St. Jude Medical accused of having 'stunning' cybersecurity risk in cardiac devices

Muddy Waters Research had a few words regarding St. Jude Medical ($STJ) in a recent report. The short seller made predictions regarding the devicemaker’s revenue and recalls.

Muddy Waters said it predicts St. Jude Medical will lose close to half of its revenue for about two years. The organization cited potential device recalls as its justification for this prediction.

“STJ’s pacemakers, ICDs, and CRTs might--and in our view, should--be recalled and remediated,” Muddy Waters wrote. “Based on conversations with industry experts, we estimate remediation would take at least two years. Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients.” The report noted that all of these devices combined accounted for 46% of St. Jude Medical’s 2015 revenue.

Muddy Waters also raised cybersecurity concerns about the implantable cardiac devices, describing two types of attack. The first is a "crash" attack that could cause a device to malfunction, including pacing the heart at a potentially dangerous rate. The second drains the device's battery, a serious concern for patients who depend on the device.

“Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks,” the report said.

Muddy Waters also noted that these attacks require less skill than the attacks on cardiac devices that have been discussed publicly in the past.

“These attacks take less skill, can be directed randomly at any STJ Cardiac Device within a roughly 50 foot radius, theoretically can be executed on a very large scale, and most gallingly, are made possible by the hundreds of thousands of substandard home monitoring devices STJ has distributed,” the report explained.

Muddy Waters' founder Carson Block spoke with Bloomberg's Erik Schatzker in an interview about these allegations earlier today. Block pointed to the home-monitoring ecosystem that communicates with some of St. Jude Medical's implantable devices, which he said could pose security risks for patients. Block explained that Muddy Waters was "made aware" of the security risk by MedSec, a cybersecurity research firm that found the issues while conducting research on the top four implantable cardiac device manufacturers.

"What they found with the St. Jude's devices and the ecosystem stunned them," Block said in the interview. "It's far worse than anything they had expected."

When security flaws such as these are found, the usual practice is coordinated disclosure: the researchers notify the manufacturer privately and give it a set period of time to fix the problem, and go public only if the company fails to act. In this case, however, Block said the risks were, in MedSec's view, so severe that MedSec chose to bypass that informal protocol and not notify St. Jude Medical before going public.

"This ecosystem, these devices are so poorly protected that they felt--and we agree--that this is likely gross negligence on the part of St. Jude over many years and they were concerned that if they went to St. Jude, St. Jude would sweep this under the rug," Block said in the interview. "And they felt that it's very important for users of these devices--for patients--to know about the risks."

St. Jude Medical, however, disputes these allegations.

“The allegations are absolutely untrue,” said Phil Ebeling, chief technology officer at St. Jude Medical, to FierceMedicalDevices. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.”

St. Jude Medical also pointed to its product security webpage, which states that protecting patient and consumer information is a "high priority."

“St. Jude Medical performs security testing on our medical devices and networked equipment,” St. Jude Medical explained on the webpage. “We continually assess our investments in people, process and technology to protect patient safety, patient data, our medical devices and the company’s intellectual property and business information.”

The webpage also noted that St. Jude Medical works with partners to “develop appropriate safeguards for our data and devices. These alliances with security specialists help to make medical devices safe and serve the intended purpose of saving lives.”

- here's the Muddy Waters report
- here's the Bloomberg interview with Carson Block
- and here's the Product Security page from St. Jude Medical
