she’s holding onto the number for the class action lawyer who called her just in case.
Contact Lisa at:
Disclaimer: This article is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this article are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.