Continue to Site

MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » UPDATE: St. Jude Medical denies short-seller’s accusations

UPDATE: St. Jude Medical denies short-seller’s accusations

By

St. Jude MedicalUPDATED August 26, 2016, with St. Jude Medical’s rebuttal.

St. Jude Medical (NYSE:STJ) sharply rebutted allegations by a short-seller that nearly half of its cardiac rhythm management devices are extremely vulnerable to hackers.

St. Jude Medical vehemently denied the charges, with their top R&D executive calling them “absolutely untrue.”

Muddy Waters, the firm founded by well-known short-seller Carson Block, issued a report today accusing Little Canada, Minn.-based St. Jude of being “grossly negligent” in failing to safeguard its Merlin@home device, which connects with implanted pacemakers and defibrillators. The short-seller wants to disrupt the pending, $25 billion acquisition of St. Jude by Abbott (NYSE:ABT); Block is long on ABT shares, he told Reuters.

The Merlin@home devices “can be exploited to cause implanted devices to malfunction and harm users. We believe that courts will hold STJ’s lack of security in its Cardiac Device ecosystem is grossly negligent, unless STJ settles the litigation we see as inevitable,” according to the Muddy Waters report.

“The vulnerabilities result from an apparent lack of device security; and, the communication protocols for the Cardiac Device ecosystem – which we believe lacks basic protections such as encryption and authentication – are in fact compromised,” according to the firm’s 33-page report. “As a result, an attacker can impersonate a Merlin@home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework.”

“The allegations are absolutely untrue,” St. Jude Medical chief technology officer Phil Ebeling said in an emailed statement. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.”

The accusations stem from a cybersecurity firm, Miami-based MedSec Holdings, that approached Muddy Waters after investigating St. Jude and 3 of its competitors. MedSec’s compensation for the research, however, it tied to Block’s short on STJ shares. And cybersecurity experts say there’s no economic rationale for the type of mass attack hypothesized in the Muddy Waters report.

“The lack of a clear business model for making money from hacking medical devices suggests that it’s unlikely we will see the types of mass attacks,” famed “white hat” medical device hacker Billy Rios told Bloomberg.

St. Jude questioned the validity of the report and defending the safety and security of its devices.

“We have examined the allegations made by Muddy Waters Capital and MedSec on August 25, 2016, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” St. Jude wrote in a prepared statement.

St. Jude reiterated that its remote monitoring is a “safe and effective means for patients to communicate with their physician,” and noted that remote monitoring has been documented in “leading publications” as a system that saves lives.

“At St. Jude Medical, we work with 3rd-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for our data and devices as part of our product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts. In addition, we collaborate with industry and governmental organizations to gain insight on recent trends and take appropriate action,” St. Jude wrote in a press release.

The company said that its Merlin@home units feature an automated remote upgrade process so that “security enhancements” are automatically installed when available.

“Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes. We want to reassure our patients that our systems meet the highest international security requirements, as required by regulatory authorities and international standards organizations,” St. Jude wrote in prepared remarks.

St. Jude denied the claims that the device’s battery could be depleted at 50-foot range, saying it would not be possible once the device is implanted into a patient, as it is limited to an approximate 7-foot range.

“This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report. In addition, in the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient. In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients,” St. Jude wrote in a prepared release.

STJ shares were down -8.5% to $74.90 apiece as of about 12:40 Eastern today.

