St. Jude devices vulnerable to cyberattack say Muddy Waters, MedSec

After uncovering cybersecurity vulnerabilities with St. Jude Medical cardiac devices, security research firm MedSec shared its findings first with investment firm Muddy Waters Capital as part of a deal that, so far, appears to be helping the companies profit off of the device maker’s adversity.

Muddy Waters, after receiving the information, published a report Thursday in which it sold short on St. Jude, according to Bloomberg. The more Muddy Waters investors profit on the news, the more money MedSec earns, the article notes. Shares of St. Jude Medical plummeted close to 4 percent by the end of the day Thursday.

 

The report rails on St. Jude for troubling cybersecurity vulnerabilities that are easily exploitable. In a statement explaining MedSec’s actions posted to the company’s website, CEO Justine Bone says that St. Jude has profited for years on devices with “little to no built-in security.”

“We believe St. Jude Medical has known about security problems in their products since at least 2013, but it is apparent from the lack of security protections or mechanisms in their product line that very little action has been taken,” Bone said.

Furthermore, Bone told Bloomberg that MedSec believed St. Jude “would sweep this under the rug” or become embroiled in “a hush litigation situation” in which patients were oblivious to the details of the poor security. MedSec and Muddy Waters plan to inform the U.S. Food and Drug Administration of the vulnerabilities, according to the article.

In a letter posted to MedSec’s website, Hemal Nayak, an electrophysiologist and assistant professor of medicine at the University of Chicago Medicine, tells his patients who use implanted St. Jude cardiac electronic devices to discontinue home monitoring. Nayak also serves on MedSec’s board of directors.

Reacting to the news, Josh Corman, director of the Atlantic Council’s Cyber Statecraft Initiative, told Politico Pro’s Morning eHealth that the situation, while raising awareness, also could “create an adversarial relationship between cybersecurity firms and medical device companies.”

St. Jude Chief Technology Officer Phil Ebeling called the claims in the report “absolutely untrue,” according to CNN.
