Claims of St. Jude device hack risk may affect Abbott acquisition
Carson Block, the renowned short-seller and founder of research firm Muddy Waters LLC, has taken a short position in St. Jude Medical Inc., denouncing the security of its cardiac devices in an effort that could derail the company's purchase by Libertyville Township-based Abbott Laboratories.
In a report to investors, Block warned that tens of thousands of Americans are living with ticking time bombs: St. Jude pacemakers and defibrillators that are easily compromised, causing potentially fatal disruptions.
"The allegations are absolutely untrue," said Phil Ebeling, St. Jude's chief technology officer. "There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices."
If proven, Block's claims could derail Abbott's plan to buy St. Jude or lead Abbott to renegotiate the deal. This could cause St. Jude shares to fall more than the 5 percent they declined in New York Thursday. The stock closed at $77.82, well below the original value of the deal, approximately $85 per share.
Abbott declined to comment, company spokesman Scott Stoffel said in an email.
Many in the technology and medical communities say the risk of such hacks is remote at best. But Block, no stranger to drawn-out corporate feuds, says in a 33-page report that St. Jude's deficiencies are so great - and stand in such sharp contrast to offerings from rivals including Medtronic Plc - that its equipment should be recalled and sales of the devices that account for 45 percent of St. Jude's revenue should be halted until the problem is fixed. That could take years.
"The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction," Block said in an interview with Bloomberg Television. St. Jude "should stop selling these devices until it has developed a new secure communication protocol."
Muddy Waters became aware of the potential flaws after a startup cybersecurity company, Miami-based MedSec Holdings Inc., approached the short-selling firm three months ago. The hackers had been working for more than a year, ferreting out security flaws in medical devices made by four leading companies. One stood out from the rest: St. Jude's products had an "astounding" level of problems, including lack of encryption and authentication between devices, which could allow hackers to tap into implanted devices, said MedSec Chief Executive Officer Justine Bone, herself an experienced hacker.
Bone said her company's compensation is tied to the success of Block's trade, an arrangement she knows will lead to some criticism. But Bone said partnering with Block was the most powerful way to inflict pain on St. Jude for what she called its "negligent level of attention to cybersecurity."
While Block has seized on this attention-grabbing issue, the actual risk of hacking attacks against St. Jude patients is mostly theoretical, other cybersecurity experts say. Most hacks are criminal in nature, driven by profit motive. There have been no publicly documented cases of medical devices being hacked to cause patient harm.
The lack of a clear business model for making money from hacking medical devices suggests the types of mass attacks that plague personal computers are unlikely, said Billy Rios, a top medical-device hacker.
The U.S. Food and Drug Administration declined to comment specifically on St. Jude's devices, spokeswoman Andrea Fischer said in an email. The agency did say that it requires companies to be vigilant and correct vulnerabilities in a proactive manner, that it has taken action to ensure the safety of medical devices and that it will continue to work collaboratively with the industry, cybersecurity experts and others to protect public health.
Muddy Waters commands respect in the marketplace, given Block's record when going on the offensive. He first came to fame five years ago with a series of successful short-selling campaigns against Chinese companies listed in North America. The biggest was Sino-Forest Corp., the Hong Kong-based tree grower whose market value went from more than $6 billion to nothing after Muddy Waters questioned its accounting.
At times, Block, 40, has been among a small group of short sellers whose name alone on a report was enough to sink shares. But his wins have been fewer in recent years. Efforts to drive down a Singapore commodity trader, Olam International Ltd., blew up when a state-owned investment firm took control of the company. American Tower Corp., a Boston-based operator of cellphone antennas, has rallied 55 percent since Block announced a campaign in July 2013.
The fear of hacking medical devices, moreover, is nothing new. Former U.S. Vice President Dick Cheney famously had the Wi-Fi on his pacemaker turned off in 2007 precisely to prevent such an attack. The medical-device industry has been on notice since 2008 about these kinds of hacking risks, when academics from the University of Washington, University of Massachusetts and Harvard Medical School published a study showing that a popular type of pacemaker and defibrillator could be remotely reprogrammed to deliver deadly shocks. Since then, there have been a slew of reports about dangers in other products, from insulin pumps to hospital monitors to surgical equipment.
The Muddy Waters report comes at a delicate time for St. Jude, which is being acquired by Abbott for $25 billion. The offer swelled the St. Paul, Minnesota-based company's stock price by about 25 percent when it was announced on April 28. St. Jude shareholders are slated to receive $46.75 in cash and 0.8708 share of Abbott common stock, representing about $85 per St. Jude share, by the end of the year.
MedSec's Bone is a well-connected researcher and security executive who previously worked in risk management at companies including Bloomberg LP, the parent company of Bloomberg News. MedSec was founded in 2015 by Robert Bryan, a former portfolio manager at the Metaval Capital hedge fund whose career also included stints at Cyrus Capital and Goldman Sachs.
At issue is the remote home-monitoring equipment that is standard with pacemakers, which are used to help the heart beat at a healthy rate. Defibrillators that shock a quivering heart back into a normal rhythm and cardiac-resynchronization devices that coordinate the electrical pulses that run through the heart's chambers also rely on remote monitoring.
St. Jude's system, known as Merlin@home, has almost no security systems in place, according to the report from Muddy Waters and MedSec. It runs on outdated Linux software systems that use chips that can be purchased off-the-shelf, while its three rivals use proprietary or modified equipment, Block said.
"Nobody is close to being this bad," Block said, estimating that anyone with the skill level of a "bored teenager" could break into the home device.
The security flaws leave the lifesaving devices vulnerable to attacks that could wipe them out, cause them to malfunction or drain their batteries. This would mean patients have no protection if their heart gives out, according to the Muddy Waters report. The flaws and the experimental attacks MedSec carried out involved equipment that was in proximity, within a 50-foot radius.
Other work by the company indicated that hackers could, in theory, break into the equipment via the wireless lines of communication between the bedside transmitter and the St. Jude servers, allowing an attack that could be launched from much further afield.
MedSec's analysis of the St. Jude pacemakers found the devices so poorly protected that Muddy Waters determined the flaws amount to "likely gross negligence on the part of St. Jude over many years," Block said in the Bloomberg Television interview.
MedSec testers came to Muddy Waters because, Block said, if they had gone directly to the medical device maker, "St. Jude would sweep this under the rug. They felt that it's very important for users of these devices, for patients, to know about the risks. Our assessment, as well as that of MedSec, is that for a number of years St. Jude in this realm has been putting profits before patients."