MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » UPDATE: St. Jude Medical denies short-seller’s accusations

UPDATE: St. Jude Medical denies short-seller’s accusations

By

St. Jude MedicalUPDATED August 26, 2016, with St. Jude Medical’s rebuttal.

St. Jude Medical (NYSE:STJ) sharply rebutted allegations by a short-seller that nearly half of its cardiac rhythm management devices are extremely vulnerable to hackers.

St. Jude Medical vehemently denied the charges, with their top R&D executive calling them “absolutely untrue.”

Muddy Waters, the firm founded by well-known short-seller Carson Block, issued a report today accusing Little Canada, Minn.-based St. Jude of being “grossly negligent” in failing to safeguard its Merlin@home device, which connects with implanted pacemakers and defibrillators. The short-seller wants to disrupt the pending, $25 billion acquisition of St. Jude by Abbott (NYSE:ABT); Block is long on ABT shares, he told Reuters.

The Merlin@home devices “can be exploited to cause implanted devices to malfunction and harm users. We believe that courts will hold STJ’s lack of security in its Cardiac Device ecosystem is grossly negligent, unless STJ settles the litigation we see as inevitable,” according to the Muddy Waters report.

“The vulnerabilities result from an apparent lack of device security; and, the communication protocols for the Cardiac Device ecosystem – which we believe lacks basic protections such as encryption and authentication – are in fact compromised,” according to the firm’s 33-page report. “As a result, an attacker can impersonate a Merlin@home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework.”

“The allegations are absolutely untrue,” St. Jude Medical chief technology officer Phil Ebeling said in an emailed statement. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.”

The accusations stem from a cybersecurity firm, Miami-based MedSec Holdings, that approached Muddy Waters after investigating St. Jude and 3 of its competitors. MedSec’s compensation for the research, however, it tied to Block’s short on STJ shares. And cybersecurity experts say there’s no economic rationale for the type of mass attack hypothesized in the Muddy Waters report.

“The lack of a clear business model for making money from hacking medical devices suggests that it’s unlikely we will see the types of mass attacks,” famed “white hat” medical device hacker Billy Rios told Bloomberg.

St. Jude questioned the validity of the report and defending the safety and security of its devices.

“We have examined the allegations made by Muddy Waters Capital and MedSec on August 25, 2016, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” St. Jude wrote in a prepared statement.

St. Jude reiterated that its remote monitoring is a “safe and effective means for patients to communicate with their physician,” and noted that remote monitoring has been documented in “leading publications” as a system that saves lives.

“At St. Jude Medical, we work with 3rd-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for our data and devices as part of our product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts. In addition, we collaborate with industry and governmental organizations to gain insight on recent trends and take appropriate action,” St. Jude wrote in a press release.

The company said that its Merlin@home units feature an automated remote upgrade process so that “security enhancements” are automatically installed when available.

“Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes. We want to reassure our patients that our systems meet the highest international security requirements, as required by regulatory authorities and international standards organizations,” St. Jude wrote in prepared remarks.

St. Jude denied the claims that the device’s battery could be depleted at 50-foot range, saying it would not be possible once the device is implanted into a patient, as it is limited to an approximate 7-foot range.

“This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report. In addition, in the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient. In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients,” St. Jude wrote in a prepared release.

STJ shares were down -8.5% to $74.90 apiece as of about 12:40 Eastern today.

