St. Jude fires back at Muddy Waters, MedSec: Our medical devices are secure

A theory emerges that the investment and cybersecurity research firms withheld information from St. Jude to short-sell stocks and profit from the bad news about the security of its pacemakers and heart devices. 
By Jack McCarthy
10:19 AM

St. Jude Medical is fighting against allegations by investment firm Muddy Waters Capital and security researcher MedSec that its pacemakers and other heart devices are vulnerable to hacking and other cybersecurity threats.

“St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” the company said.  

Muddy Waters on Monday, meanwhile, called St. Jude’s response 20 percent substance and 80 percent fluff.

“There are no changes to MedSec or our conclusions about the lack of security in the STJ device ecosystem and our belief in the need for recall and remediation,” Muddy Waters countered.

[Special Report: Ransomware to get worse, hackers target whales, medical devices and IoT open new vulnerabilities]

One potential motivation for Muddy Waters Capital’s statements, Bloomberg reported, appears to be profiting in the wake of bad news about the device’s security problems.

“MedSec suggested (to Muddy Waters Capital) an unprecedented partnership: The hackers would provide data proving the medical devices were life-threatening, with (Muddy Waters) taking a short position against St. Jude,” according to Bloomberg. “The hackers’ fee for the information increases as the price of St. Jude’s shares fall, meaning both Muddy Waters and MedSec stand to profit.”

What’s more, MedSec CEO Justine Bone said that St. Jude has known about security problems for three years.

“It is apparent from the lack of security protections or mechanisms in their product line that very little action has been taken,” Bone said.

Muddy Waters added that St. Jude’s heart devices, such as its defibrillators and pacemakers, are vulnerable when the device’s system is crashed and when the battery of the device is drained.

As the Wall Street Journal reported, though, Muddy Waters is known for shorting stocks.

And St. Jude maintained that its software has been evaluated and assessed by several independent organizations and researchers including Deloitte and Optiv.


Sign up for the Healthcare IT News Privacy & Security Update newsletter.


Following the allegations last week, St Jude Medical shares closed down 4.96 percent. By Monday, shares in the company rose slightly, by .31 percent. The medical device maker agreed in April to sell itself for $25 billion to Abbott Laboratories.

White Hat hacker Josh Corman, a member of the U.S Department of Health and Human Services Cybersecurity Task Force, told Politico that he found the report nerve-wracking.

“Cybersecurity in the whole industry is terrible. This isn’t the only company with problems,” Corman said. “This will raise questions and awareness, which may be good, but it will also create an adversarial relationship. It could be overly worrisome to patients and serve as an advertisement to adversaries.” 

Twitter: @HealthITNews


Like Healthcare IT News on Facebook and LinkedIn