MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » UPDATE: St. Jude Medical denies short-seller’s accusations

UPDATE: St. Jude Medical denies short-seller’s accusations

By Leave a Comment

Share

St. Jude MedicalUPDATED August 26, 2016, with St. Jude Medical’s rebuttal.

St. Jude Medical (NYSE:STJ) sharply rebutted allegations by a short-seller that nearly half of its cardiac rhythm management devices are extremely vulnerable to hackers.

St. Jude Medical vehemently denied the charges, with their top R&D executive calling them “absolutely untrue.”

Muddy Waters, the firm founded by well-known short-seller Carson Block, issued a report today accusing Little Canada, Minn.-based St. Jude of being “grossly negligent” in failing to safeguard its Merlin@home device, which connects with implanted pacemakers and defibrillators. The short-seller wants to disrupt the pending, $25 billion acquisition of St. Jude by Abbott (NYSE:ABT); Block is long on ABT shares, he told Reuters.

The Merlin@home devices “can be exploited to cause implanted devices to malfunction and harm users. We believe that courts will hold STJ’s lack of security in its Cardiac Device ecosystem is grossly negligent, unless STJ settles the litigation we see as inevitable,” according to the Muddy Waters report.

“The vulnerabilities result from an apparent lack of device security; and, the communication protocols for the Cardiac Device ecosystem – which we believe lacks basic protections such as encryption and authentication – are in fact compromised,” according to the firm’s 33-page report. “As a result, an attacker can impersonate a Merlin@home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework.”

“The allegations are absolutely untrue,” St. Jude Medical chief technology officer Phil Ebeling said in an emailed statement. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.”

The accusations stem from a cybersecurity firm, Miami-based MedSec Holdings, that approached Muddy Waters after investigating St. Jude and 3 of its competitors. MedSec’s compensation for the research, however, it tied to Block’s short on STJ shares. And cybersecurity experts say there’s no economic rationale for the type of mass attack hypothesized in the Muddy Waters report.

“The lack of a clear business model for making money from hacking medical devices suggests that it’s unlikely we will see the types of mass attacks,” famed “white hat” medical device hacker Billy Rios told Bloomberg.

St. Jude questioned the validity of the report and defending the safety and security of its devices.

“We have examined the allegations made by Muddy Waters Capital and MedSec on August 25, 2016, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” St. Jude wrote in a prepared statement.

St. Jude reiterated that its remote monitoring is a “safe and effective means for patients to communicate with their physician,” and noted that remote monitoring has been documented in “leading publications” as a system that saves lives.

“At St. Jude Medical, we work with 3rd-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for our data and devices as part of our product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts. In addition, we collaborate with industry and governmental organizations to gain insight on recent trends and take appropriate action,” St. Jude wrote in a press release.

The company said that its Merlin@home units feature an automated remote upgrade process so that “security enhancements” are automatically installed when available.

“Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes. We want to reassure our patients that our systems meet the highest international security requirements, as required by regulatory authorities and international standards organizations,” St. Jude wrote in prepared remarks.

St. Jude denied the claims that the device’s battery could be depleted at 50-foot range, saying it would not be possible once the device is implanted into a patient, as it is limited to an approximate 7-foot range.

“This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report. In addition, in the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient. In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients,” St. Jude wrote in a prepared release.

STJ shares were down -8.5% to $74.90 apiece as of about 12:40 Eastern today.

