Are St. Jude Medical's Devices Secure? FDA Wants to Know

Maureen Kingsley

September 12, 2016


FDA is promising a "thorough investigation" of Muddy Waters's allegations against St. Jude Medical.

It is the latest in the unfolding story involving medical device manufacturer St. Jude Medical, activist investment-research firm Muddy Waters, and cybersecurity firm MedSec Holdings: FDA plans a "thorough investigation" of allegations Muddy Waters and MedSec have made about security vulnerabilities in St. Jude's cardiac devices.

"Regardless of the way a vulnerability comes to our attention, we take those allegations very, very seriously," Suzanne Schwartz, FDA's official responsible for cybersecurity, recently told Reuters. "We are putting all of our focus on making sure that we have an understanding of what these allegations are and do a thorough investigation of the claims."

An FDA spokesperson adds to Qmed that the agency is working with the Department of Homeland Security to investigate the findings of the report. As for patients with the cardio devices, they should talk with their doctors if they have questions or concerns.

Muddy Waters Research on August 25 announced its prediction that St. Jude Medical's shares would fall, claiming that "close to half of [the medical device company's] revenue is about to disappear for approximately two years," based on information provided to the research firm by cybersecurity company MedSec Holdings. "[St. Jude Medical's] pacemakers, ICDs, and CRTs might--and in our view, should--be recalled and remediated," Muddy Waters announced on its website and in a downloadable report, explaining that the cardiac devices in question collectively made up 46% of St. Jude Medical's 2015 revenue.

"Based on conversations with industry experts, we estimate remediation would take at least two years," the online statement reads.

Those aforementioned "industry experts," individuals at MedSec Holdings, believe that St. Jude Medical's pacemakers and defibrillators have cybersecurity flaws that hackers could potentially exploit to harm patients. Muddy Waters even posted a MedSec video that allegedly demonstrates cybersecurity vulnerabilities of a St. Jude Medical pacemaker.

St. Jude Medical's stock fell about 5% in value after the accusations were made; the stock has yet to fully recover. 

For its part, St. Jude Medical has filed a lawsuit against Muddy Waters, MedSec Holdings, and three individual defendants who are principals in these firms for "false statements, false advertising, conspiracy, and the related manipulation of the public markets in connection with St. Jude Medical's implantable cardiac management devices," according to a press statement released by the company. "With this action, St. Jude Medical seeks to hold these firms and individuals accountable for their false and misleading tactics, to set the record straight about the security of its devices, and to help cardiac patients and their doctors make informed medical decisions about products that enhance and save lives every day," the press statement adds.

St. Jude Medical officials are pointing to a University of Michigan study that failed to reproduce Muddy Waters and MedSec's findings.

FDA Joins the Fray

FDA began its investigation of the matter in late August. It was reportedly unprecedented for a cybersecurity researcher to publicize claims about cyber bugs as part of a short-selling strategy; this approach also goes against advice that FDA issued in January in draft guidelines for dealing with cybersecurity vulnerabilities in medical devices. "It's important to note that FDA encourages cybersecurity researchers to work directly with manufacturers and the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) when potential vulnerabilities are identified," a spokesperson for FDA told Qmed. "In fact, a key component of our draft guidance on postmarket medical device cybersecurity is establishing and supporting formal policies for coordinated vulnerability disclosure, in which manufacturers and cybersecurity researchers work together openly in a trusted environment to identify, assess and remediate cybersecurity vulnerabilities before they can harm patients. This collaborative information sharing, disclosure and risk assessment enables all stakeholders to better address device safety."

FDA's Schwartz told Reuters that she hoped others would not follow the approach taken by Muddy Waters and MedSec.

Maureen Kingsley is a contributor to Qmed. 

[Sinister hands on keyboard image by User:Colin / Wikimedia Commons, CC BY-SA 4.0]
