It’s just rare that all these things come together in a real-life event, as they have with the St. Jude Medical pacemaker-hacking debacle. And it’s even more awful when someone dies in the background as companies fight over press coverage, hacks and cash — which is exactly the twist that happened this week.
If you’re not familiar with the story, here’s the light version.
Last August, short-selling firm Muddy Waters and its business partner, security company MedSec Holdings, released a set of scathing and hotly contested findings. The report said St. Jude Medical’s pacemakers and implantable heart devices have critical security flaws.
Rather than the standard disclosure process, in which researchers go to the manufacturer first so they have an opportunity to fix and patch the flaws, both MedSec and Muddy Waters went public. As in, to the press. Where MedSec admitted that its payment for the damning security findings on St. Jude Medical was tied to Muddy’s profits.
Muddy Waters founder Carson Block gave investors — and press — a report warning “that tens of thousands of Americans are living with ticking time bombs: St. Jude pacemakers and defibrillators that are easily compromised, causing potentially fatal disruptions.”
Even though that is still in the realm of Hollywood and CSI: Cyber fantasy, Block went on Bloomberg TV spreading some serious fear. “The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction.” He added that St. Jude Medical “should stop selling these devices until it has developed a new secure communication protocol.”
While there have been documented cases of police investigations supported by pacemaker surveillance, there have been no documented cases of mass pacemaker hacking.
The report hit the news, and shares of St. Jude immediately fell 5 percent. St. Jude Medical called the Muddy Waters report “false and misleading,” saying most of the findings applied to older and unpatched versions of its devices.
In a blog post, MedSec CEO Justine Bone gave a parenthetical on why it didn’t disclose to the manufacturer first, saying the company believed St Jude Medical “has known about security problems in their products since at least 2013.” But MedSec said that because the devices had such bad security, it believed going to the press and Muddy Waters was “the only way to spur St Jude Medical into action.”
“For the past 18 months, our team has been quietly evaluating the security of various medical devices,” wrote Ms. Bone. She continued: “One company, St Jude Medical, has stood out as lagging far behind. For years this company has continued to put patients at risk by profiting from the sale of devices and a device ecosystem which has little to no built-in security.”
Some in infosec said the researchers were endangering patients and behaving unethically by not telling St. Jude Medical about the problems first. Debates raged about responsibility, disclosure and the role of the press. Some wondered if the findings were reproducible, and called for independent audits to objectively determine what was really going on — some researchers even had conflicting findings.
Ultimately, St. Jude Medical’s stock plunged as much as 10 percent in the aftermath. The company launched a lawsuit against MedSec and Muddy Waters, and the three firms skirmished in the press again when MedSec’s findings were allegedly reproduced by security firm Bishop Fox. What’s more, the second set of researchers claimed they could take over the pacemakers at a distance of around 10 feet.
At the time of the Muddy Waters press drama, the Food and Drug Administration declined to comment on St. Jude’s devices.
Now the FDA has something to say, and it looks like MedSec was right. According to a scathing letter from the FDA, St. Jude Medical knew about grave security issues in its implantable medical devices as early as 2014 “but failed to address them with software updates or by replacing those devices.”
The government concluded that St. Jude Medical, “time and again, failed to adhere to internal security and product-quality guidelines, a lapse that resulted in at least one patient death.”
Despite learning about vulns in its April 2014 security tests from a hired third party, St. Jude Medical “failed to accurately incorporate the findings of that assessment” in subsequent risk evaluations for its devices. The FDA said one of the serious flaws is a “hardcoded universal unlock code” for the company’s High Voltage heart implants.
St. Jude Medical parent company Abbott responded with a statement saying that “patient safety comes first” and it “takes these matters seriously, continues to make progress on our corrective actions, will closely review FDA’s warning letter, and are committed to fully addressing FDA’s concerns.”
“It is refreshing to see the disclosure,” Bone told press. “St. Jude Medical, for the first time, publicly acknowledge that they knew about [the security risks], but continued to sell these products and have them implanted in patients,” she said.
I’ll be honest: I didn’t want to revisit the Muddy Waters, MedSec and St. Jude story. Going to the press before actually working for a fix isn’t really a clever stick, and it’s certainly not an effective one when there’s no carrot. And then to see that bad behavior rewarded by a too-little-too-late FDA spanking…
It’s a good reminder of why infosec’s limelight addiction makes me sick. Making hack-scare headlines for profit about a situation in which someone actually died is repulsive.
And I don’t know about you, but I scream into the wind every week right here on these pages wishing it wasn’t happening. Not like this. I write hoping no one dies in the middle of a story where hackers say they want fixes, but maybe they’re in it more for the cash-headlines-fame, and we can no longer determine what it looks like when they really do care.
REUTERS/Brendan McDermid (St. Jude Medical stock)