[August 26, 2016] |
|
St. Jude Medical Refutes Muddy Waters Device Security Allegations and Reinforces Security of Devices and Commitment to Patient Safety
St. Jude Medical, Inc. (NYSE:STJ), a global medical device company,
today issued the following statement: We have examined the allegations
made by Capital and MedSec on August 25, 2016 regarding the safety and
security of our pacemakers and defibrillators, and while we would have
preferred the opportunity to review a detailed account of the
information, based on available information, we conclude that the report
is false and misleading. Our top priority is to reassure our patients,
caregivers and physicians that our devices are secure and to ensure
ongoing access to the proven clinical benefits of remote monitoring. St.
Jude Medical stands behind the security and safety of our devices as
confirmed by independent third parties and supported through our
regulatory submissions.
Remote monitoring is a safe and effective means for patients to
communicate with their physician. It has been well documented in leading
publications that remote monitoring saves lives. At St. Jude Medical, we
work with third-party experts, researchers, government agencies and
regulators in cybersecurity to develop appropriate safeguards for our
data and devices as part of our product development process and life
cycle. These experts assist in designing security controls from the
early stages of product design through final release and ongoing product
enhancements, including software updates and security patches for our
products. We also conduct regular risk assessments based on FDA guidance
and perform penetration tests using internal and external experts. In
addition, we collaborate with industry and governmental organizations to
gain insight on recent trends and take appropriate action.
Our system provides an automated remote upgrade process for all
Merlin@home units that are in active use so that security enhancements
are automatically deployed when they become available. Merlin@home units
that are not in active use and connected to the internet will also be
upgraded when they return to use if a new update is available. Our
analysis concluded that the majority of the observations in the report
apply to older versions of the Merlin@home™ devices (i.e., those that
have not been updated through the automated remote upgrade process). We
are confident in the technology that we provide and in our process for
continuously building upon our security protocols and processes. We want
to reassure our patients that our systems meet the highest international
security requirements, as required by regulatory authorities and
international standards organizations.
Claims of remote battery depletion are misleading
The report claimed that the battery could be depleted at a 50-foot
range. This is not possible since once the device is implanted into a
patient, wireless communication has an approximate 7-foot range. This
brings into question the entire testing methodology that has been used
as the basis for the Muddy Waters Capital and MedSec report. In
addition, in the described scenario it would require hundreds of hours
of continuous and sustained "pings" within this distance. To put it
plainly, a patient would need to remain immobile for days on end and the
hacker would need to be within seven feet of the patient. In the
unlikely instance that was to occur, the implanted devices are designed
to provide a vibratory patient alert if the battery dips below a certain
threshold to protect and notify patients.
The flawed test methodology on outdated software demonstrates
fundamental lack of understanding of medical device technology
The report claimed that the system could be impaired, similar to when a
computer system "crashes." The report has little detail on this
simulation and includes many inconsistencies. In fact, the screenshot of
the Merlin programmer in the Muddy Water report shows a device that is
functioning normally. The rd items on the screen are highlighting the
fact that there are no leads connected to the device. The device is
pacing properly, at the programmed 40bpm. The screenshot shows expected
behavior from the SecureSense algorithm when device is pacing without
any connected leads.
St. Jude Medical will remain ever vigilant and dedicated to patient
safety
Our software has been evaluated and assessed by several independent
organizations and researchers including Deloitte (News - Alert) and Optiv. In addition,
Merlin.net was Safe Harbor certified by St. Jude Internal Audit in 2013
and annually since then. This includes an annual audit of key security
controls within the Merlin.net environment and Merlin.net has received
ISO 27001 certification since 2009. This includes an internal audit of
security controls and an independent certification by a third party,
BSI. In 2015, we successfully completed an upgrade to the ISO 27001:2013
certification.
Muddy Waters also makes numerous unsubstantiated statements that are
speculative with no evidence shown to prove the claims such as an
ability to impersonate any SJM device, reverse engineering to create a
pocket-size programmer, and a large-scale attack through the Merlin
network. However, we are not aware of such threats and will remain
vigilant to the ever-increasing sophistication of those seeking access
to devices/data and address any issues based on additional detail
provided.
We recognize the importance of providing physicians with up-to-date and
accurate information in a timely and responsible manner so that they can
make informed patient care decisions. Our analysis reinforces the need
for researchers and manufactures to work together to discuss and resolve
potential issues together to avoid unnecessarily alarming patients.
St. Jude Medical is a strong supporter of responsible disclosure and
proactively works with industry groups like NH-ISAC and ICS-CERT
We encourage anyone with product security questions to contact us at [email protected].
We ask anyone with an a potential cybersecurity vulnerability in a St.
Jude Medical product to contact us at [email protected]
for further inspection and analysis to best ensure we are able to
validate and communicate information in the interest of patient safety.
Patient safety has always been our top priority and we have every reason
to believe our devices are safe. Because we recognize cybersecurity is a
concern for patients, it is also a priority for St. Jude Medical. We
have a dedicated resource on sjm.com reinforcing our commitment to
product and information security on our website.
About the Impact of the St. Jude Medical Remote Monitoring Portfolio
The St. Jude Medical Merlin.net Patient Care Network (PCN) is an award
winning Radio frequency (RF) remote monitoring system designed to
improve outcomes for patients with pacemakers, implantable cardioverter
defibrillators (ICDs) and cardiac resynchronization defibrillators
(CRT-Ds). With rapid access to their patient's information through the
secure Merlin.net PCN website, physicians can remotely monitor and
assess patient device data and determine interventions needed. Recent
research has shown that remote monitoring can improve patient survival
while reducing hospitalizations and health care utilization.
In 2008, St. Jude Medical improved upon the exceptional security of the
Merlin.net PCN by introducing the Merlin@home™ transmitter, which allows
efficient remote care management and additional options for physicians
to provide early intervention and improve health care efficiency. The
data transferred by Merlin@home are fully encrypted and meet or exceed
all applicable national data privacy and security requirements in all
countries where the Merlin.net PCN is used. In addition, the Merlin.net
PCN was the first cardiac device monitoring system to be awarded ISO/IEC (News - Alert)
27001:2005 certification, a stringent worldwide information security
standard, and our certification is audited, updated and current.
Remote monitoring of cardiac patients has become a best-practice over
the past decade. In 2016, the Heart Rhythm Society has made remote
monitoring the standard of care in its recent guidelines. St. Jude
Medical has pioneered this life-saving capability with our RF Merlin.net
Patient Care Network (PCN) and the Merlin@Home patient system. Dozens of
studies continue to prove the positive impact on patient outcomes, and
the reduction of healthcare costs.
Patients with questions about remote care from St. Jude Medical can call
Remote Care Services at 1-877-MY MERLIN (1-877-696-3754).
About St. Jude Medical
St. Jude Medical is a leading global medical device manufacturer and is
dedicated to transforming the treatment of some of the world's most
expensive epidemic diseases. The company does this by developing
cost-effective medical technologies that save and improve lives of
patients around the world. Headquartered in St. Paul, Minn., St. Jude
Medical employs approximately 18,000 people worldwide and has five major
areas of focus that include heart failure, atrial fibrillation,
neuromodulation, traditional cardiac rhythm management and
cardiovascular. For more information, please visit sjm.com
or follow us on Twitter (News - Alert) @SJM_Media.
Forward-Looking Statements
This news release contains forward-looking statements within the meaning
of the Private Securities Litigation Reform Act of 1995 that involve
risks and uncertainties. Such forward-looking statements include the
expectations, plans and prospects for the company, including potential
clinical successes, reimbursement strategies, anticipated regulatory
approvals and future product launches, and projected revenues, margins,
earnings and market shares. The statements made by the company are based
upon management's current expectations and are subject to certain risks
and uncertainties that could cause actual results to differ materially
from those described in the forward-looking statements. These risks and
uncertainties include market conditions and other factors beyond the
company's control and the risk factors and other cautionary statements
described in the company's filings with the SEC (News - Alert), including those
described in the Risk Factors and Cautionary Statements sections of the
company's Annual Report on Form 10-K for the fiscal year ended January
2, 2016 and Quarterly Report on Form 10-Q for the fiscal quarter ended
July 2, 2016. The company does not intend to update these statements and
undertakes no duty to any person to provide any such update under any
circumstance.
View source version on businesswire.com: http://www.businesswire.com/news/home/20160826005729/en/
[ Back To Mobile World Congress's Homepage ]
|