St. Jude heart device security under fire again

MedSec and Muddy Waters reveal that security vulnerabilities can weaponize pacemakers.
By Jessica Davis
12:47 PM

St. Jude Medical is facing new allegations that its heart devices are vulnerable to cyberattacks. Muddy Waters and security firm MedSec included the claims as part of their defense against the defamation lawsuit St. Jude filed against the companies in September.

The companies submitted a legal filing that stated St. Jude’s implanted heart devices are vulnerable to attack and put patients at risk. Security firm Bishop Fox compiled the report and presented it as evidence to the federal court hearing the case in Minnesota.

The report reiterated Muddy Waters’ and MedSec’s original statements regarding St. Jude’s implant ecosystem, and stated the claims were ‘by and large, accurate.’

Regarding the implantable cardiac device ecosystem, report author Carl Livitt said: “The security measures I observed do not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients.”

Specifically, the wireless protocol used to communicate with St. Jude’s cardiac devices has serious vulnerabilities, including the ability to turn the pacemaker into a weapon by disabling therapeutic care and delivering shocks to patients at distances of up to 10 feet, Livitt explained.

This latest accusation is part of the ongoing St. Jude lawsuit filed in response to allegations its medical devices were vulnerable to cyberattack due to security issues.

According to MedSec’s and Muddy Waters’ initial report, successful attacks could drain battery life or manipulate pacemaker beat rates. Following that report, St. Jude’s stock plummeted.

If St. Jude is to be believed, Muddy Waters and MedSec issued these false warnings to intentionally drop the value of St. Jude’s stock and profit from a short-selling scheme. In a short sale, investors sell stock they believe will soon lose value, which allows them to buy it back at a lower price and make a profit.

St. Jude has vehemently denied all of the accusations and stands by the safety of its devices. In response to the most recent allegations, officials continue to defend the devices:

“Muddy Waters and MedSec have once again made public unverified videos that purport to raise safety issues about the cybersecurity of St. Jude Medical devices. This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry.

Patients, physicians, and caregivers deserve better than the irresponsible release of information that is intended for financial gain and is unnecessarily frightening.”

St. Jude recently formed a Cyber Security Medical Device Advisory board to ensure cybersecurity protocols are both effective and protect patients’ lives.

Muddy Waters launched Profits over Patients this month, a website that documents the court case as it unfolds. The site also contains videos that reportedly demonstrate the findings of both reports. 
