- The Washington Times - Wednesday, August 31, 2016

Researchers at the University of Michigan on Tuesday disputed cybersecurity concerns raised in a recent effort to short-sell St. Jude Medical, the U.S.-based manufacturer of implanted heart devices including pacemakers and defibrillators.

St. Jude’s stock suffered its largest single-day loss in seven months Thursday upon the release of a report by short-selling firm Muddy Waters accusing the company’s implanted medical devices of having “significant vulnerabilities” that make them prone to hacking.

Citing the findings of researchers at cybersecurity firm MedSec Holdings, Muddy Waters predicted St. Jude will issue a massive recall and suffer potentially billions of dollars in losses following the release of the report. On Friday, attorneys for a St. Jude patient filed a potential federal class-action lawsuit based on the findings.

A team composed of medical device security researchers and a cardiologist from the University of Michigan’s Frankel Cardiovascular Center attempted to conduct the same cyberattacks against St. Jude’s products described in Muddy Waters‘ report and came to “strikingly different conclusions,” the school said Tuesday.

“We’re not saying the report is false, we’re saying it’s inconclusive because the evidence does not support their conclusions,” said Kevin Fu, an associate professor of computer science and engineering at the school and director of its Archimedes Center for Medical Device Security. “We were able to generate the reported conditions without there being a security issue.”

Specifically, the researcher said that a series of error messages Muddy Waters cited as demonstrating a successful security breach is actually something much more mundane.

“To the armchair engineer it may look startling, but to a clinician it just means you didn’t plug it in. In layman’s terms, it’s like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard,” he said.

The Michigan team’s findings were released Monday as St. Jude publicly denounced the short-selling firm’s findings for the second time since the supposed security vulnerabilities were first announced.

“The allegations made by Muddy Waters and MedSec are irresponsible, misleading and unnecessarily frightening patients,” Michael T. Rousseau, president and chief executive officer at St. Jude Medical, said in a statement. “We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices. This behavior speaks volumes about the profit-seeking motives and integrity of these organizations.”

Muddy Waters responded to the Michigan team by saying it wasn’t surprised their research was inconclusive, Reuters reported Tuesday. 

“We deliberately did not publish detailed information on the vulnerabilities, exploits or attacks on the devices in order to avoid giving the play book to potential attackers,” the statement said. “If anything, this proves that we were responsible with our disclosure.”

St. Jude’s stock was down 4 percent when markets opened Wednesday compared to its value before the release of last week’s report.

Copyright © 2018 The Washington Times, LLC. Click here for reprint permission.

The Washington Times Comment Policy

The Washington Times welcomes your comments on Spot.im, our third-party provider. Please read our Comment Policy before commenting.


Click to Read More and View Comments

Click to Hide