Cybersecurity firm stirs controversy in alleging medical device flaws

The firm MedSec went to an investment advisory firm instead of medical device maker St. Jude to disclose potential security vulnerabilities.

Photo caption: Ticker and trading information for St. Jude Medical displayed on the floor of the New York Stock Exchange. (Brendan McDermid/Reuters)

August 26, 2016

In an apparent first, the investment firm Muddy Waters Capital on Thursday relied on cybersecurity research to recommend that investors bet against a major medical device maker's stock.

Muddy Waters issued a detailed litany of serious-sounding – but unconfirmed – flaws affecting a range of devices that St. Jude Medical Inc. manufactures. St. Jude said the flaws apparently uncovered by the cybersecurity firm MedSec were "absolutely untrue." Still, the company's stock price dipped 5 percent Thursday and was trading in negative territory Friday.

Regardless of the veracity of MedSec's findings, its decision to reveal its research to investment advisors rather than to St. Jude or to Food and Drug Administration (FDA) regulators opens a new and uncertain chapter in the relationship between industry, investors, and security researchers.


"I recognize that this is new territory," MedSec Chief Executive Officer Justine Bone told Passcode. But, she said, "conventional thinking" about how to report security holes in products didn’t seem promising in getting the issues addressed.

"We believed that St. Jude would not act responsibly and that could further delay mitigation. We believe the path we’ve taken is the fastest way to deliver that mitigation," Ms. Bone said.

Her company's research that revealed the apparent St. Jude flaws was part of an extensive study of medical device security. While that work surfaced security concerns across device makers, she said, the problems it found in St. Jude products were more numerous and serious.

"There was one manufacturer who was far behind in a wide range of areas, from application security to authentication to data encryption to antitamper protections. That manufacturer was St. Jude," she said.

Bone said MedSec was also wary of St. Jude's reputation within the security industry. The company's products have been the subject of scrutiny before over security flaws. In 2014, the Department of Homeland Security named St. Jude as selling devices that contained suspected vulnerabilities.

Muddy Waters did not respond to multiple requests for comment.  

In response to the MedSec allegations and Muddy Waters report, St. Jude said in a statement from its chief technology officer Phil Ebeling that the company conducts "security assessments on an ongoing basis and work with external experts ... on all our devices."

But Bone contends the security flaws MedSec found should have been obvious to St. Jude. "These findings are not rocket science," she said. "We know what the state of the art in security research is, and this isn't that."

Still, many other cybersecurity experts have come out against the firm's tactics.

"I’m worried," said Joshua Corman, director of the Cyber Statecraft Initiative at The Atlantic Council and a cofounder of I Am The Cavalry, a group that fosters communication and interaction between security researchers and industry.

"This kind of act of disclosure enables adversaries to have a tactical advantage," he said. Unlike laptops or servers running Microsoft Windows, he said, St. Jude devices are implanted in patients and can’t easily be replaced.  

Beyond that, Corman said, MedSec's decision to work with an investment firm risks undermining the already tenuous connections between security researchers and the health care industry.

"When you see something like this, it provokes an antibody response," Corman said. "It allows people to regress to fear that 'we have to lawyer up when we see a researcher.'"

In recent years, the FDA has taken a more active role in pushing medical device makers to improve the security of their products. In January, it issued guidance to manufacturers for the management of cybersecurity in medical devices. In March, it issued a Safety Communication regarding vulnerabilities in some models of drug infusion pump sold by the firm Hospira.

Security experts contacted by Passcode agreed that there was far more work to be done by medical device makers, regulators, and the security community to ensure that products are secure by design and resistant to even determined attacks aimed at subverting the operation of the device.

"Standards for implementation practices in the industry ... would both reduce the likelihood of such vulnerabilities and provide firms with a way to defend themselves from assertions of weaknesses in their technologies," said Carl Landwehr, a research scientist at George Washington University and author of "Building Code for Medical Device Software Security."

Mr. Corman said the desire to push for change is understandable. But, he said, "I look at this as a war and not a battle. The tide is turning to more secure and defensible architecture, but in the meantime we're very exposed."