In case you missed it

RSS From Medical Design & Outsourcing

  • How Oscor makes a wide range of medtech
    Oscor boasts capabilities to design, develop, manufacture and market a wide range of medical devices, plus implantable-grade components and delivery systems. The Palm Harbor, Fla.–based company has four U.S. facilities with over 100,000 ft2  of engineering and cleanroom manufacturing space, plus two Dominican Republic facilities with another 120,000 ft2 and sales and warehouse facilities in… […]
  • IluminOss lands expanded FDA clearance for fracture repair tech
    IlluminOss Medical recently announced that it received FDA 510(k) clearance for expanded use of its Photodynamic Bone Stabilization System. The system is designed to treat fractures in the pelvis, clavicle and small bones of the hands and feet. It is a minimally invasive approach for fracture repair and stabilization in a patient-specific intramedullary implant. “The… […]
  • What is paratubing?
    Paratubing is a form of tubing that is made from two or more round tubes that are conjoined during extrusion. Paratubing, also called parallel tubing, comes in a wide range of thermoplastics and designs with electrical properties and signal carrying capabilities. The tubes are produced as multiple single lumen PVC tubes that are longitudinally joined […]
  • CVRx CEO details the path from being engineer to medtech executive
    This week, CVRX reported positive six-month trial results for its Barostim Neo, an FDA-approved treatment for heart failure. The results follow years of close work between the agency and CVRx, one of the more ambitious startups in medtech. CVRx is targeting a huge clinical need with novel neuromodulation technology. In this week’s DeviceTalks Weekly podcast,… […]
  • What’s next for nitinol tubing?
    Nitinol’s unique properties have made it the darling of the medical device industry. A novel technique for mechanically joining nitinol to other metal tubing could reduce cost and mitigate risk. Mark Broadley, Viant Nitinol has revolutionized the medical device industry. With its flexible superelasticity, shape memory and biocompatibility, nitinol has become a go-to material for… […]
  • Report: Haemonetics’ blood-collection devices could leave particles in donors
    A consortium of news outlets is questioning the safety of Haemonetics (NYSE:HAE) blood-collection devices, claiming that particles have been detected in donors whose plasma was extracted by the machines. According to a report in the Miami Herald, whistleblower documents indicate that more than 150 Haemonetics customer reports have been made regarding the presence of particles by plasma collection centers and heathcare… […]
  • Spinal Elements’ cervical fixation system wins FDA nod
    Spine surgery technology developer Spinal Elements announced today that it received FDA clearance for its Sapphire X product for anterior cervical fixation. Sapphire X is comprised of integrated instrumentation and high-angulation screws designed to help surgeons perform a procedure while preserving the patient’s skeletal and muscle tissue. The instrumentation is designed to reduce procedural steps… […]
  • How COVID-19 impacts FDA interactions with medical device manufacturers
    By Stewart Eisenhart, Emergo Group The US Food and Drug Administration may revise performance goals and timelines set under the Medical Device User Fee Amendments IV (MDUFA IV) as emergency efforts targeting the coronavirus pandemic take up more of the agency’s time. Get the full story here at the Emergo Group’s blog. The opinions expressed… […]
  • Switchback Medical adds ‘sandbox approach’ to device testing
    Contract manufacturer Switchback Medical (Maple Grove, Minn.) today announced that it has added a new division. Switchback BioSim Innovations offers functional dynamic biosimulator model development, cell culture services and physician training, according to the company. Biosimulator models use animal and human tissue to create functional models, such as a pumping heart with working valves to… […]
  • Smith College team wins ventilator design challenge
    A team of Smith College engineering alumnae, staff and faculty has won the CoVent-19 Challenge to design a rapidly deployable ventilator to address shortages caused by the COVID-19 pandemic, particularly in developing countries. A dozen anesthesiology resident physicians from Massachusetts General Hospital kicked off the public challenge April 1, attracting 200 entries. The 30-person team… […]
  • FDA gives certain device makers more time to add UDIs
    The FDA said today that it will grant manufacturers of Class 1 and unclassified medical devices and certain others more time to add unique device identifiers (UDIs) to their products. These companies will now have until Sept. 24, 2022 to comply with the agency’s UDI rule, including standard date formatting, labeling and Global Unique Device… […]

MASSDEVICE MEDICAL NETWORK

DeviceTalks
Drug Delivery Business News
Medical Design & Outsourcing
Medical Tubing + Extrusion

MASSDEVICE

Subscribe to MassDevice
Advertise with us
About
Contact us

Add us on Facebook Follow us on Twitter Connect with us on LinkedIn Follow us on YouTube