By Dave Price
No one can say we weren’t warned.
Among the more random and capricious threats of modern life – terrorist attacks, Boston-area roadways, a Trump presidency – my still-new pacemaker normally wouldn’t make the list. Yet yesterday morning, there it was in a tweet from Muddy Waters Research and its managing director, Carson Block: “MW is short St. Jude $STJ – serious cybersecurity vulnerabilities in cardiac, could lose ~50% rev for 2+ years.”
I’m sure there were plenty of other folks who felt a brief little shudder when they saw that tweet shortly before 11 a.m. – including investors with significant long positions in St. Jude Medical (NYSE:STJ), which started the day at $81.88 a share, only to sink more than 10% by lunchtime before scratching back for a 5% loss at $77.82 by the close.
Same for Abbott (NYSE:ABT), which struck a $24.2 billion deal to buy St. Jude at $85 a share in April and saw the value of its new prize sink by around $1.15 billion on Thursday. And, of course, there are all the patients like me relying on Merlin@home devices.
Based on research from MedSec Holdings, a cybersecurity firm in Miami, Block asserted that St. Jude heart devices are extremely vulnerable to hacking and present a genuine risk to patients. The 33-page report describes two types of attacks. One is a “crash” attack that causes a pacemaker or defibrillator to malfunction, literally sending the heart racing before red-lining like the tachometer on a rusty Buick stuck in first gear. The other type causes the battery on the device to quickly drain, leaving a pacemaker-dependent patient as dead as the battery in that Skylark in the pre-dawn January dark in northern Minnesota.
“The allegations are absolutely untrue,” Phil Ebeling, St. Jude’s chief technology officer, said in rebuttal to the Muddy Waters report yesterday. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.”
My Merlin@home sits on the dresser closest to the bed, its single green LED on 24/7 to remind me of its constant watch on me and my Assurity PM2240 pacemaker. A cardiologist who worked on me at St. Francis Hospital on Long Island last winter told me one of the best advantages of the internet-linked monitor would be saving me from the hassle of coming in every 3 months for an EKG to see how I’m doing. Of course, he was the same doctor who told me my ablation procedure the day before wouldn’t hurt.
Even a quick skim through the Muddy Waters report calls to mind an episode in Showtime’s spook drama “Homeland,” in which deep-cover terrorist-turned-congressman Brody is leaning over a stricken vice president Walden after providing the serial number and other identifying data needed for an Al-Qaeda operative to hack into Walden’s home cardiac monitor. “I’m killing you,” Brody grins as Walden clutches his chest, a picture of disbelief and betrayal.
In real life, if the Muddy Waters report is accurate, the process for hacking a St. Jude cardiac device is apparently much easier.
According to the report, the hack requires few programming skills and can be randomly directed at any device within 50 feet.
“Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks,” the report alleges, describing Merlin@home monitors as “the keys to the castle,” with critical information and code lacking encryption.
I’ve talked with a fair number of short-sellers over the years and I tend to give their opinions quite a bit of credence. Carson Block has certainly seen his share of success in shorting companies. Betting that a stock is going to lose money is a lot more work than expecting it to rise, and when you’re wrong, the market can take you for a bundle before you can get out from your bet. That’s why short sellers typically do their homework and then some before taking a position. Still, you need to take their public pronouncements with some skepticism too: It’s always to their benefit to say something that sends a particular stock heading south.
Still, worrying about whether some nefarious person or group is hacking my pacemaker won’t keep me awake most nights. As far as I know, I haven’t made a lot of enemies over the years, so revenge likely is out as a motivating factor.
The odds of a purely random attack also are largely off the charts: It’s possible, of course, but so is the chance that I’ll hit all 63 picks in the NCAA men’s basketball tournament (plus the play-in games), or that I’ll be struck by space debris while watching the Maple Leafs win the Stanley Cup.
That said, I might think twice now before boxing in the neighbor’s car when parking spots are scarce.
Dave Price, a freelance journalist based in New York City, has been writing about business for more than 20 years.
The opinions expressed in this blog post are the author’s only and do not necessarily reflect those of MassDevice.com or its employees.