Report on Cardiac Device Cyber Vulnerabilities Fuels Debate
Did Investment Firm, 'Ethical Hacker' Take Appropriate Action?
Medical device cybersecurity is an important area of focus that needs a brighter spotlight. But a new report questioning the security of certain cardiac devices from St. Jude Medical Inc. raises some serious ethical issues about the whistleblowers.
The stock price of St. Jude Medical fell on Aug. 25 after short-seller Muddy Waters Capital said it had placed a bet that the device maker's shares would fall, according to Reuters and other media news outlets. Muddy Waters Capital claims that its bet was based on findings by a startup cybersecurity research firm, MedSec Holdings Inc., which entered a financial arrangement with the investment firm.
Muddy Waters Capital explained its rationale for short selling St. Jude Medical stock in an Aug. 25 report. The report claimed MedSec found "key vulnerabilities" in St. Jude Medical implantable pacemaker and defibrillator devices that can "apparently be exploited by low-level hackers."
The investment firm writes in its report that the vulnerabilities found are a "magnitude more worrying than the medical device hacks that have been publicly discussed in the past." Further, the firm asserts that remediation by St. Jude Medical would take at least two years. "Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients," the report states.
While St. Jude Medical did not immediately respond to an Information Security Media Group inquiry about the MedSec/Muddy Waters claims, Reuters reports that the device maker, which announced in April plans to be acquired by Abbott Laboratories for $25 billion, said the allegations were false.
St. Jude Chief Technology Officer Philip Ebeling said there were several layers of security in place for its devices, Reuters reports. "We conduct security assessments on an ongoing basis and work with external experts specifically on ... all our devices," Ebeling said.
While the Muddy Waters Capital report puts a spotlight on potentially important cybersecurity issues concerning medical devices, the manner in which the research was released - by an investment company - and the financial arrangement between the company and the "ethical hacker" that found the vulnerabilities apparently is unprecedented, some industry experts say.
Typically, when independent researchers discover cybersecurity vulnerabilities in medical devices, they notify federal agencies, including the Food and Drug Administration or the Department of Homeland Security, as well as the affected manufacturers before disclosing the flaws.
"There needs to be respect for the process," says medical device cybersecurity expert Kevin Fu, founder and CEO of malware detection startup firm Virta Laboratories. "What if these problems affect other manufacturers' products as well?"
Independent medical device cybersecurity researcher Billy Rios says he generally reports findings about device vulnerabilities first to DHS.
"DHS typically conducts the coordination between the vendors and FDA. They are a great asset," Rios says. "With that said, the entire 'responsible disclosure' debate has been going on for decades. There are some great arguments for both sides of the debate. I would suggest device manufacturers accept that different researchers may take different approaches for how they disclose their research."
These approaches may not always have the best interest of the manufacturer in mind, Rios says. "The best approach for manufacturers here is not to try to control the researchers, but to focus on building robust security engineering processes within their organizations. A manufacturer's security strategy should not be based on the goodwill of strangers," he says.
In its report, Muddy Waters Capital admits that "while standard practice in the cybersecurity industry is to notify companies of vulnerabilities before discussing them publicly, MedSec licensed its research to Muddy Waters so that we could bring these issues to light, without revealing detailed vulnerability information."
The report also notes that the investment firm is providing the FDA and Department of Homeland Security "with a version of this report, and expects to facilitate dialogue between the agencies and MedSec."
Executives at Muddy Waters Capital did not immediately respond to ISMG's request for comment.
In a blog, MedSec CEO Justine Bone writes: "St. Jude Medical has stood out as lagging far behind. For years this company has continued to put patients at risk by profiting from the sale of devices and a device ecosystem which has little to no built-in security. We believe St Jude Medical has known about security problems in their products since at least 2013, but it is apparent from the lack of security protections or mechanisms in their product line that very little action has been taken.
"In order to help address patient safety, we have chosen to depart from standard cybersecurity operating procedures in order to bring this to the public's attention and to ensure that St. Jude Medical responds appropriately and with urgency. We have shared our research with an investment firm, Muddy Waters Capital, that is helping us deliver this message."
In a statement, the FDA tells ISMG it's "aware of the allegations and concerns raised in MedSec's public report, and we are working with the Department of Homeland Security to obtain more information from MedSec about the potential vulnerabilities identified in the report. At the present time, patients should continue to use their devices as instructed and not change any implanted device. FDA will provide updates as we learn more. In the interim, if a patient has a question or concern they should talk with their doctor."
Conflict of Interest?
Muddy Waters Capital acknowledges in its report that "MedSec is receiving compensation related to investment profits from the funds Muddy Waters manages." And that relationship muddies the water in terms of the research's credibility, Fu says.
"The report would be much stronger if the conflicts of interest were not so great," Fu says. "The researchers are directly remunerated [by Muddy Waters]. There are always shades of gray, but this is very dark. It's much harder to believe findings when the conflict of interest is that strong."
There are "hundreds of thousands of medical device cybersecurity vulnerabilities, but there are compensating controls to mitigate risk," Fu says. "This has to be looked through the lens of patient safety. The report raises important questions, but it's doing so in an unorthodox manner and is setting a dangerous precedent."
'Conflicted' Over the Conflict
Medical device cybersecurity expert Beau Woods, of grassroots safety group "I Am The Cavalry," notes that he's "conflicted" about the report.
"On the one hand, the attention could advance the cause of cyber safety; on the other, there's a clear disregard to patient safety by denying the FDA, device maker, healthcare organizations, and patients the capability to take preventive action," he says. "I'm more concerned about the impact to trust in the public health system than manufacturers' or hedge funds' bottom lines."
Still, Rios says there are some potential important safety benefits to come out of the release of the report, even if the manner in which it was issued raises questions.
"The issues reported by MedSec are more serious than the issues I reported in wireless infusion pumps," he says, referring to alerts that FDA and DHS issued in 2015 related to vulnerabilities Rios and another researcher discovered in products from Hospira.
"The issues are more serious because they involve implantable devices. While both sets of issues have the ability to hurt patients, the infusion pumps can be updated remotely, during maintenance windows with little/no impact to patient care. Updating the cardiac devices will likely require a patient procedure for which a doctor must be present. If these devices cannot be updated through the remote programmer, the patient will have to undergo a surgery in order to update the device."
Rios says St. Jude Medical needs to provide additional data related to these vulnerabilities. "Hopefully, they are conducting root cause analysis and impact analysis on the vulnerabilities," he says. "Transparency from St. Jude is key here. Once the impact is known, St. Jude should start coordinating outreach to hospitals, doctors, and to the appropriate regulatory bodies. If there are legitimate patient safety implications here, St. Jude needs to begin work on robust engineering fixes for the issues and start notification/coordination for update delivery."