Slashdot Mirror


The Big Short: Security Flaws Fuel Bet Against St. Jude (securityledger.com)

chicksdaddy writes: "Call it The Big Short -- or maybe just the medical device industry's 'Shot Heard Round The World': a report from Muddy Waters Research recommends that its readers bet against (or 'short') St. Jude Medical after learning of serious security vulnerabilities in a range of the company's implantable cardiac devices," The Security Ledger reports. "The Muddy Waters report on St. Jude's set off a steep sell off in St. Jude Medical's stock, which finished the day down 5%, helping to push down medical stocks overall. The report cites the 'strong possibility that close to half of STJ's revenue is about to disappear for approximately two years' as a result of 'product safety' issues stemming from remotely exploitable vulnerabilities in STJ's pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude's Merlin at home remote patient management platform, said Muddy Waters. The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude's ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed. In an e-mail statement to Security Ledger, St. Jude's Chief Technology Officer, Phil Ebeling, called the allegations 'absolutely untrue.' 'There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin at home and on all our devices,' Ebeling said."

More controversial: MedSec CEO Justine Bone acknowledged in an interview with Bloomberg that her company did not first reach out to St. Jude to provide them with information on the security holes before working with Muddy Waters. Information security experts who have worked with the medical device industry to improve security expressed confusion and dismay. "If safety was the goal then I think (MedSec's) execution was poor," said Joshua Corman of The Atlantic Institute and I Am The Cavalry. "And if profit was the goal it may come at the cost of safety. It seems like a high stakes game that people may live to regret."

4 of 81 comments

  1. 5%? by 110010001000 · · Score: 4, Insightful

    Lots of stocks go down 5% in one day, especially medical stocks. Hardly steep.

    1. Re:5%? by Dorianny · · Score: 3, Insightful

      A voluntary or an FDA-ordered full recall is unlikely, or you would have seen the stock price come crashing down and trading halted. Device security is just not taken seriously in the industry. Practically the only invulnerable devices are the ones with network-stack implementations so broken as to render networking functions pretty useless. The industry benefits from there not being any cases of harm to patients. Few people outside of research would target medical devices given the risk of causing physical harm to innocent people. Of course this could change in an instant were someone to off their rich uncle for the inheritance by hacking into his pacemaker. The scandal would cause a tsunami that would come crashing down on the biotech industry.

    2. Re:5%? by whoever57 · · Score: 5, Insightful

      Lots of stocks go down 5% in one day, especially medical stocks. Hardly steep.

      Yes, it's a shame it didn't go down more. Until lack of security affects the bottom line, companies won't make secure devices.

      --
      The real "Libtards" are the Libertarians!
  2. What? by Anonymous Coward · · Score: 2, Insightful

    Reading that made my head hurt.