St. Jude Medical, a global medical device company, issued the following statement:
Patients are our highest priority. St. Jude Medical takes our commitment to patients very seriously because we understand that the 20,000 patients around the world who receive our lifesaving and life-improving therapies – every business day – count on us to always put them first. And we do.
“The allegations made by Muddy Waters and MedSec are irresponsible, misleading and unnecessarily frightening patients,” said Michael T. Rousseau, president and chief executive officer at St. Jude Medical.
“We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices. This behavior speaks volumes about the profit-seeking motives and integrity of these organizations.”
Further demonstrating their fundamental lack of understanding of St. Jude Medical’s medical device technology, Muddy Waters Capital and MedSec presented a video yesterday that actually demonstrated the Radio Frequency (RF) Telemetry Lockout security feature of our pacemakers – not a “crash” as they claimed.
The video also confirms that the device’s clinical functions are operating as expected under these conditions.
“The video clearly shows a security feature, not a flaw. The pacemaker is actually functioning as designed. If attacked, our pacemakers place themselves into a ‘safe’ mode to ensure the device continues to work, which further proves our commitment to safety and security,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.
We have safeguards in place to mitigate so-called “crash attacks”
St. Jude Medical devices are designed to go into a life-sustaining “safe” mode, as a safeguard, if unexpected conditions are detected.
These safeguards will put the device into safe mode where the preprogrammed pacing and defibrillation functions of the implantable medical devices revert to safe settings. In addition, some of our devices, by design, disable further RF communications for a period of time, which may appear to the untrained eye as having rendered the device disabled, although it continues to function.
As part of our commitment to continuous investment in our technology, St. Jude Medical devices have built-in measures to reduce the risk of unauthorized commands being issued to our implantable devices.
In addition, we have an ongoing focus to continually strengthen our security systems in the ever-changing cybersecurity environment. For example:
Access controls help protect the Merlin@home™ operating system from unauthorized access
The lack of built-in programming commands in Merlin@home helps ensure that therapy is provided through the implanted device only at the direction of the physician
Proprietary implantable medical device protocols protect communications with the implantable device
Encryption of session authentication between the implantable medical device and Merlin@home further enhances device security
The limited Medical Implant Communication Services (MICS) wireless range restricts accessibility of communications with the implantable device
“Patient safety is and has always been our top priority,” said Mark Carlson, M.D., vice president and chief medical officer at St. Jude Medical.
“Our devices are safe and we have taken and continue to take appropriate steps to address the dynamic challenges of cybersecurity. We do this because it is the responsible thing to do for the patients and physicians who rely on our devices.”