Modern field guide to security and privacy

A flawed medical device, a troubling response

A case involving software vulnerabilities in medical electronics reveals the inability of both the health care sector and federal regulators to address cybersecurity problems swiftly.


Brendan McDermid/Reuters
The ticker and trading information for St. Jude Medical displayed on the floor of the New York Stock Exchange on April 28, 2016.

This past fall, an investment firm rattled the health care industry with unsubstantiated claims of multiple software vulnerabilities in internet-connected pacemakers and cardiac defibrillators.

But it took federal authorities who regulate medical devices four months to acknowledge only one of the alleged defects, and for the company, St. Jude Medical, to patch it.

The delayed response to a problem that could potentially put patients at risk raises many questions about why it took so long for the government to act, and what it will take for the health care industry to respond more swiftly to bugs in medical equipment increasingly connected to the internet.

"Software is never perfect and all systems still will have these flaws," says Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council and an expert on medical device security. "The question is how gracefully and collaboratively and quickly and safely can we respond to these flaws."

In this particular case, legal action as well as the unusual way the St. Jude vulnerabilities came to light may have stifled the response. A cybersecurity firm called MedSec initially discovered the problems in the St. Jude devices and tipped off the activist investment firm Muddy Waters, which publicized the flaws and advised clients to bet against the health care firm's stock.

As a result, St. Jude lodged a defamation lawsuit against MedSec and Muddy Waters, denying many of the alleged glitches in its pacemaker and implantable defibrillator systems.

"In theory, most disclosures now should take about 60 days to get to some clarity or resolution," said Corman. "In part, because of the contentious nature and the lawyers involved in this particular one, it took about five months."

Last week, the Food and Drug Administration along with the Department of Homeland Security confirmed at least some of MedSec's findings and reported a flaw in the St. Jude @Merlin transmitter, an at-home computer that sends data from cardiac implants to the patient's medical team. The flaw could have allowed malicious hackers to remotely exhaust an implant's battery power or potentially harm the patient.

St. Jude spokeswoman Candace Steele Flippin said in an emailed statement that following the release of Muddy Waters' claims in August, the device manufacturer "carefully reviewed the claims in these reports along with our existing plans for our cyber ecosystem," evaluated them with FDA, DHS, and outside security researchers, and then identified the improvements announced on Jan. 9 and noted further enhancements "we will be making in the coming months."

But Muddy Waters said the problems may take as long as two years to fix. Carson Block, the firm's founder, said this week the root causes of the vulnerabilities demand a change to firmware inside the St. Jude implants themselves.

The firm said in a statement, "these issues have just been given a quick fix by St. Jude with the government's blessing and cardiologists should go with other pacemaker manufacturers since they are much better on cybersecurity."

It's important to note that all the players in this medical legal drama, as well as the Veterans Affairs Department, which buys St. Jude devices, say there have been no reports of patient harm related to the cybersecurity vulnerabilities reported in late August. In fact, the VA in recent months has continued paying for operations involving St. Jude devices, according to contract documents.

Ever since the US government and St. Jude confirmed the one flaw, the VA has been "taking steps to be sure all our patients and providers are aware of this issue and take appropriate actions to be sure that all our patients get the update for their monitor," said Merritt Raitt, acting director of the VA National Cardiac Device Surveillance Program.

The controversy could have been partly avoided, perhaps, if St. Jude and MedSec had followed new federal regulations for medical device security that encourage manufacturers to be more proactive about addressing potential vulnerabilities.

A week before federal regulators publicized the one St. Jude glitch on Jan. 9, they announced the completion of a 2016 draft policy that might have yielded multiple fixes in two months without anyone resorting to public shaming or legal action.

On Jan. 4, DHS circulated the final Food and Drug Administration (FDA) cybersecurity guidelines for monitoring networked medical devices on the market that threaten manufacturers with penalties such as a recall unless they cooperate with bug hunters to patch vulnerabilities within 60 days.

Corman recommends that providers, including VA, heed all the literature that's been published on the St. Jude glitches, including a DHS technical advisory, FDA security communication, MedSec report, and guidance written by Bishop Fox, a cybersecurity consultancy Muddy Waters hired in response to the lawsuit.

"Just understand that the FDA and DHS do need to get the ground truth, that security researcher claims do need to be validated through the normal regulatory process," he says.

Editor's note: This story was updated after publication to clarify the timing of draft federal regulations for medical device security. An earlier version of the story also incorrectly attributed a quote regarding cybersecurity in St. Jude devices to a MedSec official.