St. Jude Medical Announces Cybersecurity Updates

January 09, 2017

Company continues to lead the way in advancing cyber security protections in partnership with FDA and ICS-CERT

ST. PAUL, Minn. -- As part of its commitment to continuous improvement and the security of its electronic devices, today St. Jude Medical, Inc. announced that it will immediately deploy the latest release of cyber security updates for its Merlin™ remote monitoring system that is used with implantable pacemakers and defibrillator devices. The improvements include security updates that complement the company’s existing measures and further reduce the extremely low cyber security risks.

All medical devices using remote monitoring are exposed to the risk of a potential cyber security attack. St. Jude Medical is not aware of any cyber security incidents related to a St. Jude Medical device, nor is it aware that any specific St. Jude Medical device or system in clinical use has been purposely targeted. In recognition of the changing cyber security landscape and the increased public attention on highly unlikely medical device cyber risks, we are informing the public about these ongoing actions so that patients can continue to be confident about the benefits of remote monitoring.

“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cyber security expert Ann Barron DiCamillo, former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board. “Today’s announcement is another demonstration that St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate.”

“We’ve partnered with agencies such as the U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.

As technology evolves, St. Jude Medical made seven software updates in three years to the Merlin@home™ transmitter alone, and it will immediately release its latest software update to Merlin@home™, which will begin to be implemented today. The update includes additional validation and verification between the Merlin@home™ device and St. Jude Medical has collaborated with the FDA, DHS ICS-CERT and other regulators in implementing this update. The company also plans to implement additional updates in 2017.

As is always recommended, patients should make sure that their Merlin@home™ unit is plugged in and connected via landline or cellular adapter so they can receive these and any future automatic security updates. Physicians or patients with any questions should call the Merlin hotline at 1-877-MY-MERLIN (1-877-696-3754) or visit for more information.

“As medical technology advances, it’s increasingly important to understand how innovation and cyber security impact physicians and the patients we treat,” said Dr. Leslie Saxon, chair of St. Jude Medical’s Cyber Security Medical Advisory Board. “We are committed to working to proactively address cyber security risks in medical devices while preserving the proven benefits of remote monitoring to assess patient status and device function.”

“The safety and security of patients is always our primary focus. We’ll continue to work with agencies, security researchers, physicians and others in the industry in a coordinated way to develop best practices and standards that further enhance the security of devices across the medical industry,” said Ebeling.

As of January 4, 2017, St. Jude Medical is a part of Abbott.

St. Jude Medical, Inc.
J.C. Weigelt, 651-756-4347
Investor Relations
Candace Steele Flippin, 651-756-3029
Media Relations