Days after being acquired by Abbott, St. Jude Medical landed on the wrong end of a very public “I told you so” in January 2017 over a high-profile medical device cybersecurity report.

Given that President Biden’s $1.7 trillion omnibus appropriations bill, which includes significant measures aimed at improving medical device cybersecurity, goes into effect later this month, it seems like a good time to revisit the St. Jude Medical – Muddy Waters controversy.

It all started in August 2016 when a report published by short-seller Muddy Waters Capital and medical device cybersecurity firm MedSec claiming St. Jude’s implantable heart devices could be hacked.

St. Jude vehemently denied the claims and filed a defamation lawsuit against Muddy Waters and MedSec in September 2016. With the company’s $25 billion acquisition by Abbott still pending, some analysts raised concern that the report could jeopardize the deal. St. Jude said it filed the lawsuit to hold the defendants accountable for “false and misleading tactics,” and to “set the record straight” about the security of its devices.

FDA and the Department of Homeland Security ended up investigating the claims made by Muddy Waters and MedSec and confirmed that cybersecurity vulnerabilities did exist with certain St. Jude heart devices and its Merlin@home transmitter. FDA found that the devices could potentially be remotely accessed by unauthorized individuals who could, theoretically, harm patients. For example, an attacker could deplete the battery of an implanted device, alter pacing, or trigger shocks.

The company quickly released a patch to address the cybersecurity vulnerabilities. Unfortunately, the patch was not enough to satisfy the agency because in April 2017 FDA sent Abbott a warning letter instructing the company to submit a plan within 15 days to address previously identified cybersecurity vulnerabilities and other potential safety issues in certain St. Jude Medical heart devices.

“Although I had hoped [St. Jude Medical] would drop its lawsuit after these government disclosures, it did not,” Carson Block, founder of Muddy Waters, said in a legal document filed in August 2017. “Instead, it proposed a settlement that I considered offensive and contrary to public policy.”

The proposed settlement included a provision asking the defendants to agree not to disclose any information, data, or reports about St. Jude or Abbott products to FDA or the Department of Homeland Security (or any other government agency or regulator) independently, without an official request or subpoena for information from such an agency. If the defendants did get a request from a government agency for information about St. Jude Medical or Abbott products, the company would be entitled to a 14-day advanced notice.

“In other words, after our reports sparked federal investigations and resulted in adverse findings, [St. Jude Medical] wanted us to shut up, no matter what defects we discovered, no matter how threatening to patient safety. We could only talk if the government came asking us questions.”

Adding fuel to the fire, Block publicized the provision via Twitter, prompting a court order barring him from making any further settlement discussions public. Block noted that the parties had since been engaged in additional settlement discussions.

Taking the stigma out of medical device cybersecurity

Medical device companies “need to take the stigma out of talking about vulnerabilities” to help healthcare systems address cybersecurity risks, Rob Suárez, BD’s chief information security officer, told MD+DI in a 2021 interview.

BD was among the first medtech companies to develop a mature Coordinated Vulnerability Disclosure program. Also, in 2020, the company launched the BD Cybersecurity Trust Center.

"For BD, being transparent about potential vulnerabilities is essential because customers can't protect what they don't know," Suárez said, explaining that the company launched the trust center to proactively give customers a single source for BD medical device cybersecurity content.

"When cybersecurity vulnerabilities emerge, whether in our products or in third-party components, we provide guidance so customers can manage potential risk properly," he said.

To protect customers and patients, the industry has to create a community of practice, where we’re all working together to advance cybersecurity maturity, Suárez said. It’s also important for healthcare providers to know which initiatives to look for and prioritize when entrusting a medical device manufacturer with patient safety and patient privacy, he added. 

"From mature policies and standards to strong vulnerability and incident management processes and third-party validations, we aim to partner with customers to advance medical device cybersecurity," Suárez said.