St. Jude Medical yesterday filed a lawsuit alleging that investment research firm Muddy Waters and healthcare security research company Med Sec made false claims in a report focused on the security of St. Jude products.
The report released Aug. 25 warned of potentially catastrophic cybersecurity vulnerabilities in St. Jude pacemakers, defibrillators and other medical devices. The research was conducted by Med Sec as part of an 18-month study on medical device security. The controversial twist to this story is Med Sec’s disclosure to Muddy Waters rather than to the device manufacturer, and Muddy Waters taking a short position on St. Jude stock.
Over-arching the entire saga is that Abbott Labs, a global healthcare company, is in the process of acquiring St. Jude Medical for $25 billion. It is unknown whether the report or lawsuit will impact the acquisition. What is known is that Muddy Waters and Med Sec stand to profit from the shorting of St. Jude stock.
Med Sec CEO and longtime security researcher and officer Justine Bone told Bloomberg that her company’s decision to disclose to Muddy Waters was an attempt to publicly nudge St. Jude into addressing the still-undisclosed vulnerabilities in its life-saving cardiac equipment. The potential for profiting from Muddy Waters’ shorting of the stock, Bone said, is an attempt to recoup its costs for conducting the research.
The lawsuit names Muddy Waters, Med Sec and three unnamed individual executives at each firm and alleges that the report makes not only false statements, but is also an attempt to manipulate public stock markets.
St. Jude has from the beginning denied the claims made by Muddy Waters in its report.
“The allegations are absolutely untrue,” St. Jude CTO Philip Ebeling said in a statement. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts with specifically Merlin@Home and all our devices.”
The suit, filed in the U.S. District Court for the District of Minnesota, claims that the report was an intentional attempt to affect St. Jude’s stock price; St. Jude was trading at $79.44 a share today and dipped more than $3 a share upon the release of the report.
The report and the shorting of the stock have been polarizing topics in the two weeks since the report was released. In her interview with Bloomberg, Bone cited a long history of lax cybersecurity protections in St. Jude's products. In 2014, the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) launched an investigation into the security of St. Jude's cardiac devices, a year after security researchers had approached the company with a rash of vulnerabilities, Bone said.
The tack taken by Muddy Waters and Med Sec also runs counter to more than a decade of debate and work on developing vulnerability disclosure guidelines that white hat researchers and affected technology vendors can follow. Companies have gone to great lengths to establish processes by which researchers can safely report bugs and have them remediated. Bug bounties are the new norm as well, with many technology companies building out private and public programs that allow researchers to coordinate the reporting of bugs and receive rewards for their work. At the recent Black Hat conference, for example, Apple announced the start of a private bug bounty for iOS with six-figure payouts for the most critical bugs.
“We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St. Jude Medical into action,” Bone said in a statement last week.
Researchers, meanwhile, seem split on the repercussions of this situation, whether it will kick off a rash of such for-profit disclosures, and whether it represents questionable ethics.
“This type of disclosure puts profits before safety and that rarely ends well,” said researcher Troy Hunt, interviewed by Threatpost last week.
Others, however, side with the consumer, in this case the patient who depends on a pacemaker that may be insecure.
“We’ve all seen how consumer products are often designed and built in insecure ways, and let’s face it, there has been virtually no improvement unless there’s a major financial or reputational impact in doing so,” said Chris Eng, vice president of research at Veracode, who was also interviewed by Threatpost last week.