Recent claims that hackers can remotely shut down pacemakers and defibrillators from St. Jude Medical don't appear to be supported by the evidence offered so far, an independent analysis has found.
The analysis by researchers at the University of Michigan on Tuesday came as St. Jude Medical Chief Executive Michael Rousseau addressed for the first time the allegations by short-selling firm Muddy Waters Capital LLC.
"We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices," Rousseau said in a news release Tuesday. "This behavior speaks volumes about the profit-seeking motives and integrity of these organizations."
The organizations — California-based Muddy Waters and MedSec Holdings, a private medical hacking firm registered in Florida — alleged last week that hundreds of thousands of lifesaving heart-rhythm devices made by St. Jude have "shocking" vulnerabilities to hacking because of lax security precautions by St. Jude.
Researchers at the University of Michigan's Archimedes Center for Medical Device Security said Tuesday that they have been able to reproduce, in a St. Jude implantable defibrillator, the same error results that Muddy Waters did, but the errors did not cause the device to malfunction. Rather, the error indicators documented by Muddy Waters are the same as what happens if the device isn't correctly equipped with lead wires.
"We haven't yet found any clinically relevant outcomes," said Kevin Fu, director of the Archimedes center. Fu is considered a pioneer in the med-tech cybersecurity realm for leading a team that documented hacking vulnerabilities in pacemakers back in 2008.
The ongoing analysis by the Michigan team did not give St. Jude — or the rest of the device industry — a clean bill of health, though. The analysis found only that Muddy Waters and MedSec have not produced conclusive evidence of one alleged vulnerability. Work on other claims, including St. Jude's defenses of its devices, is still ongoing at the independent lab.
"I think the take-home message is, we don't need a knee-jerk reaction. Security reports are going to come out all the time, and some will be quite serious," Fu said. "But with this first claim, we were surprised at how we came to a different conclusion."