MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » UPDATE: St. Jude Medical denies short-seller’s accusations

UPDATE: St. Jude Medical denies short-seller’s accusations

By

St. Jude MedicalUPDATED August 26, 2016, with St. Jude Medical’s rebuttal.

St. Jude Medical (NYSE:STJ) sharply rebutted allegations by a short-seller that nearly half of its cardiac rhythm management devices are extremely vulnerable to hackers.

St. Jude Medical vehemently denied the charges, with their top R&D executive calling them “absolutely untrue.”

Muddy Waters, the firm founded by well-known short-seller Carson Block, issued a report today accusing Little Canada, Minn.-based St. Jude of being “grossly negligent” in failing to safeguard its Merlin@home device, which connects with implanted pacemakers and defibrillators. The short-seller wants to disrupt the pending, $25 billion acquisition of St. Jude by Abbott (NYSE:ABT); Block is long on ABT shares, he told Reuters.

The Merlin@home devices “can be exploited to cause implanted devices to malfunction and harm users. We believe that courts will hold STJ’s lack of security in its Cardiac Device ecosystem is grossly negligent, unless STJ settles the litigation we see as inevitable,” according to the Muddy Waters report.

“The vulnerabilities result from an apparent lack of device security; and, the communication protocols for the Cardiac Device ecosystem – which we believe lacks basic protections such as encryption and authentication – are in fact compromised,” according to the firm’s 33-page report. “As a result, an attacker can impersonate a Merlin@home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework.”

“The allegations are absolutely untrue,” St. Jude Medical chief technology officer Phil Ebeling said in an emailed statement. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.”

The accusations stem from a cybersecurity firm, Miami-based MedSec Holdings, that approached Muddy Waters after investigating St. Jude and 3 of its competitors. MedSec’s compensation for the research, however, it tied to Block’s short on STJ shares. And cybersecurity experts say there’s no economic rationale for the type of mass attack hypothesized in the Muddy Waters report.

“The lack of a clear business model for making money from hacking medical devices suggests that it’s unlikely we will see the types of mass attacks,” famed “white hat” medical device hacker Billy Rios told Bloomberg.

St. Jude questioned the validity of the report and defending the safety and security of its devices.

“We have examined the allegations made by Muddy Waters Capital and MedSec on August 25, 2016, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” St. Jude wrote in a prepared statement.

St. Jude reiterated that its remote monitoring is a “safe and effective means for patients to communicate with their physician,” and noted that remote monitoring has been documented in “leading publications” as a system that saves lives.

“At St. Jude Medical, we work with 3rd-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for our data and devices as part of our product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts. In addition, we collaborate with industry and governmental organizations to gain insight on recent trends and take appropriate action,” St. Jude wrote in a press release.

The company said that its Merlin@home units feature an automated remote upgrade process so that “security enhancements” are automatically installed when available.

“Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes. We want to reassure our patients that our systems meet the highest international security requirements, as required by regulatory authorities and international standards organizations,” St. Jude wrote in prepared remarks.

St. Jude denied the claims that the device’s battery could be depleted at 50-foot range, saying it would not be possible once the device is implanted into a patient, as it is limited to an approximate 7-foot range.

“This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report. In addition, in the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient. In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients,” St. Jude wrote in a prepared release.

STJ shares were down -8.5% to $74.90 apiece as of about 12:40 Eastern today.

