How serious are the flaws in St. Jude Medical's IoT medical devices?
MedSec and Muddy Waters Capital revealed serious flaws in IoT medical devices manufactured by St. Jude Medical. Expert Nick Lewis explains the severity of these vulnerabilities.
Medical researchers at MedSec announced through private equity firm Muddy Waters Capital that thousands of St. Jude Medical's Merlin@home cardiac devices have serious security flaws. The report claims that pacemakers, defibrillators and other devices can be attacked and caused to malfunction or fail. How serious are the potential vulnerabilities in these IoT medical devices? Was MedSec's announcement ethical, considering the dangers of medical device hacking to patients?
The ethics of vulnerability disclosure are frequently debated when someone does something unique or new with the announcement of a vulnerability. MedSec's announcement in August through private equity firm Muddy Waters Capital was intended to short St. Jude Medical's stock. Major security issues or data breaches don't frequently cause long-term disruption to share prices, but they may cause a short-term drop, which could be how Muddy Waters Capital tried to profit from this announcement.
The ethics of the situation are unclear, as many security researchers announce vulnerabilities publicly to ensure the public is aware of the issue and can take action. In the case of medical devices, the U.S. Food and Drug Administration (FDA) has established policies for recalls, but the FDA's engagement with internet of things (IoT) medical devices has been complicated.
The risks around IoT medical devices began gaining media attention when doctors disabled the wireless functionality in former U.S. Vice President Dick Cheney's pacemaker to prevent it from being hacked.
The specific risks to enterprises using St. Jude Medical's Merlin@home cardiac devices were unclear at first; a different set of researchers from the University of Michigan could not conclusively reproduce MedSec's findings. However, IT security consulting firm Bishop Fox later conducted research and offered expert witness testimony showing that the cardiac devices had "serious security vulnerabilities" that could allow attackers to disable the devices or deliver electric shocks to patients.
The vulnerabilities included flaws in the encryption of the radio frequency protocol used by St. Jude Medical, as well as a backdoor to the devices that Bishop Fox said was "relatively easy to discover."
Several months after the disclosure, St. Jude Medical issued security patches for the vulnerabilities.
Enterprises using IoT medical devices should evaluate the IT aspects as thoroughly as other aspects of the device. As part of this evaluation, enterprises can use the Manufacturer Disclosure Statement for Medical Device Security.