Just a few months ago, I highlighted the fact that many medical devices at hospitals and health-care institutions were accessible and often open to attack from the Internet. When this kind of news gets reported, it often spurs organizations into action, to secure their equipment. However, in a new twist, security researchers decided to take a different approach to teaching a medical device supplier a lesson in securing their equipment.
Vulnerabilities were recently discovered within a line of implantable devices supplied by medical equipment manufacturer St. Jude’s Medical. The products are known as the Merlin@home line of implantable pacemakers, defibrillators and other cardiac devices. Subsequent to the report’s release, St. Jude’s Medical released a statement, saying that their devices are secured with multiple layers of safeguards. However, the research company MedSec claims that Merlin@home products that use wireless mechanisms to control implanted devices are susceptible to remote, wireless attacks from up to 50 feet away, which could cause device malfunctions and premature battery depletion.
How do you make sure the manufacturer takes action to fix a security problem? Maybe bet against their stocks?
Interestingly, instead of taking the industry standard route of disclosing the vulnerabilities immediately to the supplier before making their report public, MedSec teamed up with equity investment fund Muddy Waters Capital to short the stocks of St. Jude’s Medical. This essentially amounts to betting against the device supplier based on a belief that when the public learned about these vulnerabilities they would lose confidence and sell their stock, resulting in a decline in share price. If the price does go down, then the equity fund (and anyone else) holding a short position in the stock stands to make money from the stock’s decline.
MedSec claimed that this was the only way to be sure that the manufacturer would take action. It’s not clear at this point why MedSec thought that the more standard approach of responsible disclosure wouldn’t work with St. Jude’s Medical.
Here’s a Threatpost article on this story.
Shouldn’t there be better standards for making medical devices more secure?
Meanwhile, in related healthcare device news, the FDA is moving toward providing better security guidance for medical device manufacturers. However, it’s not a very aggressive move at this point. They are clarifying when manufacturers need to request an FDA review of their products, which includes situations when moving to wireless modes of communication. Obviously wireless communications have unique vulnerabilities relative to older, wired connections.
But the new guidelines tend to imply that if a change made to a medical device is a “cyber security improvement”, it is less likely to require an FDA review. This seems a little short-sighted, in that any change that involves security should be reviewed, to ensure that it doesn’t introduce more severe vulnerabilities than the ones it is trying to address.
What do you think?
Here’s a link to the FDA story.