Preview Newsletter

9/21

    National Coverage

  1. Carson Block's Attack on St. Jude Reveals a New Front in Hacking for Profit

    Aug 25, 2016 | Bloomberg

    By Jordan Robertson and Michael Riley

    When a team of hackers discovered that St. Jude Medical Inc.’s pacemakers and defibrillators had security vulnerabilities that could put lives at risk, they didn’t warn St. Jude. Instead, the hackers, who work for cybersecurity startup MedSec, e-mailed Carson Block, who runs the Muddy Waters Capital LLC investment firm, in May. They had a money-making proposal.
  2. Whiplashed investors stay skittish about St. Jude

    Aug 26, 2016 | Reuters

    By Lauren Hirsch and Carl O'Donnell

    One day after a short seller claimed that St. Jude Medical Inc's heart implants are vulnerable to deadly cyber attacks, investors appear most concerned about whether the accusation will derail St. Jude's $24 billion planned deal for Abbott Labs to buy it. St. Jude's stock at one point fell around 3 percent on Friday, though it ended the day slightly up, following a drop of around 5 percent on Thursday after Muddy Waters Capital leveled the accusation against St. Jude. The stock continues to trade well below its price on Wednesday of around $82 per share.
  3. St. Jude Denies Report Its Heart Devices Are Vulnerable to Cyberattacks

    Aug 26, 2016 | Wall Street Journal

    By Ezequiel Minaya

    St. Jude Medical Inc. on Friday denied allegations made by a research firm that its pacemakers and other heart devices were vulnerable to hacking and other cybersecurity threats.
  4. Abbott’s No Good, Very Bad M&A Week

    Aug 26, 2016 | New York Times

    By Leslie Picker

    Abbott Laboratories has announced two large acquisitions over the last year. In recent days, both deals have become major land mines. In January, it unveiled a $5.8 billion acquisition of Alere, which makes medical tests. Alere has been subjected to a series of regulatory inquiries over foreign sales practices, which caused its annual financial report to be delayed. Even though some of those investigations were known before the deal was signed, Abbott has since appeared to have buyer’s remorse.
  5. The hacking world has made other moves toward what some critics have viewed as risky disclosures in areas that involve physical safety. Last year two well-known researchers manipulated critical systems on a Jeep Cherokee with a journalist behind the wheel

    Aug 26, 2016 | CNBC

    By Michelle Fox

    Shares of St. Jude Medical could drop sharply if the takeover of the company by Abbott Laboratories falls apart, Carson Block of Muddy Waters Capital told CNBC on Friday.
  6. Unusual stock move shakes up cyber community

    Aug 26, 2016 | The Hill

    By Joe Uchill

    An investment firm’s use of medical device security research has alarmed many within the cybersecurity and healthcare fields, and excited others. Muddy Waters Capital announced on Thursday that it had sold stock in the medical technology firm St. Jude Medical based on vulnerabilities in MedSec’s cybersecurity. Cardiac devices make up nearly 50 percent of St. Jude’s business, and an interruption in their sales could drastically affect the company's stock price.
  7. Shares of St. Jude Medical resume trading, recover losses

    Aug 26, 2016 | CNBC

    By Christine Wang

    Shares of St. Jude Medical closed 0.2 percent higher, recovering earlier losses, after a temporary trading halt on Friday afternoon. The stock fell 2.5 percent in intraday trade before the halt.
  8. Claims of St. Jude device hack risk may affect Abbott acquisition

    Aug 26, 2016 | Bloomberg

    By Michelle Fay Cortez, Erik Schatzker, and Jordan Robertson

    Carson Block, the renowned short-seller and founder of research firm Muddy Waters LLC, has taken a short position in St. Jude Medical Inc., denouncing the security of its cardiac devices in an effort that could derail the company's purchase by Libertyville Township-based Abbott Laboratories. In a report to investors, Block warned that tens of thousands of Americans are living with ticking time bombs: St. Jude pacemakers and defibrillators that are easily compromised, causing potentially fatal disruptions.
  9. A cyber investigation with legs?

    Aug 26, 2016 | Politico

    By Arthur Allen

    SHORT-SIGHTED SHORT SALE? The big news in health IT Thursday occurred on Wall Street, where investor Muddy Waters announced that it was selling short shares of St. Jude Medical because of the lousy cybersecurity of the company’s medical devices. How lousy? Think “Homeland,” warmongering VPs with vulnerable pacemakers and the like.
  10. Muddy Waters claims device maker vulnerable to hackers

    Aug 26, 2016 | Financial Times

    By Hannah Huckler

    Muddy Waters, the hedge fund, on Thursday claimed that a pacemaker manufacturer’s life-saving devices are vulnerable to hackers, the first time a shortseller has publicly used alleged cyber security vulnerabilities to put pressure on a stock to fall.
  11. A New Hacker Money-Making Strategy: betting against insecure companies on Wall Street

    Sep 1, 2016 | Washington Post

    By Andrea Peterson

    For decades, there's been an unofficial truce between cybersecurity researchers and companies: When good guy hackers find a problem, they give companies a chance to fix it before going public. But a cybersecurity firm called MedSec just upended that truce.
    Trade Coverage

  13. UPDATE: St. Jude Medical denies short-seller’s accusations

    Aug 25, 2016 | Mass Device

    By Brad Perriello

    St. Jude Medical (NYSE:STJ) sharply rebutted allegations by a short-seller that nearly half of its cardiac rhythm management devices are extremely vulnerable to hackers. St. Jude Medical vehemently denied the charges, with their top R&D executive calling them “absolutely untrue.”
  14. St. Jude Medical (STJ) Mentioned as Short at Muddy Waters

    Aug 25, 2016 | StreetInsider

    St. Jude Medical (NYSE: STJ) was mentioned cautiously by short seller Muddy Waters Research. The report suggests that close to half of STJ’s revenue could disappear for approximately two years as the company's pacemakers, ICDs, and CRTs should be recalled amid cyberattack risk.
  15. Muddy Waters Spokesperson In An E-mail To Benzinga, Questions Independence Of University Of Michigan Study Regarding St. Jude Devices, Noting That They Are 'Platinum Members'

    Aug 26, 2016 | Benzinga

    By Javier Hasse

    U.S. stocks were mixed on Friday trading, with the S&P 500 and Dow indexes closing down, and the Nasdaq slightly up, as speculation around the timing of an interest rate hike mounted following comments from key Federal Reserve officials.
  16. Is St. Jude A Lost Cause?