In case you missed it

RSS From Medical Design & Outsourcing

  • Medtronic risk prediction tool could help prevent opioid deaths: Here’s how
    Medtronic officials continue to hone their arguments for how the company’s capnography and oximetry systems could reduce potentially deadly opioid-induced respiratory compromise. The medical device giant on Feb. 17 announced preliminary results of its Prodigy study, in which the company’s Microstream and Nellcor monitoring technology provided continuous capnography and oximetry for 1,496 patients across 16 sites in the U.S.,… […]
  • Phillips-Medisize is expanding in Wisconsin
    Phillips-Medisize, a Molex company, has broken ground on a new manufacturing facility in Hudson, Wis., on the eastern end of the Minneapolis-St. Paul metro area. The 34-acre location at the St. Croix Meadows development will support at least 230,000 square feet of manufacturing space for FDA-regulated medical device products, Phillips-Medisize announced yesterday. After construction is complete… […]
  • ReWalk Robotics files for exoskeleton suit clearance
      ReWalk Robotics (NSDQ:RWLK) said it has applied to FDA for 510(k) clearance of its ReStore exoskeleton suit for gait training during stroke rehabilitation. The Yokneam, Israel-based company designed its exo-suit to provide coordinated plantarflexion and dorsiflexion assistance to a patient’s foot and ankle. It recently won insurer reimbursement from Cigna and completed a clinical… […]
  • FDA proposes faster post-inspection feedback
    FDA has issued draft guidance providing for more timely nonbinding feedback following medtech facility inspections to advise whether the companies’ proposed corrective actions appear adequate to the agency. The draft guidance proposes a process by which companies can request nonbinding feedback on certain kinds of observations issued on a Form 483. It outlines a standardized method… […]
  • India CDSCO adds new medical devices to regulated list
    By Stewart Eisenhart, Emergo Group India’s Central Drugs Standard Control Organization (CDSCO) continues expanding oversight to more types of medical devices, now planning to require registration for eight additional device types starting April 1, 2020. Get the full story here at the Emergo Group’s blog. The opinions expressed in this blog post are the author’s… […]
  • Empowering Medical Innovation
    From faster medical device development to life-saving surgical planning models, see how full-color, multi-material 3D printing opens up broad possibilities for medical innovation. In this new E-book you’ll learn how the Stratasys J750 can: Produce superior medical models for surgical planning and training Foster better medical devices through faster ideation and prototyping Enable advanced training… […]
  • Affluent Medical touts results of endovascular aneurysm repair study
    Medtech startup Affluent Medical(Paris, France) said a study of its endovascular aneurysm repair (EVAR) system device showed patients had fewer endoleaks and needed fewer secondary interventions, and that their aneurysms shrank in volume and diameter. The company’s Kardiozis endovascular prosthesis uses thrombogenic fibers to embolize an abdominal aortic aneurism sac during a conventional EVAR procedure to prevent… […]
  • This cotton-based biofuel cell could power implanted medical devices
    Researchers at the Georgia Institute of Technology and Korea University have developed a glucose-powered biofuel cell that uses electrodes from cotton that could potentially power implantable medical devices. The fuel cell has twice as much power as traditional biofuel cells and could also be paired with batteries or super capacitors to create a hybrid power… […]
  • IEEE publishes safety standards draft for medtech interoperability
    The Institute of Electrical and Electronics Engineers (IEEE) Standards Association said it has published a draft set of standards intended to provide safe and secure medical device interoperability. IEEE 11073-20701-2018, also known as IEEE Approved Draft Standard for Service-Oriented Medical Device Exchange Architecture & Protocol Binding, completes the International Organization for Standardization (ISO)/IEEE 11073 family of standards… […]
  • FDA clears Safe Medical Design’s urethral catheter
    Safe Medical Design (San Francisco) said that FDA has cleared its Signal Catheter for commercialization in the United States. The 100% silicone foley catheter features a novel hub design allowing the catheter to reduce excessive balloon pressure in the event the catheter is improperly placed. Each year in the United States there are as many as 500,000… […]
  • These medtech companies raised the most VC in 2018
    Venture capital firms invested more than $2.9 billion in medical device companies in 2018 — a slight increase from the $2.8 billion raised in 2017, according to the MoneyTree report from PricewaterhouseCoopers (PwC) and CB Insights. Both the first and second quarters of 2018 saw an increase in investments, totaling nearly $778 million and $786 million respectively.… […]

Leave a Reply

MASSDEVICE MEDICAL NETWORK

DeviceTalks
Drug Delivery Business News
Medical Design & Outsourcing

MASSDEVICE

Subscribe to MassDevice
Advertise with us
About
Contact us
Privacy
Add us on FacebookMassDevice Network
Follow us on Twitter@MassDevice
Connect with us on LinkedInLinkedIn
Follow us on YouTube YouTube