
Cybersecurity firm stirs controversy in alleging medical device flaws

The firm MedSec went to an investment advisory firm instead of medical device maker St. Jude to disclose potential security vulnerabilities.

Ticker and trading information for St. Jude Medical displayed on the floor of the New York Stock Exchange.

Brendan McDermid/Reuters

August 26, 2016

In an apparent first, the investment firm Muddy Waters Capital on Thursday relied on cybersecurity research to recommend that investors bet against a major medical device maker's stock.

Muddy Waters issued a report of serious-sounding – but unconfirmed – flaws affecting a range of devices that St. Jude Medical Inc. manufactures. St. Jude said the flaws apparently uncovered by the cybersecurity firm MedSec were "absolutely untrue." Still, the company's stock price dipped 5 percent Thursday and was trading in negative territory Friday.

Regardless of the veracity of MedSec's findings, its decision to reveal research to investment advisors and not to St. Jude or Food and Drug Administration (FDA) regulators opens a new and uncertain chapter in the relationship between industry, investors, and security researchers.


"I recognize that this is new territory," MedSec Chief Executive Officer Justine Bone told Passcode. But, she said, "conventional thinking" about how to report security holes in products didn't seem promising in getting the issues addressed.

"We believed that St. Jude would not act responsibly and that could further delay mitigation. We believe the path we’ve taken is the fastest way to deliver that mitigation," Ms. Bone said.

Her company's research that revealed the apparent St. Jude flaws was part of an extensive study of medical device security. While that work surfaced security concerns across device makers, she said, the problems it found in St. Jude products were more numerous and serious.

"There was one manufacturer who was far behind in a wide range of areas, from application security to authentication to data encryption to antitamper protections. That manufacturer was St. Jude," she said.

Bone said MedSec was also wary of St. Jude's reputation within the security industry. The company's products have been the subjects of scrutiny before over security flaws. In 2014, the Department of Homeland Security named St. Jude as selling devices that


Muddy Waters did not respond to multiple requests for comment.

In response to the MedSec allegations and Muddy Waters report, St. Jude said in a statement from its chief technology officer Phil Ebeling that the company conducts "security assessments on an ongoing basis and work with external experts ... on all our devices."

But Bone contends the security flaws MedSec found should have been obvious to St. Jude. "These findings are not rocket science," she said. "We know what the state of the art in security research is, and this isn't that."

Still, many other cybersecurity experts have come out against the firm's tactics.

"I’m worried," said Joshua Corman, director of the Cyber Statecraft Initiative at The Atlantic Council and a cofounder of I Am The Cavalry, a group that fosters communication and interaction between security researchers and industry.

"This kind of act of disclosure enables adversaries to have a tactical advantage," he said. Unlike laptops or servers running Microsoft Windows, he said, St. Jude devices are implanted in patients and can't easily be replaced.

Beyond that, Corman said, MedSec's decision to work with an investment firm risks undermining already tenuous connections between the security researchers and the health care industry.

"When you see something like this, it provokes an antibody response," Corman said. "It allows people to regress to fear that 'we have to lawyer up when we see a researcher.'"

In recent years, the FDA has taken a more active role in pushing medical device makers to improve the security of their products. In January, it to manufacturers for the management of cybersecurity in medical devices. In March, it issued a regarding vulnerabilities in some models of drug infusion pump sold by the firm Hospira.

Security experts contacted by Passcode agreed that there was far more work to be done by medical device makers, regulators, and the security community to ensure that products are secure by design and resistant to even determined attacks aimed at subverting the operation of the device.

"Standards for implementation practices in the industry ... would both reduce the likelihood of such vulnerabilities and provide firms with a way to defend themselves from assertions of weaknesses in their technologies," said Carl Landwehr, a research scientist at George Washington University and author of "Building Code for Medical Device Software Security."

Mr. Corman said the desire to push for change is understandable. But, he said, "I look at this as a war and not a battle. The tide is turning to more secure and defensible architecture, but in the meantime we're very exposed."
