For obvious reasons, privacy and security concerns are of paramount importance when it comes to connected medical devices, and one medical device manufacturer, St. Jude Medical, is learning that potential problems with connected devices can be more than just a PR headache.
On Thursday, investment firm Muddy Waters Capital published a research report claiming that St. Jude’s Merlin@home device contained a security vulnerability that could potentially leave individuals with those implanted devices at risk from remote cyber attackers.
In the report, Muddy Waters’ Carson Block suggested that patients using potentially vulnerable devices should disable connectivity for their implanted devices and that St. Jude should issue a recall.
Since nearly half of St. Jude’s revenue comes from the allegedly affected devices, Block argued in his report that St. Jude could see its revenue plummet over the next two years, the length of time he believes it would take for the company to fix the problem and handle a recall.
Not surprisingly, shares of St. Jude stock dropped, and trading in them was temporarily halted.
The company’s share price recovered after it issued a statement disputing Muddy Waters’ claims, calling them “false and misleading,” but the Food and Drug Administration (FDA) confirmed Friday that it will be looking into the matter with the Department of Homeland Security.
More than just a PR problem
One of Muddy Waters’ claims, that St. Jude’s implanted pacemakers could have their batteries drained by a remote attacker 50 feet away, is, for obvious reasons, concerning.
St. Jude says that such claims are meritless, noting that its implanted devices only have a wireless range of seven feet after they are implanted.
University of Michigan researchers who have tried to exploit the vulnerabilities claimed by Muddy Waters said the “evidence does not support [Muddy Waters’] conclusions.”
But Muddy Waters counters that in the name of responsible disclosure, it did not release all of the details of the vulnerabilities.
Two of St. Jude’s pacemaker products
Needless to say, it’s far too early to make a judgment here and, ultimately, the FDA’s investigation will establish whether the claims leveled by Muddy Waters are legitimate.
If they are, they could threaten the pending $25bn acquisition of St. Jude by Abbott Laboratories, so the stakes are high.
Whatever the final outcome, the situation is a wake-up call to companies manufacturing connected medical devices.
That’s because, as detailed by Bloomberg’s Jordan Robertson and Michael Riley, the Muddy Waters vs. St. Jude battle “reveals a new front in hacking for profit.”
Muddy Waters didn’t identify potential vulnerabilities in St. Jude’s devices.
They were discovered by MedSec, a cybersecurity startup, which approached the investment firm and proposed a partnership in which MedSec would give its evidence to Muddy Waters and share in the profits if Muddy Waters was able to drive St. Jude’s share price down.
As Robertson and Riley note, “bringing this kind of information to an investment firm is highly unorthodox.”
Typically, security researchers make money by bringing vulnerabilities to the attention of the companies responsible for them in exchange for monetary compensation and/or public recognition.
Alternatively, unscrupulous researchers sell the vulnerabilities they find on the black market.
MedSec’s CEO, Justine Bone, said that:
As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts.
So she decided not to bring the issue to St. Jude’s attention.
We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing.
We partnered with Muddy Waters because they have a great history of holding large corporations accountable.
While MedSec’s decision is sparking debate over the ethics of security researchers, the message to companies that are involved with connected devices involving health and medicine is clear: Privacy and security must be top of mind, because lapses in either have the potential to cause real wounds, not just PR scrapes.
Interests with sophisticated tools, big bank accounts and media megaphones are increasingly going to be looking for problems, and when they think they find them, they’re going to look to inflict damage, even if it’s in the name of accountability.