August 26, 2016

Hacking vulnerability allegations spawn St. Jude Medical suit, FDA investigation

St. Jude Medical announced it will sue four entities and three individuals involved in making allegations that its pacemakers and implantable cardioverter defibrillators with remote monitoring capabilities are at risk for being hacked.

The company decried the allegations as “false and misleading.” The FDA confirmed to Cardiology Today that it is investigating the allegations.

The response was to an announcement by Muddy Waters Capital LLC that the firm is shorting St. Jude Medical’s stock based on findings from MedSec, a cybersecurity firm, because “there is a strong possibility that close to half of [St. Jude Medical’s] revenue is about to disappear for approximately 2 years. [St. Jude Medical’s] pacemakers, ICDs and [cardiac resynchronization therapy devices] might — and in our view, should — be recalled and remediated.”

“The FDA is aware of the allegations and concerns raised in MedSec’s public report, and we are working with the Department of Homeland Security to investigate the findings of the report,” Angela Stark, FDA press officer, told Cardiology Today. “At the present time, patients should continue to use their devices as instructed and not change any implanted device. The FDA will provide updates as we learn more. In the interim, if a patient has a question or concern, they should talk with their doctor.”

In the press release announcing the suit, St. Jude Medical stated the defendants are being sued for “false statements, false advertising, conspiracy and the related manipulation of the public markets in connection with St. Jude Medical’s implantable cardiac management devices.”

According to the release, the defendants are Muddy Waters Consulting LLC, Muddy Waters Capital LLC, MedSec Holdings Ltd., MedSec LLC and three individuals.

The initial announcement from Muddy Waters stated that the firm has seen two types of cyber-attacks against St. Jude Medical devices with remote monitoring demonstrated: One causing the device to “crash” and pace “at a potentially dangerous rate,” and the other draining the battery. The firm released a second announcement after St. Jude Medical’s initial response.

St. Jude Medical stated in its initial press release that the report’s claim that batteries can be depleted at a 50-foot range is false because after implantation, the devices’ wireless communication range is approximately 7 feet, and that the “crashing” report “has little detail on this simulation and includes many inconsistencies.”

“Our top priority is to reassure our patients, caregivers and physicians who use our lifesaving devices that we are committed to the security of our products and to ensure our patients and their doctors maintain ongoing access to the proven clinical benefits of remote monitoring,” Mark Carlson, MD, vice president and chief medical officer of St. Jude Medical, said in the release announcing the lawsuit. “We decided to take this action because of the irresponsible manner in which these groups have acted.”

Stark from the FDA told Cardiology Today that “in managing cybersecurity threats, the FDA encourages manufacturers to stay vigilant and correct vulnerabilities with their products in a proactive manner. In addition, the FDA has and continues to coordinate among device manufacturers, other government agencies, health care delivery organizations and security researchers to detect and fix vulnerabilities before they can seriously impact public health.

“It’s important to note that the FDA encourages cybersecurity researchers to work directly with manufacturers and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) when potential vulnerabilities are identified,” Stark said. “In fact, a key component of our draft guidance on postmarket medical device cybersecurity is establishing and supporting formal policies for coordinated vulnerability disclosure, in which manufacturers and cybersecurity researchers work together openly in a trusted environment to identify, assess and remediate cybersecurity vulnerabilities before they can harm patients. This collaborative information sharing, disclosure and risk assessment enables all stakeholders to better address device safety.”

A spokesperson for the Heart Rhythm Society said the society would have no comment on the issue beyond statements by the FDA. – by Erik Swain

Editor’s Note: This article was updated on Sept. 7, 2016 to add information about the lawsuit filed by St. Jude Medical and on Sept. 16, 2016 to add comments from the FDA.