St. Jude Medical recently responded to allegations that its pacemakers and other cardiac devices contain medical device security flaws, calling the accusations “false and misleading.”
Muddy Waters Capital LLC, an investment firm that disclosed it was short-selling St. Jude stock, released a report saying that certain St. Jude cardiac devices have cybersecurity vulnerabilities that are “more worrying than the medical device hacks that have been publicly discussed in the past.”
According to the report, the devices could be attacked from within a 50-foot radius, and these medical device security issues “are made possible by the hundreds of thousands of substandard home monitoring devices [St. Jude] has distributed.”
“The STJ ecosystem, which consists of Cardiac Devices, STJ’s network, physician office programmers, and home monitoring devices, has significant vulnerabilities,” Muddy Waters explained in a report summary. “These vulnerabilities highly likely could be exploited for numerous other types of attacks.”
In its report, Muddy Waters said that St. Jude’s pacemakers, ICDs (implantable cardioverter defibrillators), and CRTs (cardiac resynchronization therapy devices) collectively represent 46 percent of the company’s revenue. Muddy Waters argued that the devices should be recalled and remediated, and predicted that close to half of St. Jude’s revenue would disappear over its recommended two-year remediation period.
In response, St. Jude said that patient security and safety have always been a top priority, and that the claims put forth in the Muddy Waters report are untrue. The company’s statement read:
“At St. Jude Medical, we work with third-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for our data and devices as part of our product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts.”
St. Jude said the accusation that its devices can be hacked from 50 feet away is false: once a device is implanted in a patient, its wireless communication has an approximate range of 7 feet.
“To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient,” the statement reads. “In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients.”
St. Jude also questioned the methodology Muddy Waters used to conclude that its devices could be made to crash in the way a computer does. According to St. Jude, the screenshot used in the report shows a fully functioning device, and the company said this part of the report contains many inconsistencies and gives little detail on how the simulation was conducted.
“Muddy Waters also makes numerous unsubstantiated statements that are speculative with no evidence shown to prove the claims such as an ability to impersonate any SJM device, reverse engineering to create a pocket-size programmer, and a large-scale attack through the Merlin network,” St. Jude wrote.
The company added that it supports full disclosure and works with NH-ISAC, the healthcare industry’s information sharing and analysis center, and with the Department of Homeland Security’s ICS-CERT.
“Patient safety has always been our top priority and we have every reason to believe our devices are safe. Because we recognize cybersecurity is a concern for patients, it is also a priority for St. Jude Medical,” St. Jude maintained. “We have a dedicated resource on sjm.com reinforcing our commitment to product and information security on our website.”
St. Jude’s stock slipped 5 percent after the Muddy Waters report was released, according to the Wall Street Journal, and fell a further 2.6 percent on Friday before St. Jude responded.