(Reuters) - The U.S. Food and Drug Administration plans a “thorough investigation” of allegations about vulnerabilities in cardiac devices made by St. Jude Medical Inc, the agency’s official responsible for cyber security said on Thursday.
The FDA began its investigation in late August after short-selling firm Muddy Waters and cyber security firm MedSec Holdings Inc said they were betting St. Jude shares would fall, making allegations that its pacemakers and defibrillators have cyber security flaws that hackers could exploit to harm patients.
St. Jude responded by suing the companies, saying the allegations are defamatory and false.
“Regardless of the way a vulnerability comes to our attention, we take those allegations very, very seriously,” the FDA official, Suzanne Schwartz, said in a telephone interview. “We are putting all of our focus on making sure that we have an understanding of what these allegations are and do a thorough investigation of the claims.”
It was unprecedented for a cyber security researcher to publicize claims about cyber bugs as part of a short-selling strategy.
The approach also violated advice that the FDA issued in January in draft guidelines for dealing with cyber security vulnerabilities in medical devices. The guidelines urge researchers to work directly with manufacturers when they uncover suspected security bugs.
Schwartz said that vulnerabilities can typically be dealt with most efficiently when researchers work directly with manufacturers to address suspected problems. She said she hoped others would not follow the approach taken by Muddy Waters and MedSec.
Reporting by Jim Finkle in Miami; editing by Grant McCool