- St. Jude Medical lashed out at investment firm Muddy Waters Capital and cybersecurity research firm MedSec, saying allegations its pacemakers, defibrillators and other devices are vulnerable to hacking are false and misleading.
- St. Jude Medical saw its shares drop after a report by Muddy Waters Capital said the firm was selling short the devicemaker's stocks because of the finding.
- The move could signal a new tack for getting healthcare companies to invest more in cybersecurity — by raising serious questions about vulnerability.
In a press release issued Tuesday, St. Jude President and CEO Michael Rousseau maintained its devices are secure and accused Muddy Water and MedSec of “unnecessarily frightening patients.”
Officials pointed out that a video released by the two firms to purportedly showing a crash of a St. Jude device actually depicted the Radio Frequency Telemetry Lockout security feature on St. Jude pacemakers.
“The video clearly shows a security feature, not a flaw,” said Phil Ebeling, vice president and chief technology officer at St. Jude. “The pacemaker is actually functioning as designed. If attacked, our pacemakers place themselves into a ‘safe’ mode to ensure the device continues to work, which further proves our commitment to safety and security.”
Mandeep Khera, chief marketing officer at Arxan Technologies, told Politico that an industrywide review would probably find 80% of devicemakers have similar problems to those cited by Muddy Water and MedSec. “Singling [St. Jude] out is not fair unless you publish a report that lists every single company,” he said.
One theory posits MedSec and Muddy Waters set out to profit from withholding information over poor cybersecurity of the devices from St. Jude and the resulting short sell, Healthcare IT News reported. MedSec’s compensation for the security review was tied to the stock trade.