On August 25, 2016, investment firm Muddy Waters Capital issued a report claiming that St. Jude Medical’s implantable cardiac devices are susceptible to cybersecurity attacks, allegedly putting more than 260,000 individuals in the U.S. at risk. St. Jude strongly rejected the report and disputed the alleged security risks of its devices.
The report claims that MedSec Holdings Ltd., a cybersecurity firm, was able to demonstrate two types of cyberattacks on St. Jude’s implantable cardiac devices. The first type of attack — a “crash” attack — enables a hacker to remotely disable cardiac devices and, in some cases, cause the cardiac device to pace at a dangerous rate. The second type of attack — a battery drain attack — remotely runs cardiac device batteries down to 3% of capacity within a 24-hour period. However, the report concludes that patients’ personal health information appears to be safe, stating that patient data is encrypted.
The report argues that the cybersecurity risks of the devices are due to security deficiencies in accessories to the implantable devices, including devices located in physician offices that display data from the implanted devices, the network that manages and transmits data, and the at-home device, which communicates with the implanted device via radio frequency within a 50-foot range. Exploiting some of the alleged deficiencies requires an attacker to have access to device accessory hardware or to be within 50 feet of the target(s).
FDA is keenly aware of the potential for cybersecurity attacks on medical devices. In January 2016, the agency issued Draft Guidance on Postmarket Management of Cybersecurity in Medical Devices. Additional information on FDA’s concerns and the Draft Guidance can be found here and here. In 2014, the Department of Homeland Security and FDA investigated suspected cybersecurity flaws in several types of medical devices and hospital equipment. It will be interesting to see what action those agencies take in this circumstance, or whether the Securities and Exchange Commission gets involved, particularly given the allegations of short-selling objectives associated with the report. Regardless, manufacturers of connected medical devices can expect heightened scrutiny of the security of their devices and components, both from government officials and from the public at large.