    Aug 29, 2016 | Seeking Alpha

    By David Pinsen

    After Carson Block's short call against St. Jude Medical, the FT's Lex column took the other side, saying Abbott's pending acquisition of St. Jude provided a cushion for longs. Portfolio Armor's gauge of option market sentiment suggests that may not be the case. In most cases, stocks set to be acquired are extremely cheap to hedge. That wasn't the case for St. Jude Medical on Friday, as we show here.
  17. St. Jude Medical (STJ) Stock Lower, Refutes Allegations Made by Muddy Waters

    Aug 30, 2016 | TheStreet

    By Kaya Yurieff

    Shares of St. Jude Medical (STJ) were down late Tuesday morning even as the company issued another statement in response to Carson Block's research firm Muddy Waters that it will lose more than half of its revenue because of device recalls.
    Full Text of Stories Below

    National Coverage

  1. Carson Block's Attack on St. Jude Reveals a New Front in Hacking for Profit

    Aug 25, 2016 | Bloomberg

    By Jordan Robertson and Michael Riley

    When a team of hackers discovered that St. Jude Medical Inc.’s pacemakers and defibrillators had security vulnerabilities that could put lives at risk, they didn’t warn St. Jude. Instead, the hackers, who work for cybersecurity startup MedSec, e-mailed Carson Block, who runs the Muddy Waters Capital LLC investment firm, in May. They had a money-making proposal.

    MedSec suggested an unprecedented partnership: The hackers would provide data proving the medical devices were life-threatening, with Block taking a short position against St. Jude. The hackers’ fee for the information increases as the price of St. Jude’s shares falls, meaning both Muddy Waters and MedSec stand to profit. If the bet doesn’t work, and the shares don’t fall, MedSec could lose money, taking into account their upfront costs, including research. St. Jude’s shares declined 4.4 percent to $77.50 at 1:40 p.m. in New York with more than 25 million shares traded.

    In April, Abbott Laboratories announced a $25 billion acquisition of St. Jude, and the deal is expected to close by the end of the year. The information about the device vulnerabilities could put it in peril.

    MedSec said it found security failures including a lack of encryption and the ability for unauthorized devices to communicate with the pacemakers and defibrillators, which, MedSec claims, could allow anyone to tap into implanted devices and cause potentially fatal disruptions. As scary as it sounds, hacking risks to medical devices have been publicized for nearly a decade and the risk to patient safety is still mostly theoretical to hundreds of thousands of people with St. Jude devices. But cybercriminals have started compromising radiology equipment, blood gas analyzers and other machines inside hospitals and nursing homes to steal data for identity theft.

    "St. Jude Medical takes the security of devices and their data very seriously," Candace Steele Flippin, St. Jude’s vice president of external communications, said in a statement. "Protection of confidential patient and consumer information is a high priority for us, and we will remain vigilant to the ever-increasing sophistication of those seeking unlawful access to such data. St. Jude Medical has an ongoing program to perform security testing on our medical devices and networked equipment."

    Bringing this kind of information to an investment firm is highly unorthodox. For the last 20 years, professional cybersecurity researchers have used one of two well-worn methods to monetize bugs they find. The first is disclosing them to companies for free, or taking a small payment in the form of a "bug bounty." The bugs get fixed and companies credit the researchers publicly, which creates opportunities for conference talks that lead to jobs. But many companies don’t cooperate.

    The second way is to sell the information into the gray market of government agencies and cyber-weapons dealers, where good attack code can fetch hundreds of thousands of dollars. How they’re used is out of the researchers’ control.

    MedSec is taking a path that some frustrated security experts believe is the only way to create fundamental change: find a way to impose significant monetary penalties on companies it believes are negligent when it comes to protecting consumers. But the startup is doing so in ways that violate some of the most basic standards of ethical security research and in an industry where the stakes are especially high.

    The fundamental precept of that approach is to give the makers of digital devices and software a chance to fix flaws before cybercriminals and hackers employed by nation states can do damage with the new knowledge. MedSec Chief Executive Officer Justine Bone said St. Jude’s past record of ignoring warnings and the chance it could sue MedSec to keep it quiet precluded that approach. MedSec and Muddy Waters cited a 2014 Homeland Security investigation into St. Jude and other device makers’ cybersecurity, reported by Reuters, as a warning that could have been heeded.

    "We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing," said Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. "We partnered with Muddy Waters because they have a great history of holding large corporations accountable."

    "As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts," Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.

    The fact that it took months of research for her team to identify and exploit the technology’s precise flaws should allow enough time for that to happen. "We see no evidence of an immediate threat," Bone said.

    MedSec was founded in 2015 by Robert Bryan, a former portfolio manager at Metaval Capital LLC whose career also included stints at Cyrus Capital and Goldman Sachs. The Miami-based company advertises an array of services, from penetration tests against health-care companies’ corporate networks to secure software development for medical devices. Bone said that partnering with a short seller may be a one-time event.

    Conducting expensive research on medical devices has never been a lucrative pursuit. Bugs can’t be sold to anti-virus companies and device makers typically don’t employ large security staffs or hire high-paid consultants the way banks do. With the Muddy Waters deal, MedSec has created a path to a potentially large payday that circumvents those hurdles.

    The hacking world has made other moves toward what some critics have viewed as risky disclosures in areas that involve physical safety. Last year two well-known researchers manipulated critical systems on a Jeep Cherokee with a journalist behind the wheel, causing it to stop in traffic and triggering a recall of 1.4 million vehicles. But the combination of a potentially lethal vulnerability in medical technology with a bet on the device maker’s stock is an unprecedented event, one likely to raise tricky questions for judges and federal regulatory agencies, said Jacob Olcott, a vice president at BitSight Technologies, a Boston-based cybersecurity ratings firm.

    "This represents a watershed moment for cybersecurity disclosure and public markets and it raises fundamental issues that the SEC is going to have to spend more time and effort addressing," Olcott said. "But it’s pretty clear if security researchers think they have to work with a short seller to address the security posture of a major company, something is wrong."

    Block has a small window of time for his bet to pay off. He said in an interview with Bloomberg Television that in addition to the short trade against St. Jude he is also long Abbott Laboratories, a hedge if his thesis doesn’t play out as expected.

    MedSec and Muddy Waters said they are withholding key details of the vulnerabilities from the public but are alerting the U.S. Food and Drug Administration, which regulates medical devices, about the flaws. Bone said she is prepared for MedSec’s decision to generate criticism but argued that the old models of trying to pressure companies to make fixes don’t always work. "It’s time for some drastic action," she said.


  2. Whiplashed investors stay skittish about St. Jude

    Aug 26, 2016 | Reuters

    By Lauren Hirsch and Carl O'Donnell

    One day after a short seller claimed that St. Jude Medical Inc's heart implants are vulnerable to deadly cyber attacks, investors appear most concerned about whether the accusation will derail St. Jude's $24 billion planned deal for Abbott Labs to buy it.

    St. Jude's stock at one point fell around 3 percent on Friday, though it ended the day slightly up, following a drop of around 5 percent on Thursday after Muddy Waters Capital leveled the accusation against St. Jude. The stock continues to trade well below its price on Wednesday of around $82 per share.

    St. Jude called the allegations "false and misleading."

    St. Jude in April agreed to sell itself to Abbott, and the deal was widely considered a slam dunk before the cyber security concerns were raised.

    "It's hard to imagine that this could scuttle the deal," said one investor, who asked to remain anonymous because he wasn't authorized to speak with the press. "But there are a few paths that could lead to problems."

    Abbott could decide to back out of the St. Jude deal or push for a lower valuation "if they were to conclude remediation steps must be taken with St. Jude's technology," Jason Mills, an analyst at Canaccord Genuity, said in a note.

