A flawed medical device, a troubling response

A case involving software vulnerabilities in medical electronics reveals the inability for both the health care sector and federal regulators to swiftly address cybersecurity problems.

 

This past fall, an investment firm rattled the health care industry with unsubstantiated claims of multiple software vulnerabilities in internet-connected pacemakers and cardiac defibrillators.

But it took federal authorities who regulate medical devices four months to acknowledge only one of the alleged defects, and for the company, St. Jude Medical, to patch it.

The delayed response to a problem that could potentially put patients at risk raises many questions about why it took so long for the government to act, and what it will take for the health care industry to respond more swiftly to bugs in medical equipment increasingly connected to the internet.

"Software is never perfect and all systems still will have these flaws," says Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council and an expert on medical device security. "The question is how gracefully and collaboratively and quickly and safely can we respond to these flaws."

In this particular case, legal action as well as the unusual way the St. Jude vulnerabilities came to light may have stifled the response. A cybersecurity firm called MedSec initially discovered the problems in the St. Jude devices and tipped off the activist investment firm Muddy Waters, which publicized the flaws and advised clients to bet against the health care firm's stock. 

As a result, St. Jude lodged a defamation lawsuit against MedSec and Muddy Waters, denying many of the alleged glitches in its pacemaker and implantable defibrillator systems.

"In theory, most disclosures now should take about 60 days to get to some clarity or resolution," said Corman. "In part, because of the contentious nature and the lawyers involved in this particular one, it took about five months."

Last week, the Food and Drug Administration along with the Department of Homeland Security confirmed at least some of MedSec's findings and reported a flaw in the St. Jude @Merlin transmitter, an at-home computer that sends data from cardiac implants to the patient's medical team. The flaw could have allowed malicious hackers to remotely exhaust an implant's battery power or potentially harm the patient. 

St. Jude spokeswoman Candace Steele Flippin said in an emailed statement that following the release of Muddy Waters' claims in August, the device manufacturer "carefully reviewed the claims in these reports along with our existing plans for our cyber ecosystem," evaluated them with FDA, DHS, and outside security researchers, and then identified the improvements announced on Jan. 9 and noted further enhancements "we will be making in the coming months."

But Muddy Waters said the problems may take as long as two years to fix. Carson Block, the firm's founder, said this week the root causes of the vulnerabilities demand a change to firmware inside the St. Jude implants themselves.

The firm said in a statement, "these issues have just been given a quick fix by St. Jude with the government's blessing and cardiologists should go with other pacemaker manufacturers since they are much better on cybersecurity."

It's important to note that all the players in this medical legal drama, as well as the Veterans Affairs Department, which buys St. Jude devices, say there have been no reports of patient harm related to the cybersecurity vulnerabilities reported late August. In fact, the VA in recent months has continued paying for operations involving St. Jude  devices, according to contract documents. 

Ever since the US government and St. Jude confirmed the one flaw, the VA has been "taking steps to be sure all our patients and providers are aware of this issue and take appropriate actions to be sure that all our patients get the update for their monitor,” said Merritt Raitt, acting director of the VA National Cardiac Device Surveillance Program.

The controversy could have been partly avoided, perhaps, if St. Jude and MedSec had followed new federal regulations for medical device security that encourage manufacturers to be more proactive about addressing potential vulnerabilities. 

A week before federal regulators publicized the one St. Jude glitch on Jan. 9, they announced the completion of a 2016 draft policy that might have yielded multiple fixes in two months without anyone resorting to public shaming or legal action.

On Jan. 4, DHS circulated the final Food and Drug Administration (FDA) cybersecurity guidelines for monitoring networked medical devices on the market that threaten manufacturers with penalties such as a recall unless they cooperate with bug hunters to patch vulnerabilities within 60 days.

Corman recommends that providers, including VA, heed all the literature that's been published on the St. Jude glitches, including a DHS technical advisory, FDA security communication, MedSec report, and guidance written by Bishop Fox, a cybersecurity consultancy Muddy Waters hired in response to the lawsuit.

"Just understand that the FDA and DHS do need to get the ground truth, that security researcher claims do need to be validated through the normal regulatory process," he says.

Editor's note: This story was updated after publication to clarify the timing of draft federal regulations for medical device security. An earlier version of the story also incorrectly attributed a quote regarding cybersecurity in St. Jude devices to a MedSec official.