海角大神

Modern field guide to security and privacy

Cybersecurity firm stirs controversy in alleging medical device flaws

The firm MedSec went to an investment advisory firm instead of medical device maker St. Jude to disclose potential security vulnerabilities.

Brendan McDermid/Reuters
Ticker and trading information for St. Jude Medical displayed on the floor of the New York Stock Exchange.

In an apparent first, the investment firm Muddy Waters Capital on Thursday relied on cybersecurity research to recommend that investors bet against a major medical device maker's stock.

Muddy Waters issued of serious-sounding — but unconfirmed — flaws affecting a range of devices that St. Jude Medical Inc. manufactures. St. Jude said the flaws apparently uncovered by the cybersecurity firm MedSec were "absolutely untrue." Still, the company's stock price dipped 5 percent Thursday and was trading in negative territory Friday.

Regardless of the veracity of MedSec's findings, its decision to reveal research to investment advisors and not to St. Jude or Food and Drug Administration (FDA) regulators opens a new and uncertain chapter in the relationship between industry, investors, and security researchers.

"I recognize that this is new territory," MedSec Chief Executive Officer Justine Bone told Passcode. But, she said, "conventional thinking" about how to report security holes in products didn't seem promising in getting the issues addressed.

"We believed that St. Jude would not act responsibly and that could further delay mitigation. We believe the path we've taken is the fastest way to deliver that mitigation," Ms. Bone said.

Her company's research that revealed the apparent St. Jude flaws was part of an extensive study of medical device security. While that work surfaced security concerns across device makers, she said, the problems it found in St. Jude products were more numerous and serious.

"There was one manufacturer who was far behind in a wide range of areas, from application security to authentication to data encryption to antitamper protections. That manufacturer was St. Jude," she said.

Bone said MedSec was also wary of St. Jude's reputation within the security industry. The company's products have been the subjects of scrutiny before over security flaws. In 2014, the Department of Homeland Security named St. Jude as selling devices that

Muddy Waters did not respond to multiple requests for comment.

In response to the MedSec allegations and Muddy Waters report, St. Jude said in a statement from its chief technology officer Phil Ebeling that the company conducts "security assessments on an ongoing basis and work with external experts ... on all our devices."

But Bone contends the security flaws MedSec found should have been obvious to St. Jude. "These findings are not rocket science," she said. "We know what the state of the art in security research is, and this isn't that."

Still, many other cybersecurity experts have come out against the firm's tactics.

"I'm worried," said Joshua Corman, director of the Cyber Statecraft Initiative at The Atlantic Council and a cofounder of I Am The Cavalry, a group that fosters communication and interaction between security researchers and industry.

"This kind of act of disclosure enables adversaries to have a tactical advantage," he said. Unlike laptops or servers running Microsoft Windows, he said, St. Jude devices are implanted in patients and can't easily be replaced.

Beyond that, Corman said, MedSec's decision to work with an investment firm risks undermining already tenuous connections between the security researchers and the health care industry.

"When you see something like this, it provokes an antibody response," Corman said. "It allows people to regress to fear that 'we have to lawyer up when we see a researcher.'"

In recent years, the FDA has taken a more active role in pushing medical device makers to improve the security of their products. In January, it to manufacturers for the management of cybersecurity in medical devices. In March, it issued a regarding vulnerabilities in some models of drug infusion pump sold by the firm Hospira.

Security experts contacted by Passcode agreed that there was far more work to be done by medical device makers, regulators, and the security community to ensure that products are secure by design and resistant to even determined attacks aimed at subverting the operation of the device.

"Standards for implementation practices in the industry ... would both reduce the likelihood of such vulnerabilities and provide firms with a way to defend themselves from assertions of weaknesses in their technologies," said Carl Landwehr, a research scientist at George Washington University and author of "Building Code for Medical Device Software Security."

Mr. Corman said the desire to push for change is understandable. But, he said, "I look at this as a war and not a battle. The tide is turning to more secure and defensible architecture, but in the meantime we're very exposed."
