UPDATED August 26, 2016, with St. Jude Medical’s rebuttal.
St. Jude Medical vehemently denied the charges, with their top R&D executive calling them “absolutely untrue.”
Muddy Waters, the firm founded by well-known short-seller Carson Block, issued a report today accusing Little Canada, Minn.-based St. Jude of being “grossly negligent” in failing to safeguard its Merlin@home device, which connects with implanted pacemakers and defibrillators. The short-seller wants to disrupt the pending, $25 billion acquisition of St. Jude by Abbott (NYSE:ABT); Block is long on ABT shares, he told Reuters.
The Merlin@home devices “can be exploited to cause implanted devices to malfunction and harm users. We believe that courts will hold STJ’s lack of security in its Cardiac Device ecosystem is grossly negligent, unless STJ settles the litigation we see as inevitable,” according to the Muddy Waters report.
“The vulnerabilities result from an apparent lack of device security; and, the communication protocols for the Cardiac Device ecosystem – which we believe lacks basic protections such as encryption and authentication – are in fact compromised,” according to the firm’s 33-page report. “As a result, an attacker can impersonate a Merlin@home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework.”
“The allegations are absolutely untrue,” St. Jude Medical chief technology officer Phil Ebeling said in an emailed statement. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.”
The accusations stem from a cybersecurity firm, Miami-based MedSec Holdings, that approached Muddy Waters after investigating St. Jude and 3 of its competitors. MedSec’s compensation for the research, however, is tied to Block’s short on STJ shares. And cybersecurity experts say there’s no economic rationale for the type of mass attack hypothesized in the Muddy Waters report.
“The lack of a clear business model for making money from hacking medical devices suggests that it’s unlikely we will see the types of mass attacks,” famed “white hat” medical device hacker Billy Rios told Bloomberg.
St. Jude questioned the validity of the report and defended the safety and security of its devices.
“We have examined the allegations made by Muddy Waters Capital and MedSec on August 25, 2016, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” St. Jude wrote in a prepared statement.
St. Jude reiterated that its remote monitoring is a “safe and effective means for patients to communicate with their physician,” and noted that remote monitoring has been documented in “leading publications” as a system that saves lives.
“At St. Jude Medical, we work with 3rd-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for our data and devices as part of our product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts. In addition, we collaborate with industry and governmental organizations to gain insight on recent trends and take appropriate action,” St. Jude wrote in a press release.
The company said that its Merlin@home units feature an automated remote upgrade process so that “security enhancements” are automatically installed when available.
“Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes. We want to reassure our patients that our systems meet the highest international security requirements, as required by regulatory authorities and international standards organizations,” St. Jude wrote in prepared remarks.
St. Jude denied the claims that the device’s battery could be depleted at a 50-foot range, saying it would not be possible once the device is implanted into a patient, as it is limited to an approximate 7-foot range.
“This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report. In addition, in the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient. In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients,” St. Jude wrote in a prepared release.
STJ shares were down 8.5% to $74.90 apiece as of about 12:40 Eastern today.