Video on Alleged Medical Device Flaws Stirs Controversy
Tactics of Investment Firm, Researchers in Attacking St. Jude Medical Questioned
Story has been updated to include FDA response.
Investment firm Muddy Waters Capital and security research start-up MedSec Holdings are again stirring up controversy, this time by releasing a video spotlighting more alleged cybersecurity flaws in St. Jude Medical cardiac devices.
Back in August, the investment firm issued a report saying it was placing a short-sell bet that St. Jude Medical's stock price would fall based on the findings by startup cybersecurity research firm MedSec of "key vulnerabilities" in the manufacturer's implantable pacemaker and defibrillator devices that can allegedly be exploited by low-level hackers.
The video released on Oct. 19 on a new Muddy Waters website, ProfitsOverPatient.com, invites the public to "come ... for updates to our defense against St. Jude Medical's attempt to sweep revelations about its extremely poor cybersecurity under the rug through a lawsuit."
St. Jude Medical on Sept. 7 filed a lawsuit against Muddy Waters and MedSec alleging defamation by implication, deceptive trade practices, violations of certain federal and Minnesota state statutes and civil conspiracy (see St. Jude Medical Files Lawsuit Over Device Security Report).
Muddy Waters and MedSec plan to issue an "answer" to the St. Jude Medical federal lawsuit on Oct. 24, a spokesman for the investment firm says.
In promoting the video on the website, Muddy Waters says: "Seeing is believing - the following videos demonstrate in detail four new attacks that show Merlin@homes can be made to broadcast potentially lethal commands to implantable devices."
Device Flaw Reporting Methods Questioned
After the release of the report in August, Muddy Waters and MedSec came under heavy criticism by some cybersecurity experts and others who complained that the companies potentially put patients at risk by bypassing the usual practice of notifying vendors or government agencies before going public with cybersecurity vulnerabilities found in medical devices.
Joshua Corman, a founder of I Am The Cavalry, a grassroots, not-for-profit cyber safety organization, and director of the Cyber Statecraft Initiative at the Atlantic Council, tells Information Security Media Group that, with its new video, Muddy Waters again appears to have bypassed notifying regulators before going public with potential medical device security and patient safety findings.
"Were details shared this time with the Food and Drug Administration and/or Department of Homeland Security so that a safe communication plan based on ground truth can be communicated to patients and affected stakeholders?" he asks. If not, the investment firm is "using the same scare tactics again, but that doesn't mean the findings are true," Corman contends. "If people don't have a vetted plan [to mitigate the potential risks], they may make decisions based on fear that are even more of a risk to safety."
St. Jude Responds
In a statement, St. Jude Medical says: "Muddy Waters and MedSec have once again made public unverified videos that purport to raise safety issues about the cybersecurity of St. Jude Medical devices. This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry. We take this matter very seriously and will once again work to quickly evaluate this new information."
The company notes that it's forming a cybersecurity medical advisory board of physicians "to help ensure that St. Jude Medical's cybersecurity protections continue to be innovative without jeopardizing patient care."
The medical device maker says that "patients, physicians and caregivers deserve better than the irresponsible release of information that is intended for financial gain and is unnecessarily frightening."
A Muddy Waters spokesman tells ISMG: "As stated in the video, the issue with the [device] programmer is a new security flaw that was discovered as part of MedSec's ongoing research. We can't comment on what exactly has been provided to the FDA because this is an active investigation."
In a statement provided to ISMG, the FDA says it is aware of the allegations raised in the new videos made public by Muddy Waters. "We have been working closely with the Department of Homeland Security to evaluate cybersecurity vulnerabilities allegedly affecting St. Jude Medical devices to thoroughly assess all the claims. Based on information available to the FDA at this time, we recommend that patients continue to use their devices as directed by their doctor because the benefits of the devices far outweigh any potential cybersecurity vulnerabilities."
The FDA statement also notes: "The FDA strongly encourages coordinated disclosure of cybersecurity vulnerability information, which places the health of patients at the forefront. The process of coordinated disclosure as proposed in our draft guidance on Postmarket Cybersecurity of Medical Devices outlines what the agency and others in the healthcare public health and cybersecurity research community believe to be the best way to address device safety in a timely way while reducing risk to the public health. This includes medical device manufacturers and cybersecurity researchers working together in an open, trusted environment to identify, assess and remediate potential vulnerabilities.
"It also includes transparency and timeliness by medical device manufacturers in communicating with patients and healthcare professionals about known vulnerabilities and how to mitigate them. The FDA will continue to encourage this type of proactive behavior so medical device vulnerabilities can be addressed in a way that best protects patients."
Profits Over Patients?
The Profits Over Patients website and video "were set up and produced by Muddy Waters, which has a short position in St. Jude, meaning they stand to gain financially if the price of St. Jude's stock falls," the investment firm's spokesman says. "This is all pretty clearly disclosed in the video, the reports and on the site itself."
Abbott Laboratories plans to acquire St. Jude Medical for $25 billion by the end of this year. On the Profits Over Patients website featuring the new Muddy Waters video, the investment firm asks whether "St. Jude management [is] too focused on trying to sell to Abbott to know they're giving some completely wrong assurances" about the cybersecurity and safety of its devices.
Review of Claims
Since the release of the August report, independent researchers from the University of Michigan examined some of the claims made by MedSec about the security vulnerabilities that the firm allegedly found in St. Jude Medical cardiac products, and the results were inconclusive.
"The jury is still out, and we need to figure out if these vulnerabilities ... lead to clinical risk," said Kevin Fu, associate professor of electrical engineering and computer science at the University of Michigan, where he directs the Archimedes Research Center for Medical Device Security.