FDA joins investigation into security of St. Jude medical devices

St. Jude Medical kept up its defense of the security of its medical devices Friday, while the Food and Drug Administration confirmed that it has joined an investigation of claims that the devices can be hacked remotely.

An investment group called Muddy Waters Capital maintains that St. Jude Medical pacemakers and defibrillators are unusually vulnerable to remote computer hacking, which could disable the lifesaving machines.

Doctors and government regulators said it's still too early to know if the claims — covering hundreds of thousands of St. Jude devices — are true.

The FDA confirmed ­Friday that it is working with the Homeland Security ­Department on the investigation.

For the time being, doctors and regulators are largely rejecting the advice from Muddy Waters that patients' wireless communications be disabled.

"At the present time, patients should continue to use their devices as instructed and not change any implanted device. FDA will provide updates as we learn more. In the interim, if a patient has a question or concern they should talk with their doctor," FDA spokeswoman Andrea Fischer said in an e-mail ­Friday.

Trading in shares of Little Canada-based St. Jude Medical was halted for about 45 minutes Friday afternoon as the company published several pages of material seeking to rebut the claims in Muddy Waters' 34-page report. St. Jude shares quickly rose after the announcement, closing at $78.01. At that price, the stock was still down 5 percent since the release of the report midmorning Thursday.

MedSec Holdings is the private cybersecurity firm that alerted Muddy Waters to the alleged hacking vulnerabilities in St. Jude devices. Muddy Waters announced Thursday that it was shorting St. Jude stock — meaning that it would profit if St. Jude stock declined in price — while also revealing that St. Jude devices appeared to be more vulnerable to attacks than those of other ­manufacturers.

The critics say the security flaw involves a device called Merlin@home, which is designed to be able to read patient data from a pacemaker or defibrillator remotely in the home and transmit it to a doctor's office.

The firm said lax cybersecurity in St. Jude devices would allow a hacker to send commands to one of the company's pacemakers or defibrillators that would drain the battery or interfere with proper functioning. Muddy Waters also alleged that the vulnerabilities could allow a hacker to launch a "large scale" attack on St. Jude's large Merlin network, which connects to all the active @home machines.

MedSec and Muddy Waters took apart the devices and claimed that some seemed to contain "off the shelf" components. The hackers also reported finding that a lack of encryption of some data made the devices easier to compromise.

"One of the purposes of this report is unapologetically to single out STJ for what we see as its incompetence in, or indifference to, device security," the Muddy Waters report said, referring to St. Jude by its stock ticker symbol. "MedSec and Muddy Waters believe it is prudent from a security standpoint for STJ to disable the [wireless communications] capability of patients' implanted devices."

"This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report," St. Jude said. "The flawed test methodology … demonstrates fundamental lack of understanding of medical device technology."

St. Jude also noted that most of the observations in the report applied to older versions of Merlin@home devices, which had not been patched through its automated remote-upgrade system.

"We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes," the statement said.

Wells Fargo stock analyst Larry Biegelsen told investors in a note Friday that St. Jude's response seemed "compelling on the surface," but the highly technical dispute made it difficult to interpret the validity of the arguments.

St. Jude, a Fortune 500 company with $5.5 billion in revenue last year, is in the midst of being acquired by Abbott Laboratories in a $25 billion deal that is expected to close by the end of the year. Abbott has not commented on the Muddy Waters allegations. Bloomberg News reported that if the claims against St. Jude devices are proven, it could derail Abbott's plan to buy St. Jude or lead to a renegotiation of the deal.

"It does concern us, but we are not going to tell patients to turn off the wireless monitoring," said Dr. Henri Roukoz, an electrophysiologist at the University of Minnesota. "Currently, the risk does not outweigh the benefit of these systems. … But we are working on a backup plan if these allegations turn out to be true."

Dr. Hemal Nayak, a Chicago-based electrophysiologist and board member at MedSec, said he's consulting with patients about his recommendation to unplug their Merlin@home units until a full patch to the vulnerabilities is released. His recommendation is based on experiments he saw firsthand, but he said he doesn't blame other doctors who want to see more data or FDA guidance before making any changes.

In 2015, an international group of doctors penned a consensus report for the Heart Rhythm Society that recommended use of remote monitoring systems like Merlin@home because they can quickly detect and send alerts about problems with patient health or device functioning.

Although the Muddy Waters report used stark language to allege the risk to St. Jude heart devices, it acknowledged that the firm was "unaware of any imminent threat to patient safety." To date, no malicious cyberattack against an implanted medical device has been documented outside of controlled experiments and demonstrations.