Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Medicine Government Security

FDA Slams St. Jude Medical For Ignoring Security Flaws In Medical Devices (securityledger.com) 30

chicksdaddy quotes a report from The Security Ledger: The U.S. Food and Drug Administration issued a letter of warning to medical device maker Abbott on Wednesday, slamming the company for what it said was a pattern of overlooking security and reliability problems in its implantable medical devices at its St. Jude Medical division and describing a range of the company's devices as "adulterated," in violation of the U.S. Federal Food, Drug and Cosmetic Act, the Security Ledger reports. In a damning warning letter, the FDA said that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or by replacing those devices. The government found that St. Jude, time and again, failed to adhere to internal security and product quality guidelines, a lapse that resulted in at least one patient death. St. Jude Medical, which is now wholly owned by the firm Abbott, learned of serious and exploitable security holes in the company's "high voltage and peripheral devices" in an April, 2014 "third party assessment" commissioned by the company. But St. Jude "failed to accurately incorporate the findings of that assessment" in subsequent risk assessments for the affected products, including Merlin@home, a home-based wireless transmitter that is used to provide remote care for patients with implanted cardiac devices, the FDA revealed. Among the security flaws: a "hardcoded universal unlock code" for the company's implantable, high voltage devices. The report casts doubt on a defamation lawsuit St. Jude filed against the firm MedSec Holdings Ltd over its August, 2016 report that warned of widespread security flaws in St. Jude products, including Merlin@home. The MedSec report on St. Judes technology was released in conjunction with a report by the investment firm Muddy Waters Research, which specializes in taking "short" positions on firms. At the time, MedSec said that the security of the company's medical devices and support software was "grossly inadequate compared with other leading manufacturers," and represents "unnecessary health risks and should receive serious notice among hospitals, regulators, physicians and cardiac patients." St. Judes has called the MedSec allegations false, but it now appears that the company had heard similar warnings raised by its own third-party security auditor more than a year prior.
This discussion has been archived. No new comments can be posted.

FDA Slams St. Jude Medical For Ignoring Security Flaws In Medical Devices

Comments Filter:
  • It's often entertaining reading Slashdot Summaries, because you know that the wording / content is selected to press certain buttons. Just say hard coded password , and you know that the majority of regular Slashdot readers will immediately sport a huge raging erection of epic proportions. Yet there is a lot more to the story than that, for example - SURPRISE! - Lithium Ion Battery issues, who would have thought. As well, serious mechanical as well as software issues that go beyond a backdoor. But of cour

    • Yes, the original title of the article "Update: FDA says St. Jude Medical knew about Device Flaws 2 Years Before Muddy Waters Report" definitely wouldn't garner as many responses.

      For one thing, we'll need at least 100 responses to clarify the fact that the security flaws are not what caused the death of the patient. And then we'll need another 200 responses to figure out what flaw actually killed that patient in question. Plus we can add another 50 responses that criticize Slashdot or the editor for trying

  • NOT "The" St Jude (Score:5, Informative)

    by XanC ( 644172 ) on Friday April 14, 2017 @06:22PM (#54236999)

    The summary should have clarified that this does not involve St. Jude Children's Research Hospital in Memphis. The article seems to be about a facility in California.

    • Indeed. I was reading the summary, thinking, this seems like a medical supply company pandering off the good name of the charity... filthy bastards.
      • by reanjr ( 588767 )

        Or named so because St. Jude is the patron saint of desperate causes and that concept applies to medicine in general.

      • This isn't the Wall Street Journal, guys. Slashdot doesn't even create a coherent summary, much less add the stock market ticker of the company.

    • The summary should have clarified that this does not involve St. Jude Children's Research Hospital in Memphis. The article seems to be about a facility in California.

      Exactly. The one they're talking about is St.Jude Patron Saint of Hopeless Causes and Buggy Medical Devices Inc, California.

  • "a lapse that resulted in at least one patient death."

    Instead of a letter, they should be prosecuting an exec, and putting them in jail for a long time. That will get their attention.
  • This is capitalism (Score:4, Insightful)

    by lucasnate1 ( 4682951 ) on Friday April 14, 2017 @07:07PM (#54237137)

    When there is no regulation, companies will always have the incentive to make as much as money as possible while doing as little work as possible. There has to be a stick, not only a carrot.

    • There is a lot of regulation in the medical device field. Perhaps more than anything short of commercial aircraft. The problem is that the FDA isn't aggressively pursuing being a regulatory agency. If you don't enforce the regulations, following them becomes less of a priority.

      The FDA has been criticized by many for being too lax. Various FDA staffers have criticized Congress for cutting funding (ooh, bad government, no biscuit). Truth is probably somewhere in between - there are likely lots of villain

      • by Anonymous Coward

        The FDA has not been allowed to prosecute. It's a regulatory agency, and has had its ability to enforce wiped out by lobbyists and professional bureaucracy. They've become about as effective as the Curiae at the Vatican trying to prevent child molestation, or the SEC trying to restrain stock fraud. And frankly, for much the same reasons.

  • The FDA has killed more people than St. Jude ever did. These are the people who brought us the Food Pyramid. The FOOD PYRAMID which was obviously constructed to favor the big agro industries and had nothing to do with health. Also, when it comes to medical devices, these shitty things are over-pattented, over-protected, and pieces of crap. My fiance is diabetic and has a pump that costs $300 to buy but is using technology older than the TI-85. Pretty sure it costs them $10 to make it. Oh and one time she ha
  • No-one every seems to mention how medical device manufacturers often extort the device users via a delicate yet precarious conspiracy among physicians, the medical industrial complex, the insurance companies and the federal government.

    Specifically, if a physician recommends (in order to limit their liability in compliance w/ medical malpractice insurance) that a patient use a specific device (e.g., a heart implant) then the insurance companies will generally threaten to cancel your insurance if you don't

  • by Artagel ( 114272 ) on Saturday April 15, 2017 @10:59AM (#54239795) Homepage

    If you read the warning letter at the link, it may not make a lot of sense to many of you. Here goes:

    FDA wants to have companies work with it to make things as safe as possible. Cooperation with FDA means that FDA worries less about you.

    FDA usually starts with an "untitled letter" or "notice of violation" letter. This is FDA's way letting a company know that it found something that is concerning them. It may be that there is no problem, but FDA's concern has to be addressed or things may escalate. Obviously, St. Jude's efforts to convince FDA that there was not a problem did not work here.

    When FDA moves to a warning letter, it has convinced itself that there is a problem that has to be fixed. The idea is to get the company to fix it on its own, which happens 99% of the time. Most companies address problems at this stage because they want to protect their reputation as a good company at FDA. Recalcitrant companies applications for approval can be viewed with somewhat more suspicion than companies that jump on issues and fix them right away. Nobody really wants more on-site FDA inspections.

    We saw with Theranos what can happen if you fail to fix the problem identified in a warning letter: escalation to enforcement to make the company comply.

    A company of any size, or with a product of significant complexity, needs to have written procedures for addressing problems and escalating unsolved problems to a higher level of management. FDA found that St. Jude did not follow its procedures and that the procedures were inadequate. So, to satisfy FDA the company will need to convince FDA that the written procedures are adequate and that there is supervision to enforce those procedures within the company.

    At this stage companies will often turn to outside consultants to help fix the problem because higher management no longer has confidence in lower management to fix the problem.

I go on working for the same reason a hen goes on laying eggs. -- H.L. Mencken