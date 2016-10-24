(Recasts first paragraph, adds statements from FDA and St. Jude
in paragraphs 2, 7-10)
By Jim Finkle
Oct 24 Short-selling firm Muddy Waters said in a
legal filing on Monday that outside experts it hired validated
its claims that St. Jude Medical Inc cardiac implants
are vulnerable to potentially life-threatening cyber attacks.
U.S. regulators responded by reiterating previous advice
that patients should keep using the devices, and a St. Jude
spokeswoman said the company would respond "through appropriate
legal channels."
Muddy Waters released a 53-page report from boutique cyber
security firm Bishop Fox as part of a legal filing in federal
court in Minnesota in its defense against a suit brought by St.
Jude. Bishop Fox said in the report it validated the claims with
help from well-known specialists in cryptography, computer
hardware hacking, forensics and wireless communications, and
cyber research firm MedSec Holdings that St. Jude cardiac
implants are susceptible to hacking.
St. Paul, Minnesota-based St. Jude has strongly disputed
those claims, which are under investigation by the U.S. Food and
Drug Administration.
One of the world's biggest makers of implantable cardiac
devices, St. Jude filed a lawsuit against San Francisco-based
Muddy Waters, Miami-based MedSec and individuals affiliated with
those firms on Sept. 7.
St. Jude accused them of intentionally disseminating false
information about its heart devices to manipulate its stock
price, which fell 5 percent the day they went public with their
claims.
The FDA said in a statement it had no comment on the
litigation but that based on information obtained to date it
urged patients to continue using devices as directed by their
physicians.
"The benefits of the devices far outweigh any potential
cyber security vulnerabilities," the FDA said of St. Jude's
cardiac implants, which the company said have been implanted in
hundreds of thousands of patients.
St. Jude spokeswoman Candace Steele Flippin said the
company's lawyers were reviewing the documents from Muddy Waters
and MedSec.
"We continue to feel this lawsuit is the best course of
action to make sure those looking to profit by trying to
frighten patients and caregivers are held accountable for their
actions," she said in an email.
St. Jude in April agreed to sell itself for $25 billion to
Abbott Laboratories.
Short sellers like Muddy Waters make bets that stock prices
will fall, selling borrowed shares so they can buy them at a
lower price and profit from the difference.
The defendants said that St. Jude's lawsuit is without
merit, reiterating their prior claim that St. Jude's heart
devices have "significant security vulnerabilities."
"Muddy Waters' and MedSec's statements regarding security
issues in the St. Jude Medical implant ecosystem were, by and
large, accurate," Bishop Fox Partner Carl Livitt said in the
report.
The report said the wireless communications in St. Jude
cardiac devices are vulnerable to hacking, making it possible
for hackers to convert the company's Merlin@home patient
monitoring devices into "weapons" that can cause cardiac
implants to stop providing care and deliver shocks to patients.
Bishop Fox said it conducted successful test attacks from 10
feet (3 meters) away, but that the range might be extended to as
far as 100 feet (30 meters) with an antenna and a specialized
device known as a software defined radio.
The report said Bishop Fox confirmed that several different
types of hacks were possible. In one instance, it said, a hacker
could remotely turn off the therapeutic functions of an
implantable cardioverter defibrillator (ICD), then send a T-wave
shock to a patient's heart, causing ventricular fibrillation,
would could lead to cardiac arrest.
Bishop Fox said its clients include Fortune 500 firms,
global financial firms, medical institutions and law firms.
Shares in St. Jude were little changed in afternoon trading.
(Reporting by Jim Finkle; Editing by Will Dunham)