In case you missed it

RSS From Medical Design & Outsourcing

  • CVRx CEO Nadim Yared suggests steps toward improving diversity and equality
    In this week’s episode of DeviceTalks Weekly, we follow up with last week’s guest, Nadim Yared, CEO of CVRx, to catch up on how the medtech executive is managing during the pandemic. Yared also shares some far-reaching views on what the medtech industry needs to work toward to improve diversity in its workforce and provide… […]
  • Ogura Industrial touts holding brakes for robotic and medical equipment
    As automation continues to accelerate, there’s a growing need to hold equipment in place in the case of a power failure — or to provide positioning, according to Ogura Industrial, maker of six different styles of holding brakes. With roughly 120 standard models, key features of Ogura Industrial’s holding brake families include brake diameters down… […]
  • What kinds of COVID-19 tests are out there?
    Months into the pandemic, the FDA continues to grant emergency use approval (EUA) to new tests to detect the virus that causes COVID-19 and the antibodies that indicate a person has had it. To date, the FDA has granted EUAs for 171 tests —142 molecular tests, 27 antibody tests, and 2 antigen tests. Given the ever-changing… […]
  • FDA plans to resume onsite inspections later this month
    FDA has a goal of restarting on-site inspections during the week of July 20 — four months after it temporarily halted them — though there will be changes due to the COVID-19 pandemic. The agency today said that it will pre-announce inspections to FDA-regulated businesses. Said FDA: “This will help assure the safety of the… […]
  • Formlabs announces new biocompatible, medical-grade resins
    Formlabs, the Somerville, Mass.–based maker of 3D printers, recently announced six new materials across its Form 3, Form 3B, and Form 2 SLA 3D printers — including two new biocompatible, medical-grade resins. The new material families and resins are meant to provide more options for designers and engineers in fields including: Healthcare — with a… […]
  • Magnolia Medical launches Steripath Gen2 with integrated syringe
    Magnolia Medical this week said it launched its Steripath Gen2 Initial Specimen Diversion Device with an integrated syringe. The device is designed for reducing blood culture contamination in “hard stick” patients and syringe collection protocols. Steripath Gen2 features an integrated syringe that addresses difficult intravenous access. It offers precise control to carefully collect blood samples.… […]
  • How Frankenstein sparked Earl Bakken’s love of medical devices
    When the late Medtronic founder Earl Bakken first watched the classic horror movie “Frankenstein” in the 1930s, it did more than just scare: It inspired. “What intrigued me the most as I sat through the movie again and again, was the creative spark of Dr. Frankenstein’s electricity,” Bakken said in his 1990 autobiography “One Man’s… […]
  • Boston researchers have created a potential N95 mask alternative
    Brigham & Women’s Hospital says it is developing a new, sustainable alternative to N95 respirator masks that are in demand during the COVID-19 pandemic. A team of bioengineers and clinical experts at the Boston-based hospital and the Massachusetts Institute of Technology (MIT) are working on the “injection molded autoclavable, scalable, conformable” iMASC system for providing… […]
  • MIT researchers think they’ve found a way to get more particles through a syringe
    Researchers at the Massachusetts Institute of Technology (MIT) are touting a computational model that could prevent microparticle clogging during injections. Microparticles, which are about the size of a grain of sand, can be difficult to inject if they get clogged in a typical syringe. The research team at MIT developed this new model that determines… […]
  • Fotofab adds direct-imaging machine for chemical etching
    Fotofab announced this week that it has acquired a new Chime Ball Technologies direct-imaging (DI) machine from Technica, USA to optimize its chemical etching process and provide a more advanced level of precision and speed for thin metal parts. The DI machine has CBT’s patented finger-print technology with LED lighting that enables Fotofab to directly… […]
  • Could this heated air filter help fight COVID-19?
    University of Houston researchers and medical real estate development firm Medistar claim that they’ve designed an air filter that can catch and instantly kill the virus that causes COVID-19. Galveston National Laboratory tests on the filter found it killed 99.8% of SARS-CoV-2 virus in a single pass — as well as 99.9% of anthrax spores,… […]

MASSDEVICE MEDICAL NETWORK

DeviceTalks
Drug Delivery Business News
Medical Design & Outsourcing
Medical Tubing + Extrusion

MASSDEVICE

Subscribe to MassDevice
Advertise with us
About
Contact us

Add us on Facebook Follow us on Twitter Connect with us on LinkedIn Follow us on YouTube