New videos detail alleged St. Jude Medical security vulnerabilities


A new website containing videos that claim to show additional cybersecurity vulnerabilities of St. Jude Medical cardiac tools is the latest salvo in a showdown between the device maker and the duo of investment firm Muddy Waters and security research firm MedSec Holdings.

The site’s Oct. 19 launch comes nearly two months after a report published by Muddy Waters and MedSec revealed St. Jude devices to be prone to hacking attacks. In the report, Muddy Waters sold short on St. Jude stock.

St. Jude responded by filing a lawsuit in early September against the pair, calling the accusations false and manipulative. A spokesperson for Muddy Waters then told the Wall Street Journal that it stood by its report, saying that St. Jude is trying to “silence its critics.”

St. Jude responded to the new videos in a statement on its website, calling them “unverified” and saying that it stands behind the security of its devices.

“For years, we have been proactively working to identify, understand and address potential cybersecurity vulnerabilities--a commitment that is institutionalized within our company,” St. Jude said. “We seek input and collaborate with regulators, medical experts, leading independent researchers and cybersecurity experts to continuously strengthen our devices and systems. We regularly upgrade and enhance our products and our entire ecosystem to help ensure we are balancing the need to keep ahead of technological threats with the impact on patient care.”

On the Muddy Waters-MedSec site, the entities note that an answer to St. Jude’s lawsuit is forthcoming.

The U.S. Food and Drug Administration told HealthcareInfoSecurity in a statement that it has seen the videos and is working with the Department of Homeland Security to examine the issues. The agency recommended that patients continue using such devices as directed, saying that the benefits “far outweigh any potential cybersecurity vulnerabilities.”

At AdvaMed 2016 in Minneapolis earlier this week, Seth Carmody, a cybersecurity project manager with the FDA, told healthcare executives in attendance that his agency and manufacturers must work together to fix security flaws in medical devices.

Earlier this month, Johnson & Johnson proactively issued a warning that its J&J Animas OneTouch Ping insulin pump is vulnerable to hacking attacks, although in letters to patients and providers, the company called the probability of such attacks “extremely low.”