Muddy Waters, MedSec Again Attack St. Jude Over Cybersecurity

Jamie Hartford

October 21, 2016


New videos purport to show how company programmers made it easy for hackers to attack cardiac implants and pacemakers.

Nancy Crotti

Investment firm Muddy Waters and security research company MedSec have fired another salvo against St. Jude Medical in their battle over the alleged vulnerability of St. Jude's implantable cardiac devices.

The duo put up a video (see above) on the website Profits Over Patients, with ominous music playing while a middle-aged man in a darkened conference room talks about cybersecurity issues that they say put hundreds of thousands of patients in danger from hackers.

The video focuses on alleged new security vulnerabilities that Muddy Waters and MedSec claim were built into St. Jude's Merlin@home home monitoring systems. They maintain that Merlin monitors can issue programmer commands over radio frequencies, such as giving emergency shocks and turning off therapy from patients' cardiac implants.

They further claim that the programmer's code sits on a removable, unencrypted hard drive inside the Merlin that can be plugged into a hacker's computer, and that a hacker could easily figure out the code and broadcast it to nearby patients over hacked Merlins. Another video on the site shows how hackers can exploit these alleged vulnerabilities.

"St. Jude Medical software developers left hackers a treasure trove of debugged symbols and other reverse engineering tools to serve as an illustrated map of available functionality," the man on the video says.

St. Jude, which has sued both firms and three of their principals, fired back in a statement, adding that it stands by the safety and security of its devices.

"Muddy Waters and MedSec have once again made public unverified videos that purport to raise safety issues about the cybersecurity of St. Jude Medical devices," the company said. "This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry. We take this matter very seriously and will once again work to quickly evaluate this new information."

The company also said it has been "proactively working to identify, understand and address potential cybersecurity vulnerabilities" for years, consulting with regulators, medical experts, independent researchers and cybersecurity experts to continuously strengthen its devices and systems.

"We regularly upgrade and enhance our products and our entire ecosystem to help ensure we are balancing the need to keep ahead of technological threats with the impact on patient care," the company said, adding that it is forming a "Cyber Security Medical Advisory Board of leading physicians to help ensure that St. Jude Medical's cyber security protections continue to be innovative without jeopardizing patient care."

St. Jude stock has dipped 2% over the past month, but Abbott CEO Miles White said he expects the $25 billion deal to close by the end of the year, according to a report in The Street.

Nancy Crotti is a contributor to Qmed.
