News Feature | September 8, 2016

St. Jude Medical Refutes Report Its Devices Are Vulnerable To Cyberattacks

Christine Kern

By Christine Kern, contributing writer


Stocks drop after Muddy Water publishes findings of “negligent product design.”

Short selling firm Muddy Waters Capital published a report alleging St. Jude Medical’s cardiac devices are vulnerable to cyberattacks resulting in the company’s stock prices falling more than 8 percent, according to CNBC. The report found St. Jude Medical had been “grossly negligent” in producing the devices.

Carson Block of Muddy Waters Capital told CNBC “This isn't an oversight or small little hole that you have to look very hard to find. These are gaping holes. This is a company that will ultimately be held to be grossly negligent.”

“The allegations are absolutely untrue,” Phil Ebeling, St. Jude's chief technology officer told Bloomberg. “There are several layers of security measures in place.”

The findings were produced by cybersecurity firm MedSec, which reportedly took them to Muddy Waters rather than St. Jude Medical because, in the past, the medical device maker had been unresponsive to security concerns. MedSec CEO Justine Bone told Closing Bell, “We have not seen St. Jude raise the bar, unlike some of their competitors who have put some basic protections in place.”

However, St. Jude Medical has vehemently challenged the findings, stating, “The report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”

The Muddy Waters advocated the recall and remediation of St. Jude’s cardiac devices, and suggested the company could face protracted litigation for gross negligence with an estimated $6.4 billion in potential damages. The report argued St. Jude's cardiac devices are vulnerable to two types of cyber attacks that can be exploited by low-level hackers, including methods to cause malfunction and to cause battery drain.

St. Jude stated, “The flawed test methodology on outdated software demonstrates fundamental lack of understanding of medical device technology,” refuting claims the system could be impaired, and said claims of remote batter depletion were “misleading.”

The company statement assured, “Patient safety has always been our top priority and we have every reason to believe our devices are safe. Because we recognize cybersecurity is a concern for patients, it is also a priority for St. Jude Medical. We have a dedicated resource on reinforcing our commitment to product and information security on our website.”