A flawed medical device, a troubling response
A case involving software vulnerabilities in medical electronics reveals the inability of both the health care sector and federal regulators to swiftly address cybersecurity problems.
The ticker and trading information for St. Jude Medical displayed on the floor of the New York Stock Exchange on April 28, 2016.
Brendan McDermid/Reuters
This past fall, an investment firm rattled the health care industry with unsubstantiated claims of multiple software vulnerabilities in internet-connected pacemakers and cardiac defibrillators.
But it took the federal authorities who regulate medical devices four months to acknowledge just one of the alleged defects, and the company, St. Jude Medical, the same four months to patch it.
The delayed response to a problem that could potentially put patients at risk raises questions about why the government took so long to act, and about what it will take for the health care industry to respond more swiftly to bugs in medical equipment that is increasingly connected to the internet.
"Software is never perfect and all systems still will have these flaws," says Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council and an expert on medical device security. "The question is how gracefully and collaboratively and quickly and safely can we respond to these flaws."
In this particular case, legal action, as well as the unusual way the St. Jude vulnerabilities came to light, may have stifled the response. A cybersecurity firm called MedSec initially discovered the problems in the St. Jude devices and tipped off the activist investment firm Muddy Waters, which publicized the flaws and advised clients to bet against the health care firm's stock.
In response, St. Jude lodged a defamation lawsuit against MedSec and Muddy Waters, denying many of the alleged flaws in its pacemaker and implantable defibrillator systems.
"In theory, most disclosures now should take about 60 days to get to some clarity or resolution," said Corman. "In part, because of the contentious nature and the lawyers involved in this particular one, it took about five months."
Last week, the Food and Drug Administration, along with the Department of Homeland Security, confirmed at least some of MedSec's findings and reported a flaw in the St. Jude Merlin@home transmitter, an at-home device that relays data from cardiac implants to the patient's medical team. The flaw could have allowed malicious hackers to remotely exhaust an implant's battery or potentially harm the patient.
St. Jude spokeswoman Candace Steele Flippin said in an emailed statement that following the release of Muddy Waters' claims in August, the device manufacturer "carefully reviewed the claims in these reports along with our existing plans for our cyber ecosystem," evaluated them with FDA, DHS, and outside security researchers, and then identified the improvements announced on Jan. 9 and noted further enhancements "we will be making in the coming months."
But Muddy Waters said the problems may take as long as two years to fix. Carson Block, the firm's founder, said this week that the root causes of the vulnerabilities demand a change to the firmware inside the St. Jude implants themselves.
The firm said in a statement, "these issues have just been given a quick fix by St. Jude with the government's blessing and cardiologists should go with other pacemaker manufacturers since they are much better on cybersecurity."
It's important to note that all the players in this medical legal drama, as well as the Veterans Affairs Department, which buys St. Jude devices, say there have been no reports of patient harm related to the cybersecurity vulnerabilities reported in late August. In fact, the VA in recent months has continued paying for operations involving St. Jude devices, according to contract documents.
Ever since the US government and St. Jude confirmed the one flaw, the VA has been "taking steps to be sure all our patients and providers are aware of this issue and take appropriate actions to be sure that all our patients get the update for their monitor," said Merritt Raitt, acting director of the VA National Cardiac Device Surveillance Program.
The controversy could perhaps have been partly avoided if St. Jude and MedSec had followed new federal guidance for medical device security that encourages manufacturers to be more proactive about addressing potential vulnerabilities.
A week before federal regulators publicized the one St. Jude flaw on Jan. 9, they announced the completion of a 2016 draft policy that might have yielded multiple fixes in two months without anyone resorting to public shaming or legal action.
On Jan. 4, DHS circulated the final policy for monitoring networked medical devices already on the market. It threatens manufacturers with penalties such as a recall unless they cooperate with bug hunters to patch vulnerabilities within 60 days.
Corman recommends that providers, including VA, heed all the literature that has been published on the St. Jude flaws, including the guidance from the cybersecurity consultancy Muddy Waters hired in response to the lawsuit.
"Just understand that the FDA and DHS do need to get the ground truth, that security researcher claims do need to be validated through the normal regulatory process," he says.
Editor's note: This story was updated after publication to clarify the timing of draft federal regulations for medical device security. An earlier version of the story also incorrectly attributed a quote regarding cybersecurity in St. Jude devices to a MedSec official.