Medical device security ignites an ethics firestorm

Security firm MedSec tried to use its research findings to drive down the stock of St. Jude Medical

One security research company is taking a controversial approach to disclosing vulnerabilities: It’s publicizing the flaws as a way to tank a company’s stock.

The security firm, MedSec, made news on Thursday when it claimed that pacemakers and other health care products from St. Jude Medical contain vulnerabilities that expose them to hacks.

However, MedSec is also cashing in on the disclosure by partnering with an investment firm that’s betting against St. Jude Medical’s stock.

The whole affair is raising eyebrows around the security community. It may be the first time someone has tried to get compensated for discovering vulnerabilities by shorting a stock, said Casey Ellis, CEO of Bugcrowd, a bug bounty platform.

That approach raises ethical issues because MedSec first disclosed the problems to the investment firm instead of to St. Jude Medical, which might have fixed them had it known.

“I think this could absolutely put patients in harm’s way,” said Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council think tank.

Raising awareness or a cash grab?

St. Jude Medical has dismissed MedSec's allegations as untrue. On Friday, the company issued a lengthy statement pointing to what it called flaws in the research claims.

Still, St. Jude Medical’s stock has fallen by about 5 percent since the vulnerabilities were made public.

MedSec has been defending its actions. The Florida-based company has spent the last 18 months looking at security flaws in medical devices across the major manufacturers.

“St. Jude Medical stood out, far and away, as severely deficient when it comes to security protections," CEO Justine Bone said in a Bloomberg interview.

But MedSec said it didn't tell St. Jude Medical because the company has a history of ignoring security issues, despite past regulatory action.

“We felt notifying the company would simply give it a chance to prepare its ‘messaging’ in an effort to sweep this under the rug,” MedSec said in an email.

However, the security firm didn't do its research for free. Muddy Waters Capital is the investment firm that has shorted St. Jude Medical's stock. It is paying MedSec a licensing fee and a share of the profits from that short position as compensation for the research.

“Of course, we are looking to recover our costs here,” Bone said in the Bloomberg interview.

Unintended side effects

Not everyone agrees with MedSec's approach. Some have called it dangerous and fear that attackers may now target products from St. Jude Medical.

“How disclosure happens is critical,” Corman said. “If we bring too much attention to these vulnerabilities, adversaries may want to target them.”

Nevertheless, it’s no secret that many medical devices on the market have flaws, said Corman, who is also the co-founder of I Am The Cavalry, a security advocacy group. The healthcare industry has been working to reform itself after years of little regulatory guidance, he said.

But disclosing a defect in a pacemaker isn’t as simple as finding a flaw in a website. “These are flaws in a product that are being put in a human being’s chest,” Corman said. “You would need surgery to remove them.”

He’s questioning why MedSec didn’t work through U.S. regulators, including the Food and Drug Administration, to address the alleged problems. Patients and hospitals then could have been properly notified.

In its defense, MedSec claims St. Jude Medical can take certain measures to immediately minimize the security risks. It also says that it informed the FDA prior to Thursday's disclosure.

Time to worry?

It's not clear whether patients should be worried. Although MedSec is warning the public, the FDA is still investigating the issue.

“At the present time, patients should continue to use their devices as instructed and not change any implanted device,” the FDA said on Friday.

Corman also said that despite the security risks, implanted medical devices save far more lives than they jeopardize. In addition, St. Jude Medical says most of the alleged vulnerabilities are only found in older versions of a patient-monitoring product that did not receive automatic updates.

Still, the incident is forcing the security industry to take a closer look at its practices.

“Is it right to profit off what is fundamentally a safety risk?” Bugcrowd's Ellis said. He wonders if an event like this could hurt cooperation between security researchers and vendors and make their relationships more combative.

Javvad Malik, a security advocate at the security company AlienVault, said he empathized with researchers who were frustrated with the persistent vulnerabilities in medical devices.

“However, despite good intentions, this can set a worrying precedent,” he said in an email. He worries that other security researchers will prioritize making money over properly disclosing a vulnerability.


Stories by Michael Kan