In case you missed it

RSS From Medical Design & Outsourcing

  • New skin-safe materials for additive manufacturing will advance medical device design
    New materials open the applications for using 3D printing for personalized medical devices. By Guillaume Bailliard, Formlabs Additive manufacturing will make personalized medical devices affordable. As 3D printers have become more accessible and manufacturers innovate new materials for medical applications, the industry is delivering patient-specific orthotics, prosthetics, dental devices and more. But adoption has not… […]
  • The top cardiac care innovation news at Heart Rhythm 2023
    The future of cardiac care was on display at the Heart Rhythm Society’s 2023 annual meeting. Medical device companies showcased groundbreaking technologies at Heart Rhythm 2023, May 19-21 in New Orleans. The innovations presented during the event offer new avenues for diagnosis, treatment, and monitoring of cardiovascular conditions, providing hope for patients worldwide. Boston Scientific,… […]
  • Hemco offers VSE Balance Enclosure for critical procedures involving powders and liquids
    NEWS RELEASE: VSE Balance Enclosure for critical procedures involving powders and liquids The VSE is offered in 24”, 36” and 48” widths to accommodate an analytical balance and other small-scale lab processes. Constructed of chemical-resistant metal framing and 1/4” thick clear acrylic side panels and viewing sash. Efficient air flow design with airfoil and bypass… […]
  • Siemens Healthineers plans new semiconductor factory for photon-counting CT scanner
    Siemens Healthineers announced plans this week to build a factory in Germany for cultivating crystals used to make semiconductors for advanced computed tomography (CT) scanners. The medtech giant said its existing production facility in Japan is at capacity, and that the new fabrication plant (or “fab”) is scheduled to come online in 2026. Previously: FDA… […]
  • Stratasys and Desktop Metal plan $1.8B merger
    Stratasys (Nasdaq:SSYS) and Desktop Metal (NYSE:DM) plan to combine in a $1.8 billion all-stock transaction, the 3D printing companies said today. The companies estimate they will generate $1.1 billion in 2025 revenue after the merger and said they expect the additive manufacturing industry to grow to $100 billion by 2032.  Stratasys and Desktop Metal both… […]
  • What’s new in 3D printing: medical devices, research, innovation, automation and partnerships
    3D printing is helping more patients than ever before through personalized medical devices, faster and cheaper prototyping and more affordable manufacturing. Recent developments include research into tissue and organ regeneration, lightning-fast responses to supply chain shortages, wearables that improve patient treatment, and major investments by device manufacturers. Here are some of the 3D printing advances… […]
  • Times Microwave Systems launches XtendedFlex 045 micro-coaxial cable
    NEWS RELEASE: Times Microwave Systems Introduces XtendedFlex 045 Micro-coaxial Cable New Addition to XtendedFlex™ Product Line Features Unrivaled Compactness and Flexibility in a Low Loss Construction for Precision Medical Devices and More WALLINGFORD, CT — Times Microwave Systems, the preeminent brand in innovative RF and microwave interconnect assemblies, cables, and connectors, has announced the release… […]
  • Zimmer Biomet’s Ossis purchase expands reach for Bio-Gate
    NEWS RELEASE: Bio-Gate and OSSIS expand into additional international markets with HyProtect™ Coatings on Compassionate Care implants. Stronger and expanded international market access of OSSIS after acquisition by Zimmer Biomet Increased awareness of HyProtect™ coatings Increased volume of HyProtect™ coated implants Nuremberg/Bremen – Bio-Gate AG (ISIN DE000BGAG981), a leading provider of innovative technologies and individual… […]
  • How device founders can find a buyer for their medtech
    If you’re a medtech entrepreneur looking to sell your medical device business, Frank Jaskulke is a great contact to have in your network. He’s VP of intelligence at Medical Alley and the head of its Medical Alley Starts program, which offers resources and support for healthcare startups. His Minnesota-focused organization has worked with more than… […]
  • 3D-printed wearable sweat sensor could advance home monitoring
    Researchers at the University of Hawaiʻi at Mānoa College of Engineering say they developed a 3D-printed, wearable sweat sensor. Called the “sweatainer,” the device harnesses the power of additive manufacturing to enable a new type of wearable sweat sensor. The researchers say the small, wearable device — similar in size to a child’s sticker —… […]
  • MedAccred joins The Irradiation Panel
    NEWS RELEASE: MedAccred Program Joins Influential Irradiation Industry Association The MedAccred program has become a member of The Irradiation Panel, a renowned not-for-profit industry association representing global and diverse interests in radiation processing. The panel is comprised of suppliers and users of irradiated products and irradiation services, regulatory bodies, and consultants. Membership currently consists of… […]

Copyright © 2023 · WTWH Media LLC and its licensors. All rights reserved.
The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of WTWH Media.

Advertise | Privacy Policy