St Jude releases cyber updates for heart devices after US probe

  • TECH
  • Tuesday, 10 Jan 2017

The ticker and trading information for St. Jude Medical is displayed where the stock is traded on the floor of the New York Stock Exchange (NYSE) in New York City, U.S., April 28, 2016. REUTERS/Brendan McDermid/File Photo

Abbott Laboratories moved to protect patients with its St Jude heart implants against possible cyberattacks, releasing a software patch on Jan 9 that the firm said will reduce the "extremely low" chance of them being hacked. 

The company disclosed the moves some five months after the US government launched a probe into claims the devices were vulnerable to potentially life-threatening hacks that could cause implanted devices to pace at potentially dangerous rates or cause them to fail by draining their batteries. 

The Food and Drug Administration and the Department of Homeland Security said that St Jude's software update addresses some, but not all, known cyber security problems in its heart devices. 

The patch that Abbott began pushing out to patients on Jan 9 addresses vulnerabilities that present the greatest risk to patients and prevent hackers from accessing the device, said FDA spokeswoman Angela Stark. 

"The patch is intended to reduce the risk of unauthorised individuals exploiting the vulnerability and support patient safety," she said. "The FDA has maintained this focus on addressing patient safety first and foremost throughout its investigation." 

A Department of Homeland Security spokesman said he had no immediate comment on the remaining problems. 

St Jude spokeswoman Candace Steele Flippin declined to identify specific problems, but said: "The cybersecurity landscape is evolving. St Jude Medical has worked with, and continues to work with, the FDA and DHS to update and improve the security of our technology." 

MedSec chief executive Justine Bone said in a statement that "a multitude of severe vulnerabilities" were not fixed in the security update. 

They include the ability to issue an unauthorized command to a cardiac implant from a device other than St Jude's Merlin@Home device, Bone said. 

Monday marked the first time that the FDA and DHS had confirmed that St Jude devices were vulnerable to hacking. They said they knew of no cyber attacks on patients with the company's cardiac implants. 

The FDA said that the benefits of continuing treatment outweighed cyber risks. DHS said only an attacker "with high skill" could exploit the vulnerability. 

They launched the probe in August after short-selling firm Muddy Waters and cyber security firm MedSec Holdings said the devices were riddled with security flaws that made them vulnerable to potentially life-threatening hacks. 

When Muddy Waters went public with the claims, it also disclosed it was shorting St Jude Medical, which was preparing to sell itself to Abbott. 

The short-selling firm said it believed that disclosure of the vulnerabilities could cause the US$25bil (RM111.86bil) deal to fall apart, but Abbott last week completed its acquisition of St Jude, one of the world's biggest makers of implantable cardiac devices. 

Muddy Waters founder Carson Block said he felt the release of the software patch "effectively vindicates" the research produced by his firm and MedSec. 

As St Jude announced the security patch, it declined comment on a lawsuit it filed against Muddy Waters and MedSec in September. It accused them of perpetrating a "wilful and malicious scheme to manipulate the securities markets for their own financial windfall." 

MedSec said St Jude has not dropped the lawsuit. — Reuters

Article type: metered
User Type: anonymous web
User Status:
Campaign ID: 1
Cxense type: free
User access status: 3

Next In Tech News

Apple backs wide emissions disclosure rules from U.S regulators
Deployment of EU electric vehicle charging stations too slow, auditors say
Factbox: Grab, Southeast Asia's biggest startup, set for bumper U.S. listing
Factbox: What to know about Facebook's content oversight board
Xilinx, Mavenir partner to boost open 5G network capacity
German regulator acts to halt 'illegal' WhatsApp data collection
'Fortnite' maker Epic Games gets $28.7 billion valuation in latest funding
AI chip maker SambaNova raises $676 million, valued at over $5 billion
Exclusive: Italy to spend 60% more of EU funds on better broadband, sources say
Facebook oversight board widens scope to rule on content left up on platform

Stories You'll Enjoy