It sounds like something out of a movie plot.
The computer genius sits in a dark room illuminated only by the glow of a computer monitor. His fingers fly across a keyboard, writing code for an unknown reason. He sits back once his program is complete and inspects his handiwork. It’s a work of art. As he clicks his mouse to upload the code into the ether, he sighs and smiles.
Moments later, people around the world start dropping dead, seemingly at random. Days later, news reports inform a panicked public that someone has figured out how to hack implanted heart defibrillators. Once programmed only to shock a heart that was out of rhythm, the devices now shock at random, or not at all.
It’s a nightmare scenario, both for patients and for those who are invested in the companies that manufacture this life-saving technology.
Unless, of course, you’re shorting the stock.
Shorting a stock means that you’ve bet against it. Rather than making money when a company performs well, an investor who has shorted a stock makes money when a company performs poorly. And just before releasing a report alleging that St. Jude Medical heart defibrillators were vulnerable to hacking, a company called MedSec, along with a hedge fund manager known as Muddy Waters Capital, shorted St. Jude stock.
Over the next two days, the company’s value dropped over seven percent, resulting in a “financial windfall” for MedSec and Muddy Waters.
St. Jude Medical sued the two entities and accused them of trying to scare patients with unsubstantiated claims and “junk science.” And, rather than backing down, MedSec reiterated and reinforced its claims by presenting a study on the devices conducted by a Phoenix-based cybersecurity expert.
While no one is suggesting the apocalyptic scenario described above, the idea of someone other than a cardiologist having access to a device implanted next to your heart is enough to give anyone pause. And, for its part, the FDA is reviewing MedSec’s claims but has not yet taken any action against the company, nor has it made any formal recommendations. Any concerns you might have about your defibrillator are still strictly a matter for your doctor, and not a federal agency.
St. Jude Medical is not without its problems of late, as the company is facing a barrage of criticism and an FDA warning over rapidly depleting batteries in these same types of heart defibrillators. And, as with any device capable of connecting wirelessly to other devices – especially in the era of the Internet of Things – there are always security concerns over the code that powers those devices and the ability of others to access and manipulate that code.
The jury is still out, however, on whether St. Jude Medical’s hacking saga will remain in the realm of science fiction.