Outside research team questions St. Jude hacking claims

Recent claims about hackers being able to remotely shut down pacemakers and defibrillators from St. Jude Medical don't appear supported by evidence offered so far, an independent analysis has found.

The analysis by researchers at the University of Michigan on Tuesday came as St. Jude Medical Chief Executive Michael Rousseau addressed for the first time the allegations by short-selling firm Muddy Waters Capital LLC.

"We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices," Rousseau said in a news release Tuesday. "This behavior speaks volumes about the profit-seeking motives and integrity of these organizations."

The organizations — California-based Muddy Waters and MedSec Holdings, a private medical hacking firm registered in Florida — alleged last week that hundreds of thousands of lifesaving heart-rhythm devices made by St. Jude have "shocking" vulnerabilities to hacking because of lax security precautions by St. Jude.

Researchers at the University of Michigan's Archimedes Center for Medical Device Security said Tuesday that they have been able to reproduce the same error results in a St. Jude implantable defibrillator that Muddy Waters did, but the errors did not cause the device to malfunction. Rather, the error indicators documented by Muddy Waters are the same as what happens if the device isn't correctly equipped with lead wires.

"We haven't yet found any clinically relevant outcomes," said Kevin Fu, director of the Archimedes center. Fu is considered a pioneer in the med-tech cybersecurity realm for leading a team that documented hacking vulnerabilities in pacemakers back in 2008.

The ongoing analysis by the Michigan team did not give St. Jude — or the rest of the device industry — a clean bill of health, though. The analysis found only that Muddy Waters and MedSec have not produced conclusive evidence of one alleged vulnerability. Work on other claims, including St. Jude's defenses of its devices, is still ongoing at the independent lab.

"I think the take-home message is, we don't need a knee-jerk reaction. Security reports are going to come out all the time, and some will be quite serious," Fu said. "But with this first claim, we were surprised at how we came to a different conclusion."

The allegations against St. Jude devices come at a touchy time because the devicemaker is in the process of being acquired by Abbott Laboratories for about $25 billion. Abbott Labs spokeswoman Elissa Maurer said via e-mail Tuesday, "We continue to collaborate with St. Jude to advance the transaction."

Muddy Waters and St. Jude have been trading public barbs since Thursday, when the financial firm revealed that it was shorting the device maker's stock, which would allow it to profit if St. Jude loses value.

The firm opted to short St. Jude because the alleged vulnerabilities appeared to require a massive recall of devices that comprise a large slice of the Fortune 500 company's annual revenue.

St. Jude has steadfastly stood behind the security of its devices. Several physicians and the Food and Drug Administration have said they are not recommending patients make any changes while a government investigation of Muddy Waters' claims moves forward.

The unorthodox public feud between the device maker and the short-seller reached a new level Monday afternoon, when Muddy Waters published a shadowy internet video on Vimeo that purported to show a hacker compromising a St. Jude pacemaker using St. Jude-branded wireless communications equipment and a laptop computer.

On Tuesday, St. Jude responded that the pacemaker in the video is actually doing what the manufacturer intended — and the fact that Muddy Waters didn't know that shows the firm's "fundamental lack of understanding" of St. Jude devices.

"The video clearly shows a security feature, not a flaw," St. Jude Medical Chief Technology Officer Phil Ebeling said in a news release.

The pacemaker in Muddy Waters' video appears to go into a "safe mode" after three hours of computer hacking, Ebeling said. St. Jude pacemakers have a "radio frequency telemetry lockout" security feature that puts the device into safe mode in the event of an attack. The devices are designed to go into safe mode to ensure they will continue to work if under attack.

St. Jude stock gained 38 cents on Tuesday, closing at $78.63. The stock is down 4 percent since Thursday.

Joe Carlson • 612-673-4779