    One concern being voiced is that the U.S. Food and Drug Administration could demand a full-scale product recall, which in turn could trigger a "material adverse change" clause in St. Jude's merger agreement.

    That would give Abbott the ability to walk away from the deal, according to investors and analysts interviewed by Reuters.

    If the deal were called off due to an adverse event, St. Jude would probably fall below the approximately $60 per share that it was trading at before the Abbott deal was announced, investors said.

    A forced recall, though, is unlikely, according to Mills. The FDA issued its first guidance on managing cybersecurity in medical devices only eight months ago, and is still seen primarily as playing an advisory role in the area.

    The more likely solution to any concerns about cyber security would be a software update, which is relatively inexpensive, said another investor, who asked not to be named because he wasn't authorized to speak with the press. (Reporting by Carl O'Donnell in New York; Additional reporting by Mike Erman in New York; Editing by Eric Effron and James Dalgleish)


  3. St. Jude Denies Report Its Heart Devices Are Vulnerable to Cyberattacks

    Aug 26, 2016 | Wall Street Journal

    By Ezequiel Minaya

    St. Jude Medical Inc. on Friday denied allegations made by a research firm that its pacemakers and other heart devices were vulnerable to hacking and other cybersecurity threats.

    “St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” the company said Friday.

    The medical-device maker’s comments follow a report by Muddy Waters Capital LLC, which is known for shorting stocks, or betting that a company’s share price will fall. Muddy Waters has said it has a short position in St. Jude.

    In its report, Muddy Waters said it had seen demonstrations of cyberattacks against St. Jude devices, citing the work of cybersecurity startup MedSec. A call seeking a response from a Muddy Waters representative on St. Jude’s comments wasn’t immediately returned.

    After the release of the Muddy Waters report on Thursday, St. Jude’s stock slipped 5% and fell an additional 2.6% Friday before the medical-device maker issued its response.

    Following the St. Jude statement, the company’s stock ended the day at $78.01, up 19 cents from its close Thursday.

    “We conclude that the report is false and misleading,” St. Jude officials said.

    In its report, Muddy Waters claims that St. Jude’s heart devices, such as its defibrillators and pacemakers, are vulnerable to two types of cyberattacks: one in which the device’s system is “crashed” and a second in which the battery of the device is drained.

    Muddy Waters said that the vulnerable heart devices represented about 46% of St. Jude’s total 2015 revenue of $5.54 billion. The firm added that even without a recall of devices “the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients.”

    St. Jude, in its defense, said it has worked with various experts and regulators involved in cybersecurity to build safeguards into its devices. “The flawed test methodology on outdated software demonstrates fundamental lack of understanding of medical device technology,” St. Jude said of the Muddy Waters report.

    St. Jude also said Muddy Waters’s battery-draining claims amounted to exaggerations because an attack would require a hacker to be within 7 feet of a device for several days to have a chance to be successful.

    “In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients,” the company said.

    The St. Paul, Minn.,-based St. Jude is in the process of getting bought by Illinois-based Abbott Laboratories in a cash-and-stock deal valued at $25 billion. An Abbott representative was unavailable for comment Friday.


  4. Abbott’s No Good, Very Bad M&A Week

    Aug 26, 2016 | New York Times

    By Leslie Picker

    Abbott Laboratories has announced two large acquisitions over the last year. In recent days, both deals have become major land mines.

    In January, it unveiled a $5.8 billion acquisition of Alere, which makes medical tests. Alere has been subjected to a series of regulatory inquiries over foreign sales practices, which caused its annual financial report to be delayed. Even though some of those investigations were known before the deal was signed, Abbott has since appeared to have buyer’s remorse.

    When asked in a conference call in April if Abbott was committed to closing the deal with Alere, Miles D. White, Abbott’s chairman and chief executive, declined to comment. Alere later released a statement saying that Abbott had requested the two terminate their agreement, and that Alere had rejected that request.

    That month, Abbott agreed to purchase St. Jude Medical for $25 billion. This deal was seen as an opportunity for Abbott to propel its position in cardiovascular devices.

    But analysts became concerned with Abbott’s audacious plans for taking on debt to finance two huge deals at the same time.

    On Thursday, problems within both target companies surfaced.

    Alere filed a complaint in Delaware Chancery Court, saying Abbott had not taken the necessary steps, including obtaining antitrust approval, to close their deal. No further details were provided, and the contents of the case will be sealed until next week.

    Earlier that day, an investor disclosed a report saying that St. Jude Medical’s pacemakers were vulnerable to cyberattacks, and therefore should be recalled. The investor, a so-called short-seller called Muddy Waters Research, said that half of St. Jude Medical’s revenue could disappear for two years as a result.

    Les Funtleyder, a health care portfolio manager at E Squared Asset Management, said that Alere was a case study in what not to do with a transaction, given a breakdown somewhere in due diligence. Mr. Funtleyder said the risks surrounding St. Jude Medical would have been more difficult to foresee, but that Abbott may have lost some clout with investors, regardless.

    “Maybe they did these deals out of desperation to bridge a growth gap or something, in terms of being willing to overlook things,” said Mr. Funtleyder, who also is an adjunct professor of public health at Columbia University. “Wall Street is not going to think this is an honest mistake.”

    The health care industry has been undergoing extensive consolidation over the last few years, driven in part by larger companies buying smaller ones to help cut costs and fuel growth. Abbott has been a key player in the flurry of deal activity.

    “Alere’s lawsuit is without merit,” an Abbott spokeswoman said in an emailed statement. “Abbott is compliant with its obligations under the merger agreement and continues to work toward regulatory approvals, despite Alere’s nearly six-month delay in filing its 2015 10-K.”

    The issues surrounding St. Jude Medical are a bit more nuanced. The report disclosing problems with St. Jude Medical’s cardiac devices came from an investment firm, which had bet on the decline of St. Jude shares. The founder of that firm, Carson Block, received the information from MedSec, which is a cybersecurity research firm. After MedSec discovered the vulnerabilities, it contacted Mr. Block. Justine Bone, MedSec’s chief executive, said on Bloomberg TV on Thursday that MedSec also benefited from the decline in St. Jude’s stock price this week.

    St. Jude Medical said in a statement on Friday that the Muddy Waters and MedSec report was “false and misleading.” Abbott’s spokeswoman said, “We continue to collaborate with St. Jude to advance the transaction.”

    Even if the report were true, that alone would not give Abbott a way out of the deal if it wanted one. If the devices were recalled, Abbott might be able to terminate the deal, but there would be no guarantee.

    The distinction analysts make between St. Jude Medical and Alere is that the issues with Alere were known before Abbott signed the deal.

    “It’s unusual to have these events, but it’s also unusual to have two major deals pending,” said David Toung, an analyst at Argus Research. “Abbott certainly has its hands full in deciding which way it really wants to go, which companies it wants to acquire.”


  5. The hacking world has made other moves toward what some critics have viewed as risky disclosures in areas that involve physical safety. Last year two well-known researchers manipulated critical systems on a Jeep Cherokee with a journalist behind the wheel

    Aug 26, 2016 | CNBC

    By Michelle Fox

    Shares of St. Jude Medical could drop sharply if the takeover of the company by Abbott Laboratories falls apart, Carson Block of Muddy Waters Capital told CNBC on Friday.

    St. Jude agreed in April to be purchased by Abbott Laboratories.

    "If the deal were to break, I think that we could be $55 or lower," Block said in an interview with "Closing Bell."

    Muddy Waters published a report announcing its short position in St. Jude on Thursday after receiving a report by cybersecurity firm MedSec that claimed St. Jude's cardiac devices are vulnerable to cyberattacks.

    MedSec CEO Justine Bone told "Closing Bell" on Friday that she made the unconventional decision to go to Muddy Waters instead of St. Jude with the findings because St. Jude had a history of not responding to security concerns.

    "We have not seen St. Jude raise the bar, unlike some of their competitors who have put some basic protections in place," she alleged.

    Block also defended his decision to not approach St. Jude with the findings and instead potentially profit by shorting the stock.

    "This isn't an oversight or small little hole that you have to look very hard to find. These are gaping holes," he said. "This is a company that will ultimately be held to be grossly negligent."

    On Friday, St. Jude disputed the allegations made by Muddy Waters Capital and MedSec. 

    "We have examined the allegations made by Muddy Waters Capital and MedSec ... and we conclude that the report is false and misleading," it said in a detailed statement.

    It called the test methodology used by MedSec "flawed" and said its software has been evaluated by several independent organizations.

    "St. Jude Medical will remain ever vigilant and dedicated to patient safety," the statement said.

    Shares of St. Jude were temporarily halted Friday afternoon before resuming trading and closing up 19 cents at $78.01.


  6. Unusual stock move shakes up cyber community

    Aug 26, 2016 | The Hill

    By Joe Uchill

    An investment firm’s use of medical device security research has alarmed many within the cybersecurity and healthcare fields, and excited others. 

    Muddy Waters Capital announced on Thursday that it had sold stock in the medical technology firm St. Jude Medical based on vulnerabilities in MedSec’s cybersecurity. Cardiac devices make up nearly 50 percent of St. Jude’s business, and an interruption in their sales could drastically affect the company's stock price. 

    After its sell-off, Muddy Waters Capital described the vulnerabilities on its website. 

    The report reads, in part: “We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users. Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house [the] exploits that help to enable these attacks.”

    According to the report, Muddy Waters bet against St. Jude when its stock was at $81.88.

    By 9:45 a.m. on Friday, it had dropped to $76.07.

    Beyond the immediate hit, Muddy Waters anticipates a prolonged recall process. There could also be fines and lawsuits.

    St. Jude was in the process of being acquired by Abbott Labs in a $25 billion deal that valued the company at around $85 a share. 

    On Friday, many within the security community were still trying to grasp the impact of Muddy Waters’ move.

    Some called it “naked greed” at safety’s expense, something that went against the community's norms.

    Others saw it as a way to “do good by doing bad,” as Duo Security’s Chief Officer Dug Song tweeted, a way to encourage better security in companies fearing their bottom line.

    “I wouldn’t say it’s good,” said Northeastern University law professor Andrea Matwyshyn. “I would say it’s inevitable.”

    The action by Muddy Waters was unusual.

    Usually, security researchers at least try to act in the best interests of device manufacturers and notify a company in some way of a security flaw in its products. A few sell the bugs to governments who use them in espionage.

    Matwyshyn noted that the Securities and Exchange Commission has advocated for more transparency about security risks in products. For the past few years, Matwyshyn has held conversations with investors trying to incorporate cybersecurity into investment schemes.

    “This did not come out of left field,” she said. 

    She said researchers have for years been rebuffed by companies when they try to notify them of security problems for free. If altruism does not work in getting vulnerabilities fixed, she said, it should not be a surprise that researchers turn to the free market. 

    Andy Sellars, director of the new cyber law clinic created by Boston University and MIT, said that Muddy Waters’ model “was incredibly short-sighted.”

    The right for researchers to investigate medical devices, cars and other critically important technologies for security problems is not a given. Until last year, research into the security of connected devices was in many cases thwarted by copyright law, but it’s now legal under a temporary exemption that might not be renewed.

    “It’s staggering to me a company like MedSec would do this. It will only increase the calls that companies like MedSec need to be regulated,” he said. 

    Joshua Corman, the director of cyber statecraft at the Atlantic Council and co-founder of the security advocacy group I Am The Cavalry, said the legality is not the only tenuous relationship at stake when a MedSec takes this kind of action. 

    Though groups like I Am The Cavalry have not solved the problem of companies willfully ignoring security, they have made inroads. Medical technology manufacturers, including Philips and Johnson & Johnson, now invite researchers to disclose vulnerabilities for repair. Corman said those inroads exist largely because they have eased the adversarial relationship between researchers and companies.

    “Finger-pointing never worked; empathy did,” he said. 


  7. Shares of St. Jude Medical resume trading, recover losses

    Aug 26, 2016 | CNBC

    By Christine Wang

    Shares of St. Jude Medical closed 0.2 percent higher, recovering earlier losses, after a temporary trading halt on Friday afternoon.

    The stock fell 2.5 percent in intraday trade before the halt.

    On Thursday, Muddy Waters Capital published a report announcing its short position in St. Jude. The firm alleged that the company's cardiac devices are vulnerable to cyber attacks, citing a study conducted by cybersecurity research firm MedSec.

    These alleged security issues mean that "St. Jude's business faces some significant risk of recall for an extended period of time," Carson Block, founder of Muddy Waters, said in an interview on CNBC's "Closing Bell."

    MedSec was unable to find encryption or authentication built into the protocol of St. Jude's devices, CEO Justine Bone said on "Closing Bell." She said that while her firm was able to find a few vulnerabilities in all the leading manufacturers of cardiac devices, the issues with St. Jude's devices were exceptional.

    "St. Jude Medical really stood out as exceptionally falling far behind when it comes to their attention to the integrity and security of their product range, which is why we felt that we had to take the drastic action that we did," Bone said.

    On Friday, St. Jude refuted Muddy Waters and MedSec's claims, saying that while the company "would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading."

    St. Jude said it is standing "behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions." In particular, the company took issue with the testing methodology, saying that the report lacks detail and "includes many inconsistencies."


  8. Claims of St. Jude device hack risk may affect Abbott acquisition

    Aug 26, 2016 | Bloomberg

    By Michelle Fay Cortez, Erik Schatzker, and Jordan Robertson

    Carson Block, the renowned short-seller and founder of research firm Muddy Waters LLC, has taken a short position in St. Jude Medical Inc., denouncing the security of its cardiac devices in an effort that could derail the company's purchase by Libertyville Township-based Abbott Laboratories.

    In a report to investors, Block warned that tens of thousands of Americans are living with ticking time bombs: St. Jude pacemakers and defibrillators that are easily compromised, causing potentially fatal disruptions.


    "The allegations are absolutely untrue," said Phil Ebeling, St. Jude's chief technology officer. "There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices."

    If proven, Block's claims could derail Abbott's plan to buy St. Jude or lead Abbott to renegotiate the deal. This could cause St. Jude shares to fall more than the 5 percent they declined in New York Thursday. The stock closed at $77.82, well below the original value of the deal, approximately $85 per share.

    Abbott declined to comment, company spokesman Scott Stoffel said in an email.

    Many in the technology and medical communities say the risk of such hacks is remote at best. But Block, no stranger to drawn-out corporate feuds, says in a 33-page report that St. Jude's deficiencies are so great -- and stand in such sharp contrast to offerings from rivals including Medtronic Plc -- that its equipment should be recalled and sales of the devices that account for 45 percent of St. Jude's revenue should be halted until the problem is fixed. That could take years.

    "The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction," Block said in an interview with Bloomberg Television. St. Jude "should stop selling these devices until it has developed a new secure communication protocol."

    Muddy Waters became aware of the potential flaws after a startup cybersecurity company, Miami-based MedSec Holdings Inc., approached the short-selling firm three months ago. The hackers had been working for more than a year, ferreting out security flaws in medical devices made by four leading companies. One stood out from the rest: St. Jude's products had an "astounding" level of problems, including lack of encryption and authentication between devices, which could allow hackers to tap into implanted devices, said MedSec Chief Executive Officer Justine Bone, herself an experienced hacker.

    Bone said her company's compensation is tied to the success of Block's trade, an arrangement she knows will lead to some criticism. But Bone said partnering with Block was the most powerful way to inflict pain on St. Jude for what she called its "negligent level of attention to cybersecurity."

    While Block has seized on this attention-grabbing issue, the actual risk of hacking attacks against St. Jude patients is mostly theoretical, other cybersecurity experts say. Most hacks are criminal in nature, driven by profit motive. There have been no publicly documented cases of medical devices being hacked to cause patient harm.

    The lack of a clear business model for making money from hacking medical devices suggests the types of mass attacks that plague personal computers are unlikely, said Billy Rios, a top medical-device hacker.

    The U.S. Food and Drug Administration declined to comment specifically on St. Jude's devices, spokeswoman Andrea Fischer said in an email. The agency did say that it requires companies to be vigilant and correct vulnerabilities in a proactive manner, that it has taken action to ensure the safety of medical devices and that it will continue to work collaboratively with the industry, cybersecurity experts and others to protect public health.

    Muddy Waters commands respect in the marketplace, given Block's record when going on the offensive. He first came to fame five years ago with a series of successful short-selling campaigns against Chinese companies listed in North America. The biggest was Sino-Forest Corp., the Hong Kong-based tree grower whose market value went from more than $6 billion to nothing after Muddy Waters questioned its accounting.

    At times, Block, 40, has been among a small group of short sellers whose name alone on a report was enough to sink shares. But his wins have been fewer in recent years. Efforts to drive down a Singapore commodity trader, Olam International Ltd., blew up when a state-owned investment firm took control of the company. American Tower Corp., a Boston-based operator of cellphone antennas, has rallied 55 percent since Block announced a campaign in July 2013.

    The fear of hacking medical devices, moreover, is nothing new. Former U.S. Vice President Dick Cheney famously had the Wi-Fi on his pacemaker turned off in 2007 precisely to prevent such an attack. The medical-device industry has been on notice since 2008 about these kinds of hacking risks, when academics from the University of Washington, University of Massachusetts and Harvard Medical School published a study showing that a popular type of pacemaker and defibrillator could be remotely reprogrammed to deliver deadly shocks. Since then, there have been a slew of reports about dangers in other products, from insulin pumps to hospital monitors to surgical equipment.

    The Muddy Waters report comes at a delicate time for St. Jude, which is being acquired by Abbott for $25 billion. The offer swelled the St. Paul, Minnesota-based company's stock price by about 25 percent when it was announced on April 28. St. Jude shareholders are slated to receive $46.75 in cash and 0.8708 share of Abbott common stock, representing about $85 per St. Jude share, by the end of the year.

    MedSec's Bone is a well-connected researcher and security executive who previously worked in risk management at companies including Bloomberg LP, the parent company of Bloomberg News. MedSec was founded in 2015 by Robert Bryan, a former portfolio manager at the Metaval Capital hedge fund whose career also included stints at Cyrus Capital and Goldman Sachs.

    At issue is the remote home-monitoring equipment that is standard with pacemakers, which are used to help the heart beat at a healthy rate. Defibrillators that shock a quivering heart back into a normal rhythm and cardiac-resynchronization devices that coordinate the electrical pulses that run through the heart's chambers also rely on remote monitoring.

    St. Jude's system, known as Merlin@home, has almost no security systems in place, according to the report from Muddy Waters and MedSec. It runs on outdated Linux software systems that use chips that can be purchased off-the-shelf, while its three rivals use proprietary or modified equipment, Block said.

    "Nobody is close to being this bad," Block said, estimating that anyone with the skill level of a "bored teenager" could break into the home device.

    The security flaws leave the lifesaving devices vulnerable to attacks that could wipe them out, cause them to malfunction or drain their batteries. This would mean patients have no protection if their heart gives out, according to the Muddy Waters report. The flaws and the experimental attacks MedSec carried out involved equipment that was in proximity, within a 50-foot radius.

    Other work by the company indicated that hackers could, in theory, break into the equipment via the wireless lines of communication between the bedside transmitter and the St. Jude servers, allowing an attack that could be launched from much further afield.

    MedSec's analysis of the St. Jude pacemakers found the devices so poorly protected that Muddy Waters determined the flaws amount to "likely gross negligence on the part of St. Jude over many years," Block said in the Bloomberg Television interview.

    MedSec testers came to Muddy Waters because, Block said, if they had gone directly to the medical device maker, "St. Jude would sweep this under the rug. They felt that it's very important for users of these devices, for patients, to know about the risks. Our assessment, as well as that of MedSec, is that for a number of years St. Jude in this realm has been putting profits before patients."


  9. A cyber investigation with legs?

    Aug 26, 2016 | Politico

    By Arthur Allen

    SHORT-SIGHTED SHORT SALE? The big news in health IT Thursday occurred on Wall Street, where investor Muddy Waters announced that it was selling short shares of St. Jude Medical because of the lousy cybersecurity of the company’s medical devices. How lousy? Think “Homeland,” warmongering VPs with vulnerable pacemakers and the like.

    … The report by the investor and the security researcher MedSec said that pacemakers, defibrillators and other cardiac devices made by St. Jude Medical contained “grossly inadequate” cybersecurity compared to those of other leading manufacturers such as Medtronic. St. Jude Medical's stock ended the day around $78, a loss of five percent on the day, after what seems to have been the first activist investor attack over cyber concerns.

    The move raised questions about just how bad St. Jude Medical’s security is when compared to the industry at large, and whether the action was fair—especially when MedSec CEO Justine Bone revealed that her company’s compensation from Muddy Waters was tied to the stock trade. Perhaps more importantly, though, it suggested that investors—and perhaps SEC action—could become another tool to force the health care sector to spend more energy (and money) on cybersecurity.

    … First the critics:

    — “My research tells me that if you look at the whole population of medical device makers, probably 80 percent of them would have similar problems,” said Mandeep Khera, chief marketing officer of Arxan Technologies. “Singling [St. Jude] out is not fair unless you publish a report that lists every single company.” Ethical practice requires security investigators to inform their targets of any problems and allow time for remediation before releasing findings, and it’s not clear MedSec did that, Khera notes. (St. Jude Medical called the report “absolutely false.”)

    — Josh Corman, a “white hat” hacker who is a member of HHS’s Cybersecurity Task Force, found the report nerve-wracking. “Cybersecurity in the whole industry is terrible. This isn’t the only company with problems,” he said. “This will raise questions and awareness, which may be good, but it will also create an adversarial relationship. It could be overly worrisome to patients and serve as an advertisement to adversaries.” Medical device companies have shown a willingness recently to acknowledge security gaps, Corman said, but it will take years to fix them. “This is kicking them in the middle of a discussion,” he said.

    … Other cybersecurity experts made the point that, whether over-the-top or not, the short sale could be a sign of things to come.

    — Lisa Gallagher, who heads healthcare privacy and cybersecurity work at PwC, said she suspected that such inquiries are becoming "standard due diligence for investment firms, underwriters, analysts, etc."

    — Jacob Olcott, vice president for security ratings firm BitSight, said the report and short-sale signal potential SEC intervention. That agency has five-year-old guidance that requires companies to disclose cybersecurity risks to their investors, and “any reasonable read of the guidance suggests that manufactured devices fall under the concept SEC laid out,” says Olcott, a former Senate legal counselor. The short, and the fallen stock price — if it stays down — suggest the belief that St. Jude Medical will have to recall devices, Olcott says. “What if there’s no capability to do a remote update of the device? What will FDA do? A recall was clearly the calculation of the investor who made the short.”

    This could be new territory for the device industry …


  10. Muddy Waters claims device maker vulnerable to hackers

    Aug 26, 2016 | Financial Times

    By Hannah Huckler

    Muddy Waters, the hedge fund, on Thursday claimed that a pacemaker manufacturer’s life-saving devices are vulnerable to hackers, the first time a shortseller has publicly used alleged cyber security vulnerabilities to put pressure on a stock to fall.

    The fund, known for making claims of fraud at Chinese public companies, has teamed up with security research company MedSec as it targets St Jude Medical — alleging flaws that could be used to crash cardiac devices, make them pulse irregularly or run their batteries down so they stop working.

    Shares in St Jude Medical — which Abbott Laboratories agreed to take over for $30bn in April — fell about 5 per cent to $77.82 on Thursday, despite the company denying the security problems.

    Phil Ebeling, St Jude Medical’s chief technology officer, said the allegations were “absolutely untrue” — there were several layers of security measures in place and the company conducts ongoing security assessments. There is no known example of a hacker using the flaw to compromise patient care.

    Justine Bone, chief executive of MedSec, which will be paid by Muddy Waters in connection with the investment, said the public needed to know about the flaws. Muddy Waters estimates there are about 260,000 such devices in the US.

    “These are massive companies profiting off low-quality technologies putting patients at risk,” she said.

    Cyber security experts have been warning about potential flaws in medical devices, which are now often connected to the internet, arguing that manufacturers have lagged behind the software industry in ensuring devices can be protected from hackers. But most researchers who find vulnerabilities report them directly to the manufacturer for fixing before details are published, so that hackers cannot take advantage.

    Muddy Waters did not inform St Jude Medical before publishing the report but said it had sent details of the vulnerabilities to the US Food and Drug Administration, which regulates medical devices.

    In a report, Muddy Waters says it believes there is a “strong possibility” that almost half of St Jude Medical’s revenue will disappear for about two years, the time it estimates it could take to fix the problem in the ‘Merlin@Home’ device that communicates with the pacemakers.

    It said these devices could be hacked from up to 50ft away, with hackers gaining access within 10 minutes because of unencrypted software and the lack of an authentication system, such as a password.

    Dr Hemal Nayak, a cardiac electrophysiologist who advised MedSec, said he believed patients should disconnect these units. He said he would not implant the St Jude Medical pacemakers in patients until the problem was fixed.

    “We have little doubt that St Jude Medical is about to enter a period of protracted litigation over these products,” Muddy Waters wrote in its report.

    Joshua Corman, director of the cyber statecraft programme at the Atlantic Council think-tank, has been working with manufacturers and regulators to improve the security of so-called ‘Internet of Things’ devices, including medical equipment. He said that in the past three years he had seen medical device manufacturers wake up to security threats and start working more closely with security researchers, who probe products to find flaws in the hope of fixing them.

    Mr Corman criticised MedSec for putting the information out before telling the device maker. “If you don’t tell anybody except for investors, you are optimising for profitability, not patient safety,” he said.

    Jacob Olcott is vice-president of security ratings at BitSight, a cyber security company. He helped shape Securities and Exchange Commission guidance on what kinds of cyber security threats companies must declare while in a previous job as legal adviser to the Senate commerce committee.

    He said a cyber security researcher teaming up with a market participant was “unprecedented”. More short-sellers could follow in Muddy Waters’ footsteps and start looking for cyber security flaws, he said. “A shortseller’s interest is probably piqued by this.”


  11. A New Hacker Money-Making Strategy: betting against insecure companies on Wall Street

    Sep 1, 2016 | Washington Post

    By Andrea Peterson

    For decades, there's been an unofficial truce between cybersecurity researchers and companies: When good guy hackers find a problem, they give companies a chance to fix it before going public.

    But a cybersecurity firm called MedSec just upended that truce.

    Instead of following industry traditions by alerting St. Jude Medical when researchers found alleged bugs in the company's implantable heart equipment, MedSec struck a deal with a short-seller called Muddy Waters Research. The investment firm would make the vulnerabilities public in exchange for giving the cybersecurity firm a cut of the profits Muddy Waters made from betting against the medical device maker's stock, MedSec chief executive Justine Bone said in an interview. The arrangement was first reported by Bloomberg News.

    The deal represents a potentially lucrative new strategy for monetizing cybersecurity research. But some experts question the ethics of the agreement and worry it may lead other hackers to seek profits rather than the security of products.

    Bone said the agreement with Muddy Waters is partially a way to recoup the costs from spending a year and a half researching medical-device security. But the decision to go public was also an accountability measure: Her team was alarmed by the problems they found in St. Jude devices and was worried patients wouldn't know about risks lurking inside their own chests, Bone said.

    “We felt that if we were to take a traditional course and engage directly with [St. Jude Medical] — as others had done before — it was highly likely or almost certain that we would get hushed up and it would be brushed aside,” she said, citing a 2014 Reuters report about the Department of Homeland Security investigating security flaws in St. Jude’s products.

    MedSec demonstrated that some of the medical device maker’s implantable heart equipment has potentially fatal flaws — leaving them vulnerable to attacks that could speed up pacemakers to dangerously fast rates or quickly drain devices' batteries — Muddy Waters alleged in a report released last week. The investment firm said the issues could cause St. Jude to lose roughly half of its revenue for two years.

    The medical device maker's stock tumbled 8 percent in the hours after Muddy Waters’ announcement. It also temporarily halted trading Friday. Although trading has since resumed, the company’s value is still recovering during a critical period as it finalizes a deal to be acquired by health giant Abbott.

    St. Jude vehemently denied Muddy Waters's allegations, calling them “false and misleading” in a statement on its website, and raised questions about MedSec’s methodology. St. Jude Medical also said it works with “third-party experts, researchers, government agencies and regulators in cybersecurity” to protect its devices and asked those who spot a potential security vulnerability to contact the company directly so it could verify the problem.

    Muddy Waters fired back Monday with a new report critiquing St. Jude's response and a video the firm says demonstrates the alleged attacks. But Tuesday, a team of researchers at the University of Michigan who attempted to replicate MedSec's research called it inconclusive. In a statement, Muddy Waters said the Michigan research did "not attempt to re-create the attack and does not address the issues" outlined in its latest video.

    The Food and Drug Administration told The Washington Post it is working with the Department of Homeland Security to investigate the claims in the Muddy Waters report, but it advised patients with St. Jude devices to continue using them as instructed by their doctors. Neither agency was informed about the report until the day it was made public, according to Bone.

    Although the specifics of the alleged problems are still in limbo and the details about how much Muddy Waters and MedSec have gained and stand to gain are unclear, many in the security community have raised concerns about how MedSec disclosed its research.

    Kevin Fu, a Michigan professor who led the team that tried to verify MedSec's findings, called MedSec's approach "certainly unorthodox" and could not recall any other time he'd seen "a security researcher funded by a short seller to disclose something in this manner."

    Yet the idea isn’t totally novel: Chatter about using bugs to make money by manipulating stocks has been floating around security conferences for years, Veracode chief technology officer Chris Wysopal told The Post. Notorious Internet provocateur Andrew Auernheimer even claimed that he planned to set up a hedge fund to short companies with security flaws after hacking charges against him were overturned in 2014.

    But experts think MedSec is the first company to try out the strategy publicly.

    Joshua Corman, director of the Atlantic Council’s Cyber Statecraft Initiative and founder of a group focused on cybersecurity and physical safety called I Am the Cavalry, said he is "greatly" concerned by the precedent it set.

    He worries that MedSec and Muddy Waters’ tactics will undermine efforts to build trust in the medical device security market. “This has now potentially created an adversarial relationship again where white hat hackers can be viewed as opportunistic or greedy,” he said, using a term for cybersecurity specialists who assess the vulnerabilities of systems before others can exploit them.

    But Corman's even more concerned that users will be left at risk if researchers decide to try their luck on Wall Street instead of quietly helping companies patch up their systems — especially with technology where people’s lives are on the line. If companies don't know about security flaws until they've already been made public, bad actors could take advantage of problems while developers scramble to come up with a fix, Corman said.

    “Where is the discussion about patient safety and the devices that are currently in people’s chests?” he said.

    Bone argued MedSec did patients a service by telling them what St. Jude would not — and added that the information disclosed through Muddy Waters didn’t include enough detail to put patients at immediate risk.

    But Fu and Corman questioned why Bone didn't reach out to the FDA about their findings in advance. The agency often works with researchers who think they have found critical digital security problems in life-saving technology. That’s the approach Fu has taken when he has found technical issues with implantable medical devices in the past, he said — in part because he “didn’t want to cause unneeded alarm to patients.”

    Suzanne Schwartz, who leads the FDA's medical device cybersecurity initiative, expressed disappointment at MedSec's tactics. "Obviously, this type of disclosure we would not consider to be favorable to improving or strengthening the medical device ecosystem," she told The Post.

    The agency has been working to improve how it handles the high-tech risks that come with digital medical devices for years. Just this January, the FDA released draft guidance for how manufacturers should manage cybersecurity for medical devices already on the market.

    A key component of the draft guidance is "establishing and supporting formal policies for coordinated vulnerability disclosure" where researchers and manufacturers collaborate to identify and mitigate digital threats before they can harm patients, the FDA told The Post.


  12. Trade Coverage

  13. UPDATE: St. Jude Medical denies short-seller’s accusations

    Aug 25, 2016 | Mass Device

    By Brad Perriello

    St. Jude Medical (NYSE:STJ) sharply rebutted allegations by a short-seller that nearly half of its cardiac rhythm management devices are extremely vulnerable to hackers.

    St. Jude Medical vehemently denied the charges, with their top R&D executive calling them “absolutely untrue.”

    Muddy Waters, the firm founded by well-known short-seller Carson Block, issued a report today accusing Little Canada, Minn.-based St. Jude of being “grossly negligent” in failing to safeguard its Merlin@home device, which connects with implanted pacemakers and defibrillators. The short-seller wants to disrupt the pending, $25 billion acquisition of St. Jude by Abbott (NYSE:ABT); Block is long on ABT shares, he told Reuters.

    The Merlin@home devices “can be exploited to cause implanted devices to malfunction and harm users. We believe that courts will hold STJ’s lack of security in its Cardiac Device ecosystem is grossly negligent, unless STJ settles the litigation we see as inevitable,” according to the Muddy Waters report.

    “The vulnerabilities result from an apparent lack of device security; and, the communication protocols for the Cardiac Device ecosystem – which we believe lacks basic protections such as encryption and authentication – are in fact compromised,” according to the firm’s 33-page report. “As a result, an attacker can impersonate a Merlin@home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework.”

    “The allegations are absolutely untrue,” St. Jude Medical chief technology officer Phil Ebeling said in an emailed statement. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.”

    The accusations stem from a cybersecurity firm, Miami-based MedSec Holdings, that approached Muddy Waters after investigating St. Jude and 3 of its competitors. MedSec’s compensation for the research, however, is tied to Block’s short on STJ shares. And cybersecurity experts say there’s no economic rationale for the type of mass attack hypothesized in the Muddy Waters report.

    “The lack of a clear business model for making money from hacking medical devices suggests that it’s unlikely we will see the types of mass attacks,” famed “white hat” medical device hacker Billy Rios told Bloomberg.

    St. Jude questioned the validity of the report and defended the safety and security of its devices.

    “We have examined the allegations made by Muddy Waters Capital and MedSec on August 25, 2016, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” St. Jude wrote in a prepared statement.

    St. Jude reiterated that its remote monitoring is a “safe and effective means for patients to communicate with their physician,” and noted that remote monitoring has been documented in “leading publications” as a system that saves lives.

    “At St. Jude Medical, we work with 3rd-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for our data and devices as part of our product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts. In addition, we collaborate with industry and governmental organizations to gain insight on recent trends and take appropriate action,” St. Jude wrote in a press release.

    The company said that its Merlin@home units feature an automated remote upgrade process so that “security enhancements” are automatically installed when available.

    “Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes. We want to reassure our patients that our systems meet the highest international security requirements, as required by regulatory authorities and international standards organizations,” St. Jude wrote in prepared remarks.

    St. Jude denied the claims that the device’s battery could be depleted at 50-foot range, saying it would not be possible once the device is implanted into a patient, as it is limited to an approximate 7-foot range.

    “This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report. In addition, in the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient. In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients,” St. Jude wrote in a prepared release.

    STJ shares were down 8.5% to $74.90 apiece as of about 12:40 Eastern today.


  14. St. Jude Medical (STJ) Mentioned as Short at Muddy Waters

    Aug 25, 2016 | StreetInsider

    St. Jude Medical (NYSE: STJ) was mentioned cautiously by short seller Muddy Waters Research. The report suggests that close to half of STJ’s revenue could disappear for approximately two years as the company's pacemakers, ICDs, and CRTs should be recalled amid cyberattack risk.

    "STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated. (These devices collectively were 46% of STJ’s 2015 revenue.)," said Muddy Waters. "Based on conversations with industry experts, we estimate remediation would take at least two years. Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients."

    The report added, "We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users. Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks."

    Shares of St. Jude are lower by about 2% on the session.

    SI NOTE: St. Jude Medical, Inc (NYSE: STJ) is in a deal to be acquired by Abbott (NYSE: ABT). Under the agreement, St. Jude Medical shareholders will receive $46.75 in cash and 0.8708 shares of Abbott common stock.


  15. Muddy Waters Spokesperson In An E-mail To Benzinga, Questions Independence Of University Of Michigan Study Regarding St. Jude Devices, Noting That They Are 'Platinum Members'

    Aug 26, 2016 | Benzinga

    By Javier Hasse

    U.S. stocks were mixed on Friday trading, with the S&P 500 and Dow indexes closing down, and the Nasdaq slightly up, as speculation around the timing of an interest rate hike mounted following comments from key Federal Reserve officials.

    Shares of Herbalife Ltd. HLF 0.79% gained more than 4.1 percent in after-hours trading, after Carl Icahn revealed an additional stake in the stock.  Benzinga had exclusively reported an announcement was imminent prior to the news.  Seven minutes later, the famed investor disclosed a 2.3 million shares purchase made today, refuting Bill Ackman's earlier claims that he would sell. "I continue to believe in Herbalife," the statement said.

    On the other hand, Westar Energy Inc WR 0.46% traded slightly down, after the company’s Board of Directors today declared a quarterly dividend of $0.38 per share, payable October 3 to shareholders of record as of September 9.

    Also moving on a Benzinga article was St. Jude Medical, Inc. STJ 0.7%, which tumbled 0.17 percent since the bell rang, on the back of Muddy Waters comments. The research firm said the company missed out on the opportunity to take responsibility for its flawed devices. "This was a missed opportunity for St. Jude to take responsibility for their flawed devices. St. Jude's response shows that it appears to ignore the nature of the vulnerabilities and the attacks that we described in the report. Its statement offers false assurances that the devices are secure and we intend to publicly refute the company's desperate attempt to brush the issue aside once again. At the end of the day, the longer St. Jude fails to take responsibility for these issues, the greater the risk to their users," the letter read.

    Finally, there’s Amarin Corporation plc (ADR) AMRN 2.64%, which traded down 1.3 percent since the market closed after a subsidiary announced a mandatory exchange of all of its 3.5 percent May 2014 Exchangeable Senior Notes due 2032 into American Depositary Shares (ADSs) of Amarin. Each ADS represents one ordinary share of Amarin, meaning the company will issue 384.6154 ADSs for each $1,000 principal amount of 2014 Notes.


  16. Is St. Jude A Lost Cause?

    Aug 29, 2016 | Seeking Alpha

    By David Pinsen

    After Carson Block's short call against St. Jude Medical, the FT's Lex column took the other side, saying Abbott's pending acquisition of St. Jude provided a cushion for longs.

    Portfolio Armor's gauge of option market sentiment suggests that may not be the case. In most cases, stocks set to be acquired are extremely cheap to hedge.

    That wasn't the case for St. Jude Medical on Friday, as we show here.

    Hey Jude, don't make it bad - John Lennon and Paul McCartney

    Lex Says Don't Have A Heart Attack If You're Long St. Jude

    You know from Seeking Alpha news that Muddy Waters, the firm led by short seller Carson Block, has claimed that St. Jude Medical's (NYSE:STJ) implantable cardiac devices are vulnerable to hackers, and that St. Jude has refuted that claim. So is St. Jude, the company named after the patron saint of lost causes, itself a lost cause? Over the weekend, the Financial Times' Lex column suggested otherwise in "Muddy Waters-St Jude: heart attack" (free to read with FT registration).

    After noting that only one stock Muddy Waters has shorted over the last three years is up in value since, Proofpoint, Inc (NASDAQ:PFPT), Lex argues that the deal for Abbott Labs (NYSE:ABT) to buy St. Jude makes it a tough short:

    The main cushion, though, is that there is an agreed deal in place for Abbott Laboratories to buy St Jude for about $84 a share, or $24bn.

    Such a deal would be difficult to unwind.



  17. St. Jude Medical (STJ) Stock Lower, Refutes Allegations Made by Muddy Waters

    Aug 30, 2016 | TheStreet

    By Kaya Yurieff

    Shares of St. Jude Medical (STJ) were down late Tuesday morning even as the company issued another statement in response to the claim by Carson Block's research firm Muddy Waters that it will lose more than half of its revenue because of device recalls.

    Last week, Muddy Waters revealed it is short the stock, saying that the company's pacemakers and defibrillators are easy targets for hackers.

    "The allegations made by Muddy Waters and MedSec are irresponsible, misleading and unnecessarily frightening patients," St. Jude CEO Michael Rousseau said in a statement this morning.

    "We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices. This behavior speaks volumes about the profit-seeking motives and integrity of these organizations," he added.

    Yesterday, Muddy Waters and MedSec presented a video that demonstrated the Radio Frequency Telemetry Lockout security feature of the company's pacemakers, not a "crash" as they claimed, St. Jude added.

    The video also confirms that the device's clinical functions are operating as expected under these conditions, according to the Saint Paul, MN-based company. 

    "The video clearly shows a security feature, not a flaw. The pacemaker is actually functioning as designed. If attacked, our pacemakers place themselves into a 'safe' mode to ensure the device continues to work, which further proves our commitment to safety and security," CTO Phil Ebeling said in a statement.

    Separately, TheStreet Ratings Team has a "Buy" rating with a score of A- on the stock.

    The company's strengths can be seen in multiple areas, such as its revenue growth, good cash flow from operations, solid stock price performance, expanding profit margins and notable return on equity.

    The team believes its strengths outweigh the fact that the company has had subpar growth in net income.

    Recently, TheStreet Ratings objectively rated this stock according to its "risk-adjusted" total return prospect over a 12-month investment horizon. Not based on the news in any given day, the rating may differ from Jim Cramer's view or that of this article's author.

    You can view the full analysis from the report here: STJ


  18. Full Text of Stories Below
