What's the Best Way to Handle Medical Device Security Concerns?
Cybersecurity Expert Joshua Corman Analyzes St. Jude Medical Report
Cybersecurity expert Joshua Corman says the proper handling of disclosure of medical device vulnerabilities can help avoid jeopardizing patients' health. That's why he laments that the appropriate protocol apparently was not followed when security allegations about certain devices from St. Jude Medical, which the firm refutes, were made public.
"There needs to be shared responsibility between the bug finder, bug receiver and general public," says Corman, founder of I Am The Cavalry, a grassroots, not-for-profit cyber safety organization. "Whoever cares about public safety and human life should take great care to not inadvertently put them at risk."
In an in-depth interview with Information Security Media Group, Corman notes: "The general protocol with any bug disclosure is that you [first] try to tell the vendor. ... Failing that, if there's an impasse, or in parallel, you tell the Department of Homeland Security ... for safety critical bugs, and the FDA is the regulator of record here [for medical devices]."
But investment firm Muddy Waters Capital recently went public with allegations of security flaws in certain St. Jude Medical devices without first alerting the company.
The stock price of St. Jude Medical fell on Aug. 25 after the investment firm revealed it had placed a bet that the device maker's shares would fall, based on allegations about device vulnerabilities from cybersecurity research firm MedSec Holdings. The security firm had also taken the unusual step of entering a financial arrangement with Muddy Waters Capital.
Corman asserts the two companies that partnered to call attention to alleged security shortcomings in medical devices veered from the usual protocol of allowing DHS or FDA to review the allegations and then, if appropriate, issue an alert. "If this research is accurate and enables an adversary to have an advantage in ... attacking, [that] could be due to the way [the cybersecurity flaws were] communicated directly to the public through a financial scheme," he says.
"There seems like there may be mistakes on many people's parts in this circumstance. Disclosure is a tough topic and it's been going on for three decades - and there are a lot of strong opinions about it."
In recent years, he notes, multistakeholder conversations about medical device vulnerability disclosure best practices have included workshops by the U.S. Commerce Department's National Telecommunications and Information Administration.
"One of the things we like to tell people beyond the de facto best practices - which weren't followed here [in the Muddy Waters/MedSec case] - is that when it comes to public safety and human life issues, we need additional care," he says. "So, what may have made sense for disclosing a bug in a website or web browser that can be fixed quickly and has no loss of life, we may [instead] need very different levels of care in how we communicate something in a device that could lead to harm, or loss of life - and not be patchable at all."
St. Jude Medical continues to refute the MedSec and Muddy Waters Capital claims about security shortcomings in its implantable cardiac products, such as pacemakers, and related devices.
In an Aug. 30 statement, Michael Rousseau, St. Jude Medical president and CEO, says: "The allegations made by Muddy Waters and MedSec are irresponsible, misleading and unnecessarily frightening patients. We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices. This behavior speaks volumes about the profit-seeking motives and integrity of these organizations."
Meanwhile, Muddy Waters Capital in an Aug. 29 statement says: "There are no changes to MedSec or our conclusions about the lack of security in the STJ device ecosystem, and our belief in the need for recall and remediation."
Among the key challenges in addressing cybersecurity vulnerabilities in medical devices is that many healthcare entities and patients are using devices that were developed decades ago, Corman notes.
"For many years, devices were implanted and passed through the FDA before there was any real enlightened guidance in real cybersecurity issues," he says.
In the interview, Corman also discusses:
- Today's cybersecurity landscape in the healthcare sector and the areas of greatest risk;
- How likely it is that malicious hackers would launch attacks on medical devices to cause patients harm;
- Important steps that the healthcare sector can take to improve the cybersecurity of medical devices, including implementing a "Hippocratic oath" for medical devices.
In addition to his role as founder of I Am The Cavalry, Corman is the director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center on International Security. He is also a member of the Department of Health and Human Services' 2016 Cybersecurity Task Force. Corman formerly served as chief technology officer for Sonatype, director of security intelligence for Akamai, and in senior research and strategy roles for The 451 Group and IBM Internet Security Systems. He serves on the adjunct faculty at Carnegie Mellon's Heinz College.