Profits Over Patients

Is your heart hackable?

Some implantable medical devices, such as pacemakers, defibrillators and resynchronization devices, can be hacked for malicious intent. If you have an implanted device made by St. Jude Medical and use the Merlin@home transmitter, this is for you.

In early January 2017, both the Food & Drug Administration and the Department of Homeland Security issued warnings about the implanted devices made by St. Jude Medical.

At the same time, St. Jude introduced a software patch to rectify the problem, while we warned that this patch fixed only one of the most serious vulnerabilities.

In early February 2017, the Department of Homeland Security validated our analysis and issued a second warning about St. Jude Medical implants. In this notice, St. Jude Medical (now part of Abbott Laboratories) acknowledged that more models of the company’s implantable cardiac devices are subject to cyber security threats than it had previously disclosed. This development supports our ongoing claim that St. Jude Medical and Abbott have not recognized or addressed all of the devices’ major vulnerabilities, and raises questions about best practices for disclosure and patient safety.

We continue to believe that there are cyber security vulnerabilities in St. Jude Medical’s Merlin@home transmitter that, if exploited, could allow an unauthorized user to remotely access a patient’s implanted cardiac device.

Here’s what the FDA said:

"The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks." - FDA, January 9, 2017

The Department of Homeland Security issued the following warning:

"Successful exploitation of this vulnerability may allow a remote attacker to access or influence communications between Merlin.net and transmitter endpoints." - DHS ICS-CERT, January 9, 2017

Do you know if your St. Jude pacemaker is safe?

In our view, the announced fixes do not appear to address the larger problems, including the existence of a universal code that could allow hackers to control the implants.

If you have a St. Jude implantable cardiac device contact your doctor, cardiologist and/or primary care giver to find out if you are at risk.

For more information:

See the FDA's safety communications for St. Jude implantable devices:
http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm535843.htm

Or contact the FDA directly:
Toll Free: (800) 638-2041
Local: (301) 796-7100
Email: [email protected]

See the Department of Homeland Security's ICS-CERT advisory:
https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01

Or contact the DHS - ICS-CERT directly:
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900
Email: [email protected]


St. Jude + Abbott

The St. Jude Medical and Abbott Laboratories Acquisition Timeline

  • April 28, 2016: Abbott Laboratories announces its agreement to acquire St. Jude Medical for about $25 billion.
  • August 26, 2016: Muddy Waters Capital, in conjunction with MedSec, warns about the cyber security weaknesses of St. Jude’s pacemakers.
  • August 26, 2016: St. Jude, which is in the midst of selling itself to Abbott Laboratories, vehemently denies the reports. “Based on available information, we conclude that the report is false and misleading.”
  • September 7, 2016: St. Jude Medical sues Muddy Waters and MedSec for defamation. St. Jude says the allegations are false and claims that Muddy Waters and MedSec are “intentionally disseminating false information”. St. Jude reiterates that the company “stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”
  • October 24, 2016: Muddy Waters and MedSec respond to the St. Jude complaint, defending their research and First Amendment rights. The response also includes expert opinion from Bishop Fox, a cyber security consulting firm, that validates many of the serious concerns brought forward by Muddy Waters and MedSec. Bishop Fox concludes that the security of St. Jude’s “implantable cardiac device ecosystem . . . do not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients.” Furthermore: “The wireless protocol used for communication amongst St. Jude Medical cardiac devices has serious security vulnerabilities that make it possible to convert Merlin@home devices into weapons capable of disabling therapeutic care . . .”
  • January 4, 2017: Abbott Laboratories closes its acquisition of St. Jude Medical for about $25 billion.
  • January 9, 2017: The Food & Drug Administration and the Department of Homeland Security confirm Muddy Waters’ and MedSec’s findings and issue alerts about the implanted devices made by St. Jude Medical. Simultaneously, in connection with the government’s conclusion, St. Jude acknowledges weaknesses in the Merlin@home system and issues a software patch to address the cyber security risks.
  • January 9, 2017: Muddy Waters says that the announced fixes do not appear to address the larger problems, including the existence of a universal code that could allow hackers to control the implants.
  • January 9, 2017: Matthew Green, an assistant professor of computer science at Johns Hopkins University and a part of the Bishop Fox team, called one vulnerability "probably the most impactful vulnerability I've ever seen."
  • February 7, 2017: The Department of Homeland Security updates its cyber security alert with respect to St. Jude Medical’s pacemakers and defibrillators. In sum, St. Jude (now part of Abbott Labs) acknowledges that more models of implantable medical devices than previously disclosed are subject to cyber security threats.

After the merger closed:

  • The Chairman of St. Jude Medical stood to take home more than $500 million.
  • The Chief Executive Officer of St. Jude Medical stood to take home $35 million.

Cyber Security Research

  • Shock-on-T
  • Emergency Shock
  • Vibrate
  • Disable Tachy


About Our Research

Q: Why did Muddy Waters and MedSec depart from standard cyber security disclosure protocol with respect to their research on St. Jude Medical?

A: Muddy Waters and MedSec were alarmed by the risks posed by flaws in St. Jude’s medical devices. Muddy Waters and MedSec did not believe St. Jude would take action to remediate the problems. For those reasons, they decided to bring the issue to the public’s attention to ensure that St. Jude Medical responded appropriately and with urgency.


Background

Muddy Waters worked with MedSec, a cyber-security research company formed exclusively to serve the health care industry, to analyze and form its opinion on St. Jude Medical and the company’s implantable cardiac devices.

MedSec had contacted Muddy Waters after largely completing an 18-month cyber security assessment of major manufacturers’ pacemakers and defibrillators. MedSec’s research revealed vulnerabilities in St. Jude Medical’s Merlin@home transmitter that, if exploited, could allow an unauthorized user remote access to a patient’s implanted cardiac device. Once St. Jude filed its lawsuit, Muddy Waters brought in independent cyber-security experts to review the findings.

While vulnerabilities were discovered in implantable cardiac devices from a number of manufacturers, the risks posed by St. Jude Medical devices were by far the most concerning, because St. Jude Medical devices, unlike the devices of other manufacturers, relied on wireless transmissions.

MedSec and Muddy Waters believe that St. Jude Medical has known about cyber security problems in its products since at least 2013. Furthermore, in 2014, St. Jude’s cardiac devices were the subject of a Department of Homeland Security investigation into cybersecurity flaws. Yet, to the knowledge of Muddy Waters and MedSec, very little action was taken by the company.

For these reasons, MedSec and Muddy Waters decided to make the major conclusions of the cyber-security findings public; all sensitive and detailed information was stripped from the public report to protect consumers. This approach represents a departure from standard cyber security protocol but was deemed necessary in order to bring the public’s attention to the issue and ensure that St. Jude Medical responded appropriately and with urgency. 

Expert Report Largely Corroborates MW, MedSec


Copyright © 2023 Profits Over Patients, All Rights Reserved.