The Big Short: Alleged Security Flaws Fuel Bet Against St. Jude Medical

A firm’s report calling on investors to short St. Jude because of security flaws in its implantable medical devices is likely to reignite a firestorm of debate between security researchers and the medical community.

In-brief: The stock of medical device maker St. Jude plunged by 5% on Thursday after a report called for investors to bet against (or “short”) the company’s stock over serious security vulnerabilities in a range of the company’s implantable cardiac devices.

Call it The Big Short – or maybe just the medical device industry’s “Shot Heard Round The World”: a report from Muddy Waters Research recommends that its readers bet against (or “short”) St. Jude Medical after learning of serious security vulnerabilities in a range of the company’s implantable cardiac devices.

The Muddy Waters report on St. Jude set off a steep sell-off in St. Jude Medical’s stock, which finished the day down 5%, helping to push down medical stocks overall. The report cites the “strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years” as a result of “product safety” issues stemming from remotely exploitable vulnerabilities in STJ’s pacemakers, implantable cardioverter defibrillators (ICDs), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude’s Merlin@home remote patient management platform, said Muddy Waters.

The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude’s ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed.

“Muddy Waters, which is short St. Jude, and Medsec believe the company’s cybersecurity precautions and standards are grossly inadequate compared with other leading manufacturers, and have led to a security situation significantly more worrying than prior medical device hacks that have been publicly discussed but unverified. The product safety issues presented in the report describe unnecessary health risks and should receive serious notice among hospitals, regulators, physicians and cardiac patients,” MedSec said in a statement.

“It seems like a high stakes game that people may live to regret.” – Joshua Corman, I Am The Cavalry

In an e-mail statement to Security Ledger, St. Jude’s Chief Technology Officer, Phil Ebeling, called the allegations “absolutely untrue.” “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@ home and on all our devices,” Ebeling said.

Muddy Waters said that it had been shown, and had recreated, demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”). One was described as a “crash” attack that causes Cardiac Devices to malfunction, including by apparently pacing at a potentially dangerous rate; the other was a battery drain attack that could be particularly harmful to device-dependent users.

Muddy Waters and its founder, Carson Block, said that while the St. Jude vulnerabilities weren’t the first to be discovered in implantable medical devices, the firm considered them more serious than previous discoveries by “orders of magnitude.” “These attacks take less skill, can be directed randomly at any STJ Cardiac Device within a roughly 50 foot radius, theoretically can be executed on a very large-scale, and most gallingly, are made possible by the hundreds of thousands of substandard home monitoring devices STJ has distributed,” Muddy Waters said in a statement. “The STJ ecosystem, which consists of Cardiac Devices, STJ’s network, physician office programmers, and home monitoring devices, has significant vulnerabilities. These vulnerabilities highly likely could be exploited for numerous other types of attacks.”

The report and the resulting drop in St. Jude’s stock price are likely to stir an already bubbling pot in the medical device industry, which has struggled to come to grips with increasing scrutiny from both regulators and independent security researchers in recent years. [You can read Security Ledger’s coverage of medical device (in)security here.]

Contacted by Security Ledger, Dr. Kevin Fu, CEO of the firm Virta Labs and a faculty member at the University of Michigan’s Archimedes Center for Medical Device Research, noted in an email that the U.S. Food and Drug Administration (FDA) has posted instructions calling for “coordinated disclosure” of medical device flaws. Fu said he did not know if those guidelines were followed by MedSec prior to disclosure.

In an interview on Bloomberg, MedSec CEO Justine Bone said that no prior warning was given to St. Jude because the firm had not responded to earlier reports and fixed holes discovered by prior independent security researchers.

“St. Jude Medical stood out, far and away, as severely deficient in terms of security protections,” Bone said. “We were shocked.” St. Jude has a track history of “sweeping issues such as these under the carpet” that justified going around the vendor by disclosing its research to Block and Muddy Waters, she said.

“What we’re interested in achieving here is mitigations,” Bone said in response to questions. “Carson has a track history of holding large companies accountable. That’s why we’re partnering with Muddy Waters.”

Protocols aside, MedSec’s decision to disclose its findings to Muddy Waters and to look to a market-based mechanism to force change from St. Jude has reignited a smoldering debate about how and when information on security holes in critical systems should be disclosed.

“My phone’s been ringing off the hook,” said Joshua Corman of The Atlantic Institute and the founder of I Am The Cavalry, a group that has promoted close coordination between critical industries and the information security researcher community. “I think there are real fears that this is going to set things back and undermine the progress we’ve made.”

Corman notes that progress has been made in holding medical device makers accountable. The FDA, for example, has directed hospitals to stop using certain models of Hospira drug infusion pumps because of exploitable software holes that have been left unpatched – a first for the industry. Those warnings were echoed by the Department of Homeland Security’s Industrial Control System CERT.

Even companies that are very responsive to the work of security researchers must contend with a customer install base full of legacy devices that lack adequate, or any, cyber security protections. Vulnerable systems running Windows XP are very common in clinical environments, Corman said, and it may take years for those systems to be replaced by updated and more secure versions of the same product.

He said that even without the technical details from MedSec, enough information may be gleaned from Muddy Waters’ 30-page report to reproduce the issues MedSec discovered. The disclosure of so much information on implanted devices that could cause direct harm to patients is deeply concerning, he said.

“If safety was the goal then I think (MedSec’s) execution was poor. And if profit was the goal it may come at the cost of safety,” Corman said. “It seems like a high stakes game that people may live to regret.”


3 Comments

  2. The business impact, such as what happened to St. Jude Medical today, is the topic of a panel at the Security of Things Forum on September 22 (www.securityofthings.com). The identification of vulnerabilities, response of companies, public affairs, regulatory fines and the value of companies are all part of the IoT equation.