Share this article on:
When security researchers at MedSec discovered flaws in a suite of medical products, instead of contacting the manufacturer of the devices – St. Jude Medical – the company divulged the information to Carson Block, a short seller who runs investment capital firm Muddy Waters Capital LLC.
MedSec will receive payment from Muddy Waters for the disclosure. Block has taken a short position against the manufacturer and the bigger the fall in stock prices, the more MedSec stands to make.
St. Jude Medical was the second most popular stock with large hedge funds in Q2, 2016. Block recently issued a report through Muddy Waters explaining the flaws which sent stock prices tumbling. After the report was published, St. Jude Medical stock lost 8% of its value and closed the day 5% down.
In the report, Block predicted that St. Jude Medical could end up losing half of its annual revenue for at least the next two years while the flaws are remediated. The revelation also threatens to derail the recent $25 billion acquisition of the company by Abbot Technologies.
The security vulnerabilities affect St. Jude Medical’s defibrillators and pacemakers. MedSec researchers discovered ‘stunning’ cybersecurity flaws that would enable cybercriminals to remotely hack the devices and alter their function. This could have fatal consequences for patients who have pacemakers fitted. The flaws could be exploited in two types of attack. A malicious actor could crash the devices causing them to malfunction, or an attacker could alter the function causing the battery to drain. Muddy Waters has replicated both types of attack following the instructions provided by MedSec.
The malicious manipulation of the function of medical devices has been widely reported in recent months. Researchers have already been able to show that drug pumps can be manipulated, potentially resulting in overdoses of pain medication or prevention of drug delivery. The latter could cause patients to experience pain or be severely harmed.
Many of the flaws in medical devices are only theoretically possible or require a significant level of skill to exploit. According to the Muddy Waters report these flaws are different. They can easily be exploited by individuals without much technical skill.
According to the report, the attacks “can be directed randomly at any STJ Cardiac Device within a roughly 50-foot radius, theoretically can be executed on a very large scale, and most gallingly, are made possible by the hundreds of thousands of substandard home monitoring devices STJ has distributed.” The flaws are so severe that Muddy Waters says they warrant a product recall.
MedSec’s Chief Executive Officer Justine Bone told Bloomberg, “As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts.” The research was part of an 18-month investigation into the safety of medical devices by MedSec.
MedSec’s decision not to report the “severely deficient” security mechanisms to St. Jude Medical was allegedly made because it was thought that the issues “would be swept under the carpet.” It was claimed that the primary reason for the decision not to inform St. Jude Medical of the flaws was to ensure there were “mitigations.” Partnering with Carson Block was a way of ensuring that prompt action was taken to address the flaws. The decision was allegedly not financially motivated.
St. Jude Medical’s CTO, Phil Ebeling, responded by saying that “the allegations are absolutely untrue.” It was explained that several levels of security are in place and all devices are tested to ensure they are safe.
St. Jude’s vice president of external communications issued a statement saying “Protection of confidential patient and consumer information is a high priority for us. We will remain vigilant to potential security vulnerabilities of our products and data in light of ever-increasing technological sophistication.”