Outside cybersecurity experts corroborated in a brief recently filed in a federal court Muddy Waters' and MedSec's claim that some St. Jude Medical implantable cardiac devices, home remote transmitters, and physician programmers are vulnerable to hacking. The legal filing is the firms' defense to St. Jude’s lawsuit alleging they knowingly disseminated false information about its products to depress the devicemaker’s stock.
Security consulting firm Bishop Fox began conducting an analysis of St. Jude's devices on September 26 with a team of three Bishop Fox consultants and four "outside, well-recognized cybersecurity experts." The analysis showed the devices have "serious security vulnerabilities," according the court filing.
Strengthening cybersecurity in healthcare
The federal government has been upping its healthcare cybersecurity efforts by taking steps like awarding funds to facilities to help them respond to network breaches.
The widespread response to cybersecurity issues comes as result of the healthcare industry being considered to be at higher risk for cybercrime than others, according to corporate healthcare lawyers surveyed by Bloomberg Law and the American Health Lawyers Association. Further, cybersecurity vendor NTTSecurity reported in September the vast majority of ransomware attacks (88%) went to healthcare facilities during Q2 2016.
There are several barriers to improving cybersecurity in the U.S. healthcare system, considering investments in cybersecurity for connected medical devices remain low, and medical device-related adverse events are underreported. ABI Research argues protecting medical devices requires the collaboration of manufacturers, providers, and health IT experts.
Interminable litigation
The dispute between the firms and the device maker sheds light on how complicated it can be to address new information about vulnerabilities to cyber attacks in medical devices, especially in an collaborative manner.
"Hackers can seize control of the Merlin home devices and use them to change therapeutic settings on patients’ devices," the cybersecurity team concluded. These home remote transmitters can also be "manipulated to deliver a T-wave shock to a patient (a shock that induces cardiac arrest), stop providing any therapy at all, rapidly deplete implanted device batteries, and disable certain communication functionalities," they added.
MedSec and Muddy Waters suggest St. Jude is "willing to risk patient safety for profits" as it became aware that roughly 350,000 of its devices may have defects in 2014 but it didn't inform patients and physicians until October of this year. St. Jude instead repeatedly denounced Muddy Waters’ claims in an August 25 report and an August 29 report that its devices are vulnerable to cyber attacks.
"St. Jude Medical stands behind the security and safety of our devices," the device maker said in an Oct. 19 statement. It also argued MedSec's and Muddy Waters' behavior "continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry."
On Oct. 11, although the FDA agreed the devices' batteries "may fail earlier than expected," it said patients should continue using the cardiac devices on their doctors’ advice. "The FDA believes that the benefits of monitoring outweigh any potential cybersecurity vulnerabilities."
However, St. Jude admitted certain device models could experience "rapid battery failure caused by deposits of lithium, forming within the battery, and causing a short circuit" and initiated a Class I recall on Monday, as well as a corrective action plan. Also, St. Jude announced it was forming a medical advisory board last week to focus on the cybersecurity of its medical devices. Hired researchers and St. Jude technology experts will work with the board to improve cybersecurity and patient safety.
Meanwhile, St. Jude has not dropped its lawsuit against the firms, though they have threatened to release the parts of their report that were redacted to protect patients "if and when they determine it is necessary to defend themselves" and requested that the court dismiss St. Jude's complaint.
Muddy Waters said St. Jude's response to its first report had two components: substance (20%) and fluff (80%). It argued that nearly half of the device maker's revenue would likely disappear for about two years because the devices in question collectively accounted for 46% of its 2015 revenue.
The investment research firm's predictions may prove to be true as the complete list of St. Jude's recalled devices appears to be quite extensive. To see all of the affected devices click here.