St. Jude Medical Could Have a Major Cybersecurity Problem

Activist investment firm Muddy Waters Capital says cybersecurity vulnerabilities in implantable St. Jude Medical cardio devices are "orders of magnitude more worrying."

Chris Newmarker

St. Jude Medical's stock was down nearly 5% Thursday after an activist investor firm announced it was shorting St. Jude after discovering serious cybersecurity flaws in the company's cardio devices. 

Muddy Waters Capital says it learned of the cybersecurity problems after being contacted by research outfit MedSec, which conducted an assessment of major manufacturers' pacemakers and implantable cardioverter defibrillators. MedSec researchers say there were stunned by the lack of security in St. Jude devices. 

"We have conducted deep research on the entire medical device industry for over 18 months and the vulnerabilities we discovered at St. Jude were appalling to us when compared to other medical device makers," Justine Bone, director and CEO of MedSec, said in a news release. 

"St. Jude may try to attack the messenger here, but in our opinion this company has decided to put profits ahead of security and these issues need to be fixed immediately," said Carson Block, founder and chief investment officer at Muddy Waters. "St. Jude's apparent lack of device security is egregious, and in our view, likely a product of years of neglect. Moreover, St. Jude's devices were the subject of a U.S. Department of Homeland Security investigation into cybersecurity flaws in 2014, yet these gaping holes seem to persist."

Phil Ebeling, St. Jude Medical's chief technology officer, responded in a company statement that the allegations in the report were absolutely untrue.

Muddy Waters and MedSec mentioned demonstrations of two types of attacks against St. Jude implantable cardiac devices: a "crash" attack leading to device malfunction or even pacing at a dangerous rate, and a battery drain attack. The weak spot in St. Jude's device ecosystem is its Merlin@home home monitoring systems, which Muddy Waters and MedSec described as "keys to the castle."

The groups said in their report: "These units are readily available on Ebay, usually for no more than $35. Merlin@homes

generally lack even the most basic forms of security, and as this report shows, can be exploited

to cause implanted devices to malfunction and harm users."

St. Jude Medical said in its statement: "There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin @home and on all our devices."

Only recently have medical device manufacturers made cyber security a key product design requirement, previously believing that placing the device behind a hospital firewall would provide enough protection, says Anthony James, vice president of products for TrapX Security.

"Hospitals and healthcare institutions continue to be caught in the increasing wave of cyberattacks that reached record levels in 2015 and continue unabated in 2016. These days, sophisticated attackers are using ransomware, medical device hijack (MEDJACK) and many other advanced techniques to penetrate healthcare networks and the connected medical devices," James said.

Chris Newmarker is senior editor of Qmed. Follow him on Twitter at @newmarker.

Like what you're reading? Subscribe to our daily e-newsletter.

[Sinister hands on keybord image by User:Colin / Wikimedia Commons, CC BY-SA 4.0]