Jude releases cyber updates for heart devices after U.S.
Send a link to a friend
[January 10, 2017]
By Jim Finkle
(Reuters) - Abbott Laboratories moved to
protect patients with its St. Jude heart implants against possible cyber
attacks, releasing a software patch on Monday that the firm said will
reduce the "extremely low" chance of them being hacked.
The company disclosed the moves some five months after the U.S.
government launched a probe into claims the devices were vulnerable
to potentially life-threatening hacks that could cause implanted
devices to pace at potentially dangerous rates or cause them to fail
by draining their batteries..
The Food and Drug Administration and the Department of Homeland
Security said that St. Jude's software update addresses some, but
not all, known cyber security problems in its heart devices.
The patch that Abbott began pushing out to patients on Monday
addresses vulnerabilities that present the greatest risk to patients
and prevent hackers from accessing the device, said FDA spokeswoman
"The patch is intended to reduce the risk of unauthorized
individuals exploiting the vulnerability and support patient
safety," she said. "The FDA has maintained this focus on addressing
patient safety first and foremost throughout its investigation."
A Department of Homeland Security spokesman said he had no immediate
comment on the remaining problems.
St. Jude spokeswoman Candace Steele Flippin declined to identify
specific problems, but said: "The cybersecurity landscape is
evolving. St. Jude Medical has worked with, and continues to work
with, the FDA and DHS to update and improve the security of our
MedSec Chief Executive Justine Bone said in a statement that "a
multitude of severe vulnerabilities" were not fixed in the security
They include the ability to issue an unauthorized command to a
cardiac implant from a device other than St. Jude's Merlin@Home
device, Bone said.
Monday marked the first time that the FDA and DHS had confirmed that
St. Jude devices were vulnerable to hacking. They said they knew of
no cyber attacks on patients with the company's cardiac implants.
The FDA said that the benefits of continuing treatment outweighed
cyber risks. DHS said only an attacker "with high skill" could
exploit the vulnerability.
They launched the probe in August after short-selling firm Muddy
Waters and cyber security firm MedSec Holdings said the devices were
riddled with security flaws that made them vulnerable to potentially
[to top of second column]
When Muddy Waters went public with the claims, it also disclosed it
was shorting St. Jude Medical, which was preparing to sell itself to
The short-selling firm said it believed that disclosure of the
vulnerabilities could cause the $25 billion deal to fall apart, but
Abbott last week completed its acquisition of St. Jude, one of the
world's biggest makers of implantable cardiac devices.
Muddy Waters founder Carson Block said he felt the release of the
software patch "effectively vindicates" the research produced by his
firm and MedSec.
As St. Jude announced the security patch, it declined comment on a
lawsuit it filed against Muddy Waters and MedSec in September. It
accused them of perpetrating a "willful and malicious scheme to
manipulate the securities markets for their own financial windfall."
MedSec said St. Jude has not dropped the lawsuit.
Abbott shares closed down 0.1 percent at $40.74. The S&P 500, by
comparison, dipped 0.3 percent.
(Reporting by Jim Finkle in Boston; editing by Jeffrey Benkoe,
[© 2017 Thomson Reuters. All rights
Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.