St. Jude Medical, the global medical device manufacturer accused of having security flaws in its pacemakers and defibrillators, is fighting back against the allegations made by a research firm and cybersecurity company.
The Little Canada, Minnesota-based company issued a lengthy response four days after the claims were made in a 33-page report from Muddy Waters Capital LLC and MedSec Holdings.
“We have examined the allegations made by (Muddy Waters) Capital and MedSec on August 25, 2016, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading,” the company stated. “Our top priority is to reassure our patients, caregivers and physicians that our devices are secure, and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”
The allegations made by Muddy Waters Capital in a report to investors last week rocked the medical devices industry and Wall Street because Carson Block, head of Muddy Waters, announced the firm was short-selling the St. Jude Medical stock because of the alleged security risks, and called for the equipment to be recalled and sales of the devices to be stopped until changes could be made.
“The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction,” Block said in an interview that was included in a Bloomberg story about his firm’s claims. The company “should stop selling these devices until it has developed a new secure communication protocol.”
Muddy Waters said MedSec raised the concerns with it three months ago. MedSec, which includes several hackers such as CEO Justine Bone, told Muddy Waters it had been trying to find security flaws in medical devices from major manufacturers and determined that the St. Jude products had an “astounding” level of problems, according to the Bloomberg story.
In what Reuters described as an “unusual deal,” Block hired MedSec as a consultant and agreed to pay a percentage of profits from investments in St. Jude Medical as well as a fee for the research. The two firms said the biggest vulnerabilities were found in a device called Merlin@home™, which is supposed to read data from the pacemaker or defibrillator and transmit it to a doctor’s office.