Abbott Laboratories is releasing cyber security updates for its St. Jude heart devices, it said on Monday, some five months after the U.S. government launched a probe into claims they were vulnerable to potentially life-threatening hacks.
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said the fix does not address all known problems affecting the company’s implanted heart devices.
“St. Jude Medical is continuing to work with ICS-CERT and the FDA to address additional security issues that have been identified,” the agency said in an advisory on its website.
Representatives for ICS-CERT, the Food and Drug Administration and Abbott could not be reached immediately to comment on the remaining problems.
ICS-CERT issued its advisory after the FDA released a Safety Communication advising patients and physicians that they could continue to using St. Jude’s implanted cardiac devices following the updates. ICS-CERT is charged with improving security of technologies in healthcare, energy and other industries that are part of critical infrastructure.
The FDA confirmed claims that cyber “vulnerabilities” could allow a hacker to remotely access St. Jude medical devices, but said there have been no reports of patients harmed by the vulnerabilities.
For more about hackings, watch:
The updates will automatically be pushed out to St. Jude home monitors that enable doctors to track their performance.
Doctors and patients have been waiting for the FDA and St. Jude to act since August when short-selling firm Muddy Waters and cyber security firm MedSec Holdings claimed the implanted heart devices were riddled with potentially lethal security bugs.
They warned of two primary hacks: One that could cause implanted devices to pace at potentially dangerous rates and one that drains the batteries.
The FDA said it will continue to assess new information concerning the devices and alert the public if it recommends further changes.
“The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks,” the agency said.
Merlin is used with its implantable pacemakers and defibrillator devices.
When Muddy Waters went public with the allegations in August, it also disclosed it was shorting St. Jude Medical, which was preparing to sell itself to Abbott.
Muddy Waters said it believed that disclosure of the vulnerabilities could cause the $25 billion deal to fall apart, but Abbott last week completed its acquisition of St. Jude, one of the world’s biggest makers of implantable cardiac devices.