St. Jude issues patch for heart device cyber vulnerabilities

Dive Brief:

Months after the FDA launched an investigation of possible cyber vulnerabilities with St. Jude Medical heart implants, the company is deploying a software patch to mitigate the “extremely low” risk a hack could occur.
The company said it has issued seven software updates for the [email protected] transmitter over the past three years and would start implementing the latest patch immediately.
An FDA safety alert, issued Monday, says the agency has reviewed information regarding possible attacks on St. Jude’s [email protected] Transmitter and believes the vulnerabilities could allow unauthorized access to a patient’s RF-enabled cardiac implant.

Dive Insight:

The FDA began looking into cyber vulnerabilities with St. Jude devices in August after short-seller Muddy Waters and cybersecurity firm MedSec claimed the devices were easy targets for cyber criminals, putting patients’ lives at risk. On Monday, Muddy Waters issued a statement to say the newly released patch “vindicates” those claims.

On the other hand, the FDA stressed that no unauthorized breaches to the company’s devices have been reported and that the devices’ benefits to patients outweigh the cybersecurity risks. A separate advisory was issued by the Department of Homeland Security.

While St. Jude shares did take a beating do to the claims of cyber vulnerabilities, dropping more than 8% following the controversial report, it didn’t stop Abbott’s $25 billion acquisition of the St. Paul, MN, devicemaker, which closed last week. The deal creates one of the world’s largest cardiovascular device enterprises. Combined, their cardiovascular and neuromodulation portfolios boast annual sales of about $8.7 billion.

Meanwhile, St. Jude continues to pursue a defamation lawsuit against Muddy Waters and MedSec.