The St. Jude vs. Muddy Waters finger-pointing match continues

It seems as though we have a bit of a finger-pointing match going on between St. Jude and Muddy Waters. St. Jude Medical issued a lengthy response to accusations that some of their implantable devices are easy targets for cyberattacks. Still, Muddy Waters wasn't satisfied and issued a second report in response, only to have St. Jude write one more response this morning.

The devicemaker made headlines on August 25 when Muddy Waters reported on two types of cyberattacks that could very easily be carried out on St. Jude Medical’s pacemakers, ICDs and CRTs. Muddy Waters, which was made aware of the risks by MedSec, the cybersecurity firm that discovered them, said in the report that those devices may be recalled, which could result in a loss of nearly half of St. Jude’s yearly revenue for the next two years.

It is worth noting that Muddy Waters does stand to profit from these accusations. "You should assume that as of the publication date of our reports and research, Muddy Waters Capital LLC (possibly along with or through our members, partners, affiliates, employees, and/or consultants) along with our clients and/or investors and/or their clients and/or investors, has a short position in all stocks (and/or options, swaps, and other derivatives related to the stock) and bonds covered herein, and therefore stands to realize significant gains in the event that the price of either declines," Muddy Waters discloses on the first page of each report. "We intend to continue transacting in the securities of issuers covered on this site for an indefinite period of time, and we may be long, short, or neutral at any time regardless of our initial position and views as stated in our research."

St. Jude Medical said to FierceMedicalDevices that same day that the allegations were “absolutely untrue,” and spoke of the layers of security put in place on the devices.

St. Jude's first response - August 26

On August 26, St. Jude put out an official statement on the matter, addressing the claims and refuting them.

“We have examined the allegations made by Muddy Waters Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading,” the statement said. The statement went on to explain how the remote-monitoring devices are developed and secured, noting that St. Jude Medical performs routine risk assessments based on the FDA’s guidance.

St. Jude addressed battery-depletion claims, which alleged that a battery in an implanted device could be depleted within a 50-foot range. The devicemaker noted that once a device is implanted, wireless communication has only an approximate 7-foot range. St. Jude also said it would take “hundreds of hours of continuous and sustained ‘pings’” to deplete a device’s battery.

“To put it plainly,” St. Jude explained in the statement, “a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient.”

St. Jude also addressed the “crash” attack claims, saying that the report had minimal details on the simulation of the attack and “includes many inconsistencies.” St. Jude also said that the screenshot Muddy Waters included in its report showed a Merlin programmer operating normally, pacing at 40 bpm, with alerts on the screen noting that no leads are connected to the device. “The screenshot shows expected behavior from the SecureSense algorithm when device is pacing without any connected leads,” the report explained.

Snapshot of the Merlin@Home device alerts from the Muddy Waters report. Courtesy of Muddy Waters.

St. Jude’s response continued on to explain that the organization “will remain ever vigilant and dedicated to patient safety.” The statement explained how many independent organizations evaluate and assess the tech in question, and how St. Jude Medical works with industry groups like NH-ISAC and ICS-CERT to ensure patient safety.

“Patient safety has always been our top priority and we have every reason to believe our devices are safe,” the statement said. “Because we recognize cybersecurity is a concern for patients, it is also a priority for St. Jude Medical.”

St. Jude has also taken to social media since the report dropped, to promote the safety of their devices.

Muddy Waters' second report - August 29

Muddy Waters, however, was far from satisfied with the response, issuing yet another report yesterday reacting to St. Jude’s statement.

“There are no changes to MedSec or our conclusions about the lack of security in the [St. Jude Medical] device ecosystem, and our belief in the need for recall and remediation,” the report summary said. The summary also stated that St. Jude’s response was made of “substance (~20%) and fluff (~80%).”

The report went on to explain how St. Jude had actually admitted to some of the risks. The report also noted that only “the majority” of the vulnerabilities MedSec found were fixed with a software update, and argued that the MedSec findings were not merely speculative, as St. Jude had implied.

“Given the density of the clusters of deceptive indicators in this rebuttal it is highly likely that [St. Jude Medical] is being deceptive about the cyber security of its cardiac devices and their knowledge of their existing limitations,” the report said. “Their agenda is to manage the perception of the market in the short term from pessimism to optimism, erode the credibility of the [Muddy Waters] report and present confidence in the face of specific allegations while simultaneously failing (or choosing not) to insert inarguable facts to the contrary.”

Overall, Muddy Waters made clear that it still stands by the original report, and still believes the devices should be recalled.

St. Jude's second response - August 30

Just this morning, St. Jude issued an additional response, holding on to its claim that the devices are safe and saying that Muddy Waters is acting in an "irresponsible" manner. The devicemaker once again described the safeguards in place on its devices, and the actions taken, both by St. Jude Medical itself and with help from independent third-party organizations, to ensure the safety of patients using the devices.

“The allegations made by Muddy Waters and MedSec are irresponsible, misleading and unnecessarily frightening patients,” said Michael Rousseau, president and chief executive officer at St. Jude Medical, in the statement. “We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices. This behavior speaks volumes about the profit-seeking motives and integrity of these organizations.”

St. Jude went on to refute new information presented by Muddy Waters in the form of a video. St. Jude said the video showed a "fundamental lack of understanding" by Muddy Waters and MedSec. The video, St. Jude explained, actually showed a security feature built into the pacemaker called a radio-frequency telemetry lockout.

“The video clearly shows a security feature, not a flaw,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical. "The pacemaker is actually functioning as designed. If attacked, our pacemakers place themselves into a 'safe' mode to ensure the device continues to work, which further proves our commitment to safety and security."

- here's St. Jude's Aug. 25 response and its Aug. 30 response
- here's Muddy Waters's Aug. 29 report and the video released along with it