Medical researchers at MedSec announced through private equity firm Muddy Waters Capital that thousands of St. Jude Medical's Merlin@home