Q: Why did Muddy Waters and MedSec depart from standard cyber security disclosure protocol with respect to their research on St. Jude Medical?
A: Muddy Waters and MedSec were alarmed by the risks posed by flaws in St. Jude’s medical devices and did not believe St. Jude would take action to remediate the problems. For those reasons, they decided to bring the issue to the public’s attention to ensure that St. Jude Medical responded appropriately and with urgency.
Muddy Waters worked with MedSec, a cyber security research company formed exclusively to serve the health care industry, to analyze and form its opinion on St. Jude Medical and the company’s implantable cardiac devices.
MedSec had contacted Muddy Waters after largely completing an 18-month cyber security assessment of major manufacturers’ pacemakers and defibrillators. MedSec’s research revealed vulnerabilities in St. Jude Medical’s Merlin@home transmitter that, if exploited, could allow an unauthorized user remote access to a patient’s implanted cardiac device. Once St. Jude filed its lawsuit, Muddy Waters brought in independent cyber security experts to review the findings.
While vulnerabilities were discovered in implantable cardiac devices from a number of manufacturers, the risks posed by St. Jude Medical devices were by far the most concerning, because St. Jude Medical devices, unlike the devices of other manufacturers, relied on wireless transmissions.
MedSec and Muddy Waters believe that St. Jude Medical has known about cyber security problems in its products since at least 2013. Furthermore, in 2014, St. Jude’s cardiac devices were the subject of a Department of Homeland Security investigation into cyber security flaws. Yet, to the knowledge of Muddy Waters and MedSec, very little action was taken by the company.
For these reasons, MedSec and Muddy Waters decided to make the major conclusions of the cyber security findings public; all sensitive and detailed information was stripped from the public report to protect consumers. This approach represents a departure from standard cyber security disclosure protocol, but it was deemed necessary in order to bring the public’s attention to the issue and ensure that St. Jude Medical responded appropriately and with urgency.