St. Jude Medical Faces New Allegations of Medical Device Vulnerabilities

In August, Muddy Waters published a report that alleged certain St. Jude Medical devices were susceptible to cyberattacks that placed the safety of patients at risk. Muddy Waters placed a short-selling bet on St. Jude Medical stock after being supplied with details of security vulnerabilities by research firm MedSec. St. Jude Medical has denied that the vulnerabilities exist, while a team of researchers from the University of Michigan has also cast some doubt on the methodology used by MedSec, as well as on whether the vulnerabilities actually exist and pose a clinical risk.

St. Jude Medical filed a lawsuit in September against both Muddy Waters and MedSec, claiming the allegations were manipulative and false. Now, almost a month later, Muddy Waters has published videos on a website – Profits Over Patients – highlighting four more flaws in St. Jude Medical cardiac devices. The videos were released to counter “St. Jude Medical’s attempt to sweep revelations about its extremely poor cybersecurity under the rug through a lawsuit,” and to back up the claims that the cardiac implants are vulnerable to attack.

Since the report was published, St. Jude Medical has announced that it has created a cybersecurity medical advisory board of physicians. The board will help to ensure that “St. Jude Medical’s cybersecurity protections continue to be innovative without jeopardizing patient care.” St. Jude Medical has already claimed that the company has a long history of working closely with cybersecurity experts to ensure that potential vulnerabilities in its devices are rapidly identified and addressed. According to a statement released by St. Jude Medical, “We regularly upgrade and enhance our products and our entire ecosystem to help ensure we are balancing the need to keep ahead of technological threats with the impact on patient care.”

On Monday, Muddy Waters said in a legal filing that external experts have been hired to validate the claims made in the August report. Cybersecurity firm Bishop Fox released a 53-page report, which is being used in the defense of the lawsuit filed by St. Jude Medical in the federal court in Minnesota. Bishop Fox has validated the claims made by Muddy Waters that the cardiac devices are susceptible to hacking. In the report, Carl Livitt, a Bishop Fox partner, said “Muddy Waters’ and MedSec’s statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate.”

Bishop Fox claims it was able to replicate four attacks on St. Jude Medical cardiac devices from a range of 3 meters, although it would be possible to conduct those attacks from up to 100 meters with the right equipment.

Muddy Waters has previously released a statement saying “[St Jude Medical] devices should be recalled and sales halted while the flaws are fixed.” However, while investigations into the alleged vulnerabilities are being conducted, the Food and Drug Administration (FDA) recommends patients continue using the devices as instructed by their physicians as “The benefits of the devices far outweigh any potential cyber security vulnerabilities.” St. Jude Medical continues to maintain that its devices do not have “significant security vulnerabilities.” Muddy Waters plans to document the court case on the Profits Over Patients website as it progresses.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news