Modern field guide to security and privacy

Cybersecurity firm stirs controversy in alleging medical device flaws

The firm MedSec went to an investment advisory firm instead of medical device maker St. Jude to disclose potential security vulnerabilities.

|
Brendan McDermid/Reuters
Ticker and trading information for St. Jude Medical displayed on the floor of the New York Stock Exchange.

In an apparent first, the investment firm Muddy Waters Capital on Thursday relied on cybersecurity research to recommend that investors bet against a major medical device maker's stock.

Muddy Waters issued a detailed litany of serious-sounding – but unconfirmed – flaws affecting a range of devices that St. Jude Medical Inc. manufactures. St. Jude said the flaws apparently uncovered by the cybersecurity firm MedSec were "absolutely untrue." Still, the company's stock price dipped 5 percent Thursday and was trading in negative territory Friday.

Regardless of the veracity of MedSec's findings, its decision to reveal research to investment advisors and not to St. Jude or Food and Drug Administration (FDA) regulators opens a new and uncertain chapter in the relationship between industry, investors, and security researchers.

"I recognize that this is new territory," MedSec Chief Executive Officer Justine Bone told Passcode. But, she said, "conventional thinking" about how to report security holes in products didn’t seem promising in getting the issues addressed.

"We believed that St. Jude would not act responsibly and that could further delay mitigation. We believe the path we’ve taken is the fastest way to deliver that mitigation," Ms. Bone said.

Her company's research that revealed the apparent St. Jude flaws was part of an extensive study of medical device security. While that work surfaced security concerns across device makers, she said, the problems it found in St. Jude products were more numerous and serious.

"There was one manufacturer who was far behind in a wide range of areas, from application security to authentication to data encryption to antitamper protections. That manufacturer was St. Jude," she said.

Bone said MedSec was also wary of St. Jude’s reputation within the security industry. The company’s products have been the subjects of scrutiny before over security flaws. In 2014, the Department of Homeland security named St. Jude as selling devices that contained suspected vulnerabilities. 

Muddy Waters did not respond to multiple requests for comment.  

In response to the MedSec allegations and Muddy Waters report, St. Jude said in a statement from its chief technology officer Phil Ebeling that the company conducts "security assessments on an ongoing basis and work with external experts ... on all our devices."

But Bone contends the security flaws MedSec founds should have been obvious to St. Jude. "These findings are not rocket science," she said. "We know what the state of the art in security research is, and this isn’t that."

Still, many other cybersecurity experts have come out against the firm's tactics.

"I’m worried," said Joshua Corman, director of the Cyber Statecraft Initiative at The Atlantic Council and a cofounder of I Am The Cavalry, a group that fosters communication and interaction between security researchers and industry.

"This kind of act of disclosure enables adversaries to have a tactical advantage," he said. Unlike laptops or servers running Microsoft Windows, he said, St. Jude devices are implanted in patients and can’t easily be replaced.  

Beyond that, Corman said, MedSec's decision to work with an investment firm risks undermining already tenuous connections between the security researchers and the health care industry. 

"When you see something like this, it provokes an antibody response," Corman said. "It allows people to regress to fear that 'we have to lawyer up when see a researcher.' "

In recent years, the FDA has taken a more active role in pushing medical device makers to improve the security of their products. In January, it issued guidance to manufacturers for the management of cybersecurity in medical devices. In March, it issued a Safety Communication regarding vulnerabilities in some models of drug infusion pump sold by the firm Hospira.

Security experts contacted by Passcode agreed that there was far more work to be done by medical device makers, regulators, and the security community to ensure that products are secure by design and resistant to even determined attacks aimed at subverting the operation of the device.

"Standards for implementation practices in the industry ... would both reduce the likelihood of such vulnerabilities and provide firms with a way to defend themselves from assertions of weaknesses in their technologies," said Carl Landwehr, a research scientist at George Washington University and author of “Building Code for Medical Device Software Security.

Mr. Corman said the desire to push for change is understandable. But, he said, "I look at this as a war and not a battle. The tide is turning to more secure and defensible architecture, but in the meantime we're very exposed."

 

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Cybersecurity firm stirs controversy in alleging medical device flaws
Read this article in
https://www.csmonitor.com/World/Passcode/2016/0826/Cybersecurity-firm-stirs-controversy-in-alleging-medical-device-flaws
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe