So far, St. Jude Medical weathering cybersecurity scrutiny

A report saying its devices lacked needed safeguards has so far proved untrue.

By Joe Carlson Star Tribune

September 3, 2016 — 2:00pm

The interrogation took place in a darkened room, a single lamp illuminating the subject in the shaky internet video.

Two faceless men can be heard discussing the process of breaking down their subject. Off camera, one narrates the plan to crack the subject's defenses. A good deal of money is on the line as the man in the video, after 15 minutes, displays the subject again, apparently broken, beaten.

The subject in the video last week was no kidnapping victim or enemy combatant. It was a Minnesota-made pacemaker.

The pacemaker's manufacturer, St. Jude Medical in Little Canada, said the hackers did not break their device as claimed. But that was after the short-seller Muddy Waters Securities publicized the supposed vulnerabilities Aug. 25 and disclosed it had made investments allowing it to profit if St. Jude's stock price tanks. The alleged wireless security vulnerability, if proved, could apply to many thousands of implanted devices.

On Thursday, private cybersecurity firm Virta Labs in Michigan published a report that analyzed Muddy Waters' claims and found them unsupported. Investors appear to be sticking with the stock for now, and doctors said they aren't making changes without more definitive evidence.

If the gambit nets a profit for Muddy Waters, med-tech security experts said more videos and reports are likely to surface, prompting questions about the legality and ethics of publishing security flaws in lifesaving devices — especially without first informing the manufacturer, which Muddy Waters did not do.

"Will it happen again? Sure," said Brian Isle, a medical device cybersecurity consultant and University of Minnesota senior fellow. If short-sellers with allegations about vulnerable medical devices "can make money off of it, they'll do it again."

David Hall, a former prosecutor whose private legal practice in Philadelphia includes cybersecurity issues, said Muddy Waters' attempt to profit by publicizing alleged security flaws appears legal — assuming the information was obtained legally and is accurate. "You could analogize it to Consumer Reports," he said.

St. Jude executives have said Muddy Waters' claims appear to be false.

"Interrogation" is the med-tech industry's term for wirelessly communicating with an implanted medical device. Usually done to read patient data and make sure a device is functioning, last week internet viewers saw a hacker interrogating a St. Jude Medical pacemaker to demonstrate a vulnerability purportedly created by gaps in its wireless security.

St. Jude officials said their product actually performed well under pressure.

Rather than crashing, the video appears to show the device going into the intended "safe mode" that was designed to ensure a device continues to work if attacked, St. Jude's Chief Technology Officer Phil Ebeling said in a statement. Independent experts and the Department of Homeland Security are working separately to evaluate the alleged problems.

Medical devices have long been said to harbor security gaps that could allow a malicious hacker to disable or disrupt the lifesaving machines.

Researchers demonstrated vulnerabilities in pacemaker security in an industry publication as early as 2008. That was one year after then-Vice President Dick Cheney received a defibrillator with its wireless communications features turned off because of security concerns.

Cybersecurity researchers have reported concerns about many medical devices to the government since then, culminating in last year's warning from the Food and Drug Administration that hospitals stop using Hospira's Symbiq drug-infusion pump because of security vulnerabilities.

The people who find security problems in medical devices often approach the manufacturers first so that the company can confirm the issue and devise solutions.

"If there is no mitigation for a discovered vulnerability, and you disclose it, you actually put more people at risk," said Mike Ahmadi, director of critical systems security at software firm Synopsys who has personally discovered cybersecurity flaws in medical devices. "We have to keep in mind that regardless of the potential inherent risks of these devices, they are indeed keeping people alive."

Muddy Waters said it has told federal officials about the alleged security vulnerabilities, while redacting key details from its public report to avoid giving attackers a "road map."

The private researchers who discovered the alleged vulnerabilities with St. Jude's heart devices said they took their concerns to a short-selling firm because they weren't confident St. Jude would address the issue. Justine Bone, CEO of Florida-based MedSec Holdings, which discovered the alleged problems, has said St. Jude knew about the security problems since at least 2013.

"In order to help address patient safety, we have chosen to depart from standard cyber security operating procedures in order to bring this to the public's attention and to ensure that St. Jude Medical responds appropriately and with urgency. We have shared our research with an investment firm, Muddy Waters Capital, that is helping us deliver this message," Bone wrote on MedSec's blog.

St. Jude officials said they partner with industry insiders to develop safeguards because of the "dynamic and changing nature of cybersecurity."

Muddy Waters, registered in California, has a track record of challenging large companies that it sees as having inflated values because of "opacity and hype," according to its website.

The firm was founded by short-seller Carson Block, whose past targets have included Chinese timber company Sino-Forest Corp. That company had a $6 billion market cap before Block called the firm a fraud and shorted the stock, eventually forcing it into bankruptcy protection.

MedSec, on the other hand, is a virtual unknown in the industry, Ahmadi said.

"Nobody who I work with knows who these people at MedSec are," Ahmadi said. "Usually before things like this hit the press, we all know about it. People talk. … This blindsided everybody. We don't know where it came from."

MedSec said it discovered the flaws during testing of several companies' devices. St. Jude's stood out for the gaping vulnerabilities, stemming from use of off-the-shelf chips, a lack of encryption in certain parts of devices, and a removable hard drive in a St. Jude communications device used to interrogate implanted St. Jude devices, according to a 34-page research report from Muddy Waters.

It might be too early to know whether Muddy Waters and MedSec acted ethically, because no regulator or independent group has validated MedSec's findings, no peer-reviewed research has been published, and no one has proved what St. Jude officials knew and when they knew it.

University of Michigan cybersecurity researcher Kevin Fu, whose team has expressed doubts about one claim in Muddy Waters' report, said the ongoing controversy has had at least one positive side effect.

"I suspect that this is going to generate some very healthy debate. I'll give them that," Fu said. "This has raised a very important debate, over how to protect the security of medical devices in the public interest, for the public good."

Joe Carlson • 612-673-4779

StarTribune

So far, St. Jude Medical weathering cybersecurity scrutiny

Tennessee lawmakers adjourn after finalizing $1.9B tax cut and refund for businesses

Net neutrality restored as FCC votes to regulate internet providers

Biden celebrates computer chip factories, pitching voters on American 'comeback'

Athletic director used AI to frame principal with racist remarks in fake audio clip, police say

Selling weight-loss and muscle-building supplements to minors in New York is now illegal