Medical-device manufacturer St. Jude Medical has come out swinging against allegations that its pacemakers and other devices are vulnerable to hacks.
A report published Aug. 25 by short-selling investment firm Muddy Waters and cybersecurity company MedSec Holdings claims that St. Jude's cardiac devices, particularly its Merlin@Home Transmitter, “lack even the most basic forms of security.” The analysis states that its devices lack hardware identify protection, encrypted software and anti-debugging mechanisms.
St. Jude officials have consistently denied the allegations since the report published.
In a prepared statement on Tuesday, President and CEO Michael Rousseau said: “The allegations made by Muddy Waters and MedSec are irresponsible, misleading and unnecessarily frightening patients. We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices. This behavior speaks volumes about the profit-seeking motives and integrity of these organizations.”
St. Jude also criticized a video released Monday by Muddy Waters and MedSec that shows a hacker “crash” a pacemaker.
The company said the video actually demonstrated how a security feature on the pacemaker functions. “The pacemaker is actually functioning as designed,” said Phil Ebeling, VP and chief technology officer at St. Medical, in a statement.
An independent report published Tuesday by the University of Michigan found flaws in the analysis by Muddy Waters and MedSec.
The U-M researchers reproduced experiments that led to the allegations and came to “strikingly different conclusions,” according to a news release.
For example, Muddy Waters and MedSec photograph error messages from a defibrillator device, claiming that these messages are proof of a security breach. The U-M researchers found that the error messages appear to indicate when a defibrillator isn't working properly and the device is actually performing correctly.
U-M also questioned Muddy Waters short-selling interest in St. Jude Medical, providing a financial incentive if St. Jude's stock depreciates.
In a prepared response to the U-M report, a Muddy Waters spokesman said, “It's is no surprise the University of Michigan was inconclusive about our research given that we deliberately didn't publish detailed information on the vulnerabilities, exploits or attacks on the devices in order to avoid giving the playbook to potential hackers.”
The allegations against St. Jude devices come as Abbott Laboratories prepares to buy the devicemaker for $25 billion. Abbott Labs spokeswoman Darcy Ross said in a statement that the deal will continue despite the report.
St. Jude stock fell 5% after the report was released last week from $81.88 a share to $77.82 a share. On Wednesday afternoon, its stock was selling at $77.60 a share.
The St. Paul, Minn.-based company has a market value of $22.1 billion. In its second quarter, St. Jude reported $1.5 billion in net sales, a 10.8% increase from the same quarter a year ago.