Back in September 2016, St. Jude Medical Inc. sued security research firm MedSec and investment research outfit Muddy Waters, accusing them of intentionally publicising false information about its heart monitoring devices to manipulate its stock.
Muddy Waters had publicly announced during the previous month that St Jude’s pacemakers and defibrillators - used to control heart rhythm and treat cardiac arrest, had cyber-security flaws that enabled them to be hacked and manipulated, with potentially fatal consequences. The entire saga raised two major concerns:
- Cyber-criminals could threaten the integrity of financial markets, for example, by shorting stocks before attacking listed companies and pocketing illicit gains. In this instance, Medsec had taken a short position on St Jude’s stock prior to disclosing the vulnerabilities, betting on the price to decline.
- Poorly secured, internet-connected medical devices, such as St Jude’s heart monitoring devices, could be manipulated by hackers, endangering patients.
Fortunately, the US Food and Drug Administration (FDA) and the Department of Homeland Security didn’t take St Jude’s words at face value - they launched an investigation to assess the validity of its claims.
And now it appears that Medsec and Muddy Waters’ assertions, despite their motives, were correct. After a five month investigation, the FDA recently released the following statement:
The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.
As I highlighted in my recent article, most manufacturers prioritise device functionality over security. The motivations behind this approach are clear: Low product development costs, faster time to market and higher profits. In some cases, it’s just outright negligence, with manufactures adopting a “we will do it later” attitude.
Retrofitting cyber security into operational products is difficult, complex and expensive. Also, this approach is both irresponsible and short sighted. Irresponsible because neglecting security exposes human lives to risk. Short sighted because these flaws can severely dent customer trust, infuriate regulators or ultimately destroy a device manufacturer's business.
I cannot make this point too strongly: Automation is positively transforming the way health care workers deliver patient care. It also lowers operating costs for medical institutions, freeing up capital for research and other important needs.
Medical institutions should embrace innovative technologies, but they need caution as well. One way to limit their exposure is defining stringent set of “non-negotiable” cyber security requirements prior to adopting new devices, engaging experts to test the effectiveness of these controls prior to deployment and ensuring suppliers remain committed to long term security of their products. Regulators also have a significant part to play, specifically mandating cyber security certification requirements for all vital medical devices.
Its comforting that both the FDA and St Jude's confirmed that there have been no reports of patient harm related to these cyber-security flaws or vulnerabilities. However, these significant discoveries should serve as a call to action.