|
 U.S. regulators responded by reiterating previous advice that
patients should keep using the devices, and a St. Jude spokeswoman
said the company would respond "through appropriate legal channels."
Muddy Waters released a 53-page report from boutique cyber security
firm Bishop Fox as part of a legal filing in federal court in
Minnesota in its defense against a suit brought by St. Jude. Bishop
Fox said in the report it validated the claims with help from
well-known specialists in cryptography, computer hardware hacking,
forensics and wireless communications, and cyber research firm
MedSec Holdings that St. Jude cardiac implants are susceptible to
hacking.
St. Paul, Minnesota-based St. Jude has strongly disputed those
claims, which are under investigation by the U.S. Food and Drug
Administration.
One of the world's biggest makers of implantable cardiac devices,
St. Jude filed a lawsuit against San Francisco-based Muddy Waters,
Miami-based MedSec and individuals affiliated with those firms on
Sept. 7.
St. Jude accused them of intentionally disseminating false
information about its heart devices to manipulate its stock price,
which fell 5 percent the day they went public with their claims.
The FDA said in a statement it had no comment on the litigation but
that based on information obtained to date it urged patients to
continue using devices as directed by their physicians.
"The benefits of the devices far outweigh any potential cyber
security vulnerabilities," the FDA said of St. Jude's cardiac
implants, which the company said have been implanted in hundreds of
thousands of patients.
St. Jude spokeswoman Candace Steele Flippin said the company's
lawyers were reviewing the documents from Muddy Waters and MedSec.
"We continue to feel this lawsuit is the best course of action to
make sure those looking to profit by trying to frighten patients and
caregivers are held accountable for their actions," she said in an
email.
St. Jude in April agreed to sell itself for $25 billion to Abbott
Laboratories.
Short sellers like Muddy Waters make bets that stock prices will
fall, selling borrowed shares so they can buy them at a lower price
and profit from the difference.
[to top of second column] |
The defendants said that St. Jude's lawsuit is without merit,
reiterating their prior claim that St. Jude's heart devices have
"significant security vulnerabilities."
"Muddy Waters' and MedSec's statements regarding security issues in
the St. Jude Medical implant ecosystem were, by and large,
accurate," Bishop Fox Partner Carl Livitt said in the report.
The report said the wireless communications in St. Jude cardiac
devices are vulnerable to hacking, making it possible for hackers to
convert the company's Merlin@home patient monitoring devices into
"weapons" that can cause cardiac implants to stop providing care and
deliver shocks to patients.
Bishop Fox said it conducted successful test attacks from 10 feet (3
meters) away, but that the range might be extended to as far as 100
feet (30 meters) with an antenna and a specialized device known as a
software defined radio.
The report said Bishop Fox confirmed that several different types of
hacks were possible. In one instance, it said, a hacker could
remotely turn off the therapeutic functions of an implantable
cardioverter defibrillator (ICD), then send a T-wave shock to a
patient's heart, causing ventricular fibrillation, would could lead
to cardiac arrest.
Bishop Fox said its clients include Fortune 500 firms, global
financial firms, medical institutions and law firms.
Shares in St. Jude were little changed in afternoon trading.
(Reporting by Jim Finkle; Editing by Will Dunham)
[© 2016 Thomson Reuters. All rights
reserved.] Copyright 2016 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed. |
