SHORT-SIGHTED SHORT SALE? The big news in health IT Thursday occurred on Wall Street, where investor Muddy Waters announced that it was selling short shares of St. Jude Medical because of the lousy cybersecurity of the company’s medical devices. How lousy? Think “Homeland,” warmongering VPs with vulnerable pacemakers and the like.
The report by he investor and the security researcher MedSec said that pacemakers, defibrillators and other cardiac devices made by St. Jude Medical contained “grossly inadequate” cybersecurity compared to those of other leading manufacturers such as Medtronic. St. Jude Medical's stock ended the day around $78, a loss of five percent on the day, after what seems to have been the first activist investor attack over cyber concerns.
The move raised questions about just how bad St. Jude Medical’s security is when compared to the industry at large, and whether the action was fair—especially when MedSec CEO Justin Bone revealed that her company’s compensation from Muddy Waters was tied to the stock trade. Perhaps more importantly, though, it suggested that investors—and perhaps SEC action--could become another tool to force the health care sector to spend more energy (and money) on cybersecurity.
… First the critics:
— “My research tells me that if you look at the whole population of medical device makers, probably 80 percent of them would have similar problems,” said Mandeep Khera, chief marketing officer of Arxan Technologies. “Singling [St. Jude] out is not fair unless you publish a report that lists every single company.” Ethical practice requires security investigators to inform their targets of any problems and allow time for remediation before releasing findings, and it’s not clear MedSec did that, Khera notes. (St. Jude Medical called the report “absolutely false.”)
— Josh Corman, a “white hat” hacker who is a member of HHS’s Cybersecurity Task Force, found the report nerve-wracking. “Cybersecurity in the whole industry is terrible. This isn’t the only company with problems,” he said. “This will raise questions and awareness, which may be good, but it will also create an adversarial relationship. It could be overly worrisome to patients and serve as an advertisement to adversaries.” Medical device companies have shown a willingness recently to acknowledge security gaps, Corman said, but it will take years to fix them. “This is kicking them in the middle of a discussion,” he said.
… Other cybersecurity experts made the point that, whether over-the-top or not, the short sale could be a sign of things to come.
— Lisa Gallagher, who heads healthcare privacy and cybersecurity work at PwC, said she suspected that such inquiries are becoming "standard due diligence for investment firms, underwriters, analysts, etc."
— Jacob Olcott, vice president for security ratings firm BitSight, said the report and short-sale signal potential SEC intervention. That agency has five-year-old guidance that requires companies to disclose cybersecurity risks to their investors, and “any reasonable read of the guidance suggests that manufactured devices fall under the concept SEC laid out,” says Olcott, a former Senate legal counselor. The short, and the fallen stock price — if it stays down — suggest the belief that St. Jude Medical will have to recall devices, Olcott says. “What if there’s no capability to do a remote update of the device? What will FDA do? A recall was clearly the calculation of the investor who made the short.”
This could be new territory for the device industry …
Source :http://www.politico.com/
TAGS: muddy waters St. Jude Medical st jude
Out Of Topic Show Konversi KodeHide Konversi Kode Show EmoticonHide Emoticon