St. Jude releases cyber updates for heart devices after U.S. probe

(Reuters) - Abbott Laboratories ABT.N moved to protect patients with its St. Jude heart implants against possible cyber attacks, releasing a software patch on Monday that the firm said will reduce the "extremely low" chance of them being hacked.

The ticker and trading information for St. Jude Medical is displayed where the stock is traded on the floor of the New York Stock Exchange (NYSE) in New York City, U.S., April 28, 2016. REUTERS/Brendan McDermid/File Photo

The company disclosed the moves some five months after the U.S. government launched a probe into claims the devices were vulnerable to potentially life-threatening hacks that could cause implanted devices to pace at potentially dangerous rates or cause them to fail by draining their batteries..

The Food and Drug Administration and the Department of Homeland Security said that St. Jude’s software update addresses some, but not all, known cyber security problems in its heart devices.

The patch that Abbott began pushing out to patients on Monday addresses vulnerabilities that present the greatest risk to patients and prevent hackers from accessing the device, said FDA spokeswoman Angela Stark.

“The patch is intended to reduce the risk of unauthorized individuals exploiting the vulnerability and support patient safety,” she said. “The FDA has maintained this focus on addressing patient safety first and foremost throughout its investigation.”

A Department of Homeland Security spokesman said he had no immediate comment on the remaining problems.

St. Jude spokeswoman Candace Steele Flippin declined to identify specific problems, but said: “The cybersecurity landscape is evolving. St. Jude Medical has worked with, and continues to work with, the FDA and DHS to update and improve the security of our technology.”

MedSec Chief Executive Justine Bone said in a statement that “a multitude of severe vulnerabilities” were not fixed in the security update.

They include the ability to issue an unauthorized command to a cardiac implant from a device other than St. Jude’s Merlin@Home device, Bone said.

Monday marked the first time that the FDA and DHS had confirmed that St. Jude devices were vulnerable to hacking. They said they knew of no cyber attacks on patients with the company’s cardiac implants.

The FDA said that the benefits of continuing treatment outweighed cyber risks. DHS said only an attacker “with high skill” could exploit the vulnerability.

They launched the probe in August after short-selling firm Muddy Waters and cyber security firm MedSec Holdings said the devices were riddled with security flaws that made them vulnerable to potentially life-threatening hacks.

When Muddy Waters went public with the claims, it also disclosed it was shorting St. Jude Medical, which was preparing to sell itself to Abbott.

The short-selling firm said it believed that disclosure of the vulnerabilities could cause the $25 billion deal to fall apart, but Abbott last week completed its acquisition of St. Jude, one of the world’s biggest makers of implantable cardiac devices.

Muddy Waters founder Carson Block said he felt the release of the software patch “effectively vindicates” the research produced by his firm and MedSec.

As St. Jude announced the security patch, it declined comment on a lawsuit it filed against Muddy Waters and MedSec in September. It accused them of perpetrating a “willful and malicious scheme to manipulate the securities markets for their own financial windfall.”

MedSec said St. Jude has not dropped the lawsuit.

Abbott shares closed down 0.1 percent at $40.74. The S&P 500, by comparison, dipped 0.3 percent.

Reporting by Jim Finkle in Boston; editing by Jeffrey Benkoe, Bernard Orr