The U.S. government has entered into the St. Jude-MedSec-Muddy Waters fray with an investigation into claims St. Jude medical devices are vulnerable to cyberattacks.

The Food and Drug Administration and Department of Homeland Security also apparently disapprove of the approach taken by MedSec and Muddy Waters to short St. Jude stock rather than privately disclose vulnerabilities in the medical device manufacturer’s pacemakers and defibrillators. The FDA, in a statement to Threatpost, said its draft guidance on postmarket medical device cybersecurity encourages researchers to coordinate disclosure with device makers on the identification, assessment and remediation of vulnerabilities.

“This collaborative information sharing, disclosure and risk assessment enables all stakeholders to better address device safety,” the FDA said.

Muddy Waters, an investment research firm, published a report Aug. 25 warning of potentially catastrophic cybersecurity vulnerabilities in St. Jude pacemakers, defibrillators and other medical devices. The research was conducted by MedSec as part of an 18-month study on medical device security. The controversial twist to this story is MedSec’s disclosure to Muddy Waters rather than to the device manufacturer, and Muddy Waters taking a short position on St. Jude stock.

Med Sec CEO and longtime security researcher Justine Bone said that part of her company’s decision to enter into this arrangement with Muddy Waters to short the stock was an attempt to recoup costs associate with the research.

St. Jude has since filed a lawsuit in a Minnesota court alleging that the report makes false claims about the security of its devices and is an attempt to manipulate their securities markets for what it says is an illegal windfall. The device maker is the middle of a $25 billion acquisition by Abbott Labs; it’s unknown whether the report and lawsuit will impact the acquisition.

In its report, Muddy Waters said it expected close to half of St. Jude revenue to disappear for two years based on the investment it would have to make to remediate the vulnerabilities and replace devices already in use.

“Thus, Defendants specifically intended to drive down the price of St. Jude’s stock, which they had previously sold short,” St. Jude said in its filing last week. “This insidious scheme to try to frighten and confuse patients and doctors by publicly disseminating false and unsubstantiated information in order to gain a financial windfall and thereby cause investors to panic and drive the St. Jude stock price down must be stopped and Defendants must be held accountable so that such activity will not be incentivized and repeated in the future.”

St. Jude named Muddy Waters and its founder Carson Block, MedSec Holdings Ltd., Bone and MedSec advisor Dr. Hemal M. Nayak as defendants in the suit. St. Jude stock, meanwhile, was trading at $78.86, down about $3 from its price on Aug. 24 before publication of the report.

The nature of the vulnerabilities discovered by MedSec have not been made public; the FDA told Threatpost it was aware of the allegations and concerns made in the report, and was investigating.

“At the present time, patients should continue to use their devices as instructed and not change any implanted device,” the FDA said. “The FDA will provide updates as we learn more. In the interim, if a patient has a question or concern they should talk with their doctor.”

The FDA also stood by its recommendation that researchers work directly with device manufacturers and DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

“In managing cybersecurity threats, the FDA encourages manufacturers to stay vigilant and correct vulnerabilities with their products in a proactive manner,” the FDA said. “In addition, the FDA has and continues to coordinate among device manufacturers, other government agencies, health care delivery organizations and security researchers to detect and fix vulnerabilities before they can seriously impact public health.”

Categories: Government, Vulnerabilities