- Muddy Waters report Thursday said devices vulnerable to hacks
- Abbott still seeks to advance its $25 billion St. Jude deal

St. Jude Medical Inc. said a report issued by short-seller Muddy Waters LLC that could have derailed its purchase by Abbott Laboratories was “false and misleading,” while Abbott said it remained committed to the $25 billion deal.
“St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” the St. Paul, Minnesota-based company said Friday in a statement. For its part, Abbott said: “We continue to collaborate with St. Jude to advance the transaction.”
Muddy Waters, the research firm founded by Carson Block, took a short position in St. Jude after learning about flaws uncovered by a cybersecurity firm, which it says could allow hackers to tap into implanted devices. The 33-page report sent St. Jude’s shares down 5 percent on Thursday and raised questions about the company’s pending acquisition by Abbott, a deal that was announced in April. St. Jude’s shares pared losses after Friday’s statement, rising 0.2 percent to $78.01.
The report was based on work done by MedSec Holdings Inc., a Miami-based startup that approached Muddy Waters three months ago. According to MedSec, St. Jude’s home monitoring equipment, essentially a transmitter known as Merlin@home that relays data from pacemakers and defibrillators to doctors, was bereft of any standard security precautions, including encryption and authentication.
Muddy Waters said it stands by its analysis and called on St. Jude to take responsibility for its “flawed devices” that pose a risk to their users.
“St. Jude’s response shows that it appears to ignore the nature of the vulnerabilities and the attacks we describe in the report,” the company said in an e-mailed comment. “Its statement offers false assurances that the devices are secure and we intend to publicly refute the company’s desperate attempt to brush the issue aside once again.”
St. Jude disputed the analysis and the findings, saying its devices have numerous protections in place. The company conducts regular risk assessments and performs penetration tests by internal and external experts, St. Jude said. In addition, the system automatically and remotely upgrades all units that are in active use.
The medical device maker also said the wireless communication method it uses is limited to a range of about 7 feet (2.1 meters) once the equipment is implanted inside a patient, far less than the 50-foot radius cited by the report from Muddy Waters and MedSec. An attack to deplete the battery would require continuous pings within this distance for hundreds of hours, essentially requiring a patient to remain immobile for days on end, St. Jude said.
“Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices, i.e. those that have not been updated through the automated remote upgrade process,” the company said. “We want to reassure our patients that our systems meet the highest international security requirements.”
The attack details, and even the vulnerability of St. Jude’s pacemakers and defibrillators, may be irrelevant, said Jason Mills, an analyst with Canaccord Genuity in San Francisco. The U.S. Food and Drug Administration has known about potential risks for years, is working with companies to update their devices and has no precedent for issuing a recall based on cybersecurity concerns, he said. There is no information about the risks of St. Jude devices compared to rival products, and the issue is unlikely to dissuade Abbott, he said.
“There is merit to the claim that you can hack into the Merlin@home,” said Mills, who has often been a critic of St. Jude. “The question comes down to the degree of patient risk. I see a disconnect between the sensational sort of implications around the allegations, which are not necessarily reality. And I don’t think there is a big probability that Abbott is going to walk away.”