Muddy Waters Keeps Hammering St. Jude on Cybersecurity

Nancy Crotti

October 24, 2016

4 Min Read
Muddy Waters Keeps Hammering St. Jude on Cybersecurity

The investment firm says a third-party cybersecurity expert's report backs up their claims that St. Jude Medical's pacemakers and defibrillators are vulnerable to cyber attacks.

Nancy Crotti

The investment and security firms that claim St. Jude Medical's cardiac rhythm devices are vulnerable to cyberattack are claiming their actions are protected by the First Amendment.

In their answer to St. Jude's federal lawsuit, defendants Muddy Waters Capital, cybersecurity outfit MedSec, and three principals in the firms produced an independent cybersecurity expert's report that largely confirms their original allegations.

They also denied St. Jude's claimsthat Muddy Waters and MedSec sought to wrongly profit from a short-selling scheme by spreading false and misleading claims about the security of St. Jude's pacemakers and defibrillators in order to lower the value of the medical device company's stock.

"Muddy Waters' research, which it provides for free, has helped regulators with at least nine investigations of public companies, resulting in four de-listings from national stock exchanges, recovery of tens of millions of dollars in fines from public companies, and more than $100 million in payment to investors," the firms and executives claim in their answer.

The defendants also state that St. Jude's request for an injunction against them constitutes prior restraint that would prohibit "speech on matters of public concern... (and) endangers the lives and risks the health of thousands of unsuspecting consumers."

The counterclaim also includes a lengthy statement by independent cybersecurity consulting firm Bishop Fox, which assembled a team to attempt to evaluate MedSec's research on four parts of the St. Jude cardiac device ecosystem: a PCS programmer, used by physicians to configure cardiac devices by setting parameters such as pacing rate, to issue emergency shocks, and to configure therapeutic settings that control how ICDs respond to abnormal cardiac activity; an inductive wand that the programmer uses to "wake up" cardiac devices prior to communicating with them; a Merlin@home home monitoring system; an implantable cardioverter defibrillator; and a pacemaker.

"The security measures I observed do not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients," writes Carl Livitt, a partner in Bishop Fox. "In particular, the wireless protocol used for communication amongst St. Jude Medical cardiac devices has serious security vulnerabilities that make it possible to convert Merlin@home devices into weapons capable of disabling therapeutic care and delivering shocks to patients at distances of 10 feet, a range that could be extended using off-the-shelf parts to modify Merlin@home units."

In late August, Muddy Waters published research notes claiming the company's cardiac devices are more vulnerable to cybersecurity attacks and should be recalled. St. Jude was not made aware of the research findings before publication. Muddy Waters shorted St. Jude stock and MedSec was reportedly expected to also receive financial compensation from the profits.

Last week, Muddy Waters and MedSec released more videos on the website Profits Over Patients, alleging that new security vulnerabilities were built into St. Jude's Merlin@home home monitoring systems for patients with implanted cardiac devices. They maintain that Merlin monitors can issue programmer commands over radio frequencies, such as giving emergency shocks and turning off therapy from patients' cardiac implants.

The latest video further claims that programmer's code sits on a removable, unencrypted hard drive in the device inside the Merlin that can be plugged into a hacker's computer, and that a hacker could easily figure out the code and broadcast it to nearby patients over hacked Merlins. Another video on the site shows how hackers can exploit these alleged vulnerabilities.

Despite St. Jude's recent woes, Abbott CEO Miles White recently reiterated his company's intention to complete its purchase of St. Jude.

Nancy Crotti is a contributor to Qmed.

Like what you're reading? Subscribe to our daily e-newsletter.


About the Author(s)

Nancy Crotti

Nancy Crotti is a frequent contributor to MD+DI. Reach her at [email protected].

Sign up for the QMED & MD+DI Daily newsletter.

You May Also Like