The Big Short: Security Flaws Fuel Bet Against St. Jude

chicksdaddy writes: "Call it The Big Short -- or maybe just the medical device industry's 'Shot Heard Round The World': a report from Muddy Waters Research recommends that its readers bet against (or 'short') St. Jude Medical after learning of serious security vulnerabilities in a range of the company's implantable cardiac devices," The Security Ledger reports. "The Muddy Waters report on St. Jude's set off a steep sell off in St. Jude Medical's stock, which finished the day down 5%, helping to push down medical stocks overall. The report cites the 'strong possibility that close to half of STJ's revenue is about to disappear for approximately two years' as a result of 'product safety' issues stemming from remotely exploitable vulnerabilities in STJ's pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude's Merlin at home remote patient management platform, said Muddy Waters. The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude's ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed. In an e-mail statement to Security Ledger, St. Jude's Chief Technology Officer, Phil Ebeling, called the allegations 'absolutely untrue.' 'There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin at home and on all our devices,' Ebeling said."

More controversial: MedSec CEO Justine Bone acknowledged in an interview with Bloomberg that her company did not first reach out to St. Jude to provide them with information on the security holes before working with Muddy Waters. Information security experts who have worked with the medical device industry to improve security expressed confusion and dismay. "If safety was the goal then I think (MedSec's) execution was poor," said Joshua Corman of The Atlantic Institute and I Am The Cavalry. "And if profit was the goal it may come at the cost of safety. It seems like a high stakes game that people may live to regret."

We're all giant security flaws from birth

[JoeMerchant]

You're born: without constant care you will die, you have to be provided with food, shelter and all manner of special care - your head flops around if you aren't held properly.

When we're more mature, we're still not bullet proof, knife proof, or able to withstand a sudden stop in the vehicles we travel in, there's a long list of chemical poisons that can kill, fast or slow, many undetectable - sudden death is a possibility during virtually every hour of every day. All it takes is a bad actor to point a gun, or crossbow, or speeding car in our direction and BOOM, we're dead, or worse, in an instant.

We sleep in houses with glass windows, we congregate in large public gatherings, we invite mass murder and mayhem all the time. A single bad actor can kill hundreds with no special resources or skills.

So, what's so scary about a pacemaker that can "be hacked" by someone with enough time and determination? Is it that they might get away with it untraceably? Hardly likely. With all the time and effort that would go into this sort of hack, you could literally commit "the perfect murder" a dozen different ways - many of them less likely to lead back to the perpetrator. If people start dying of hacked pacemakers, the FBI will start by looking at ex-employees of the company, related companies, and "white hat" outfits like in the article. It's a relatively small group, compared to people who might have access to sodium cyanide, or a handgun and a car.

Having said all that, it is past time for medical device companies to start at least "closing the window" on nefarious hackability of their devices, which is why the FDA released cybersecurity guidance a couple of years back.