In late August, short-selling investment firm Muddy Waters issued an alarming report claiming that St. Jude Medical’s pacemakers, ICDs, and CRTs “should be recalled or remediated” for what it determined were cybersecurity vulnerabilities.
In the report, the firm said, “We have seen demonstrations of two types of cyberattacks against STJ implantable cardiac devices: a “crash” attack that causes cardiac devices to malfunction — including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users.” In its report Muddy Waters further asserted that despite having no background in cybersecurity, it had been able to replicate in-house key exploits that help to enable these attacks.
Within days of Muddy Waters report, independent researchers at the University of Michigan attempted to replicate the findings, but were unable to do so and said that the report “has major flaws of its own.” The team is composed of several leading medical device security researchers and a cardiologist from the U-M Health System’s Frankel Cardiovascular Center. In reproducing the experiments that led to the allegations, the U-M researchers said that they came to “strikingly different conclusions.”
The U-M team said that the error messages the report cites as evidence of a successful “crash attack” into a home-monitored implantable cardiac defibrillator “are the same set of errors that display if the device isn’t properly plugged in.”
If such a major allegation can be checked — and then discredited — so easily, it is easy to question the motivation behind publishing such a report.
“The report is inconclusive because the evidence does not support their conclusions,” said Kevin Fu, U-M associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security. Fu is also co-founder of medical device security startup Virta Labs.
Fu goes on to say that “to the armchair engineer [the error] may look startling, but to a clinician it just means you didn’t plug it in. “In layman’s terms, it’s like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard.”
As expected, St. Jude swiftly fired back at Muddy Waters with a lawsuit “for false statements, false advertising, conspiracy, and the related manipulation of the public markets in connection with St. Jude Medical’s implantable cardiac management devices,” citing the findings of the U-M researchers in their complaint.
St. Jude’s stock fell sharply when the report was issued. Its lawsuit alleges that Muddy Waters “intentionally disseminated false and misleading information in order to lower the value of St. Jude Medical’s stock and to wrongfully profit from a drop in share value through a short-selling scheme.”
For the sake of the many patients who rely on these critical medical devices, let’s hope for a quick resolution to this very sad turn of events and a lesson learned for anyone else who may be tempted to make such claims without the expertise to back them up.
Sherrie Trigg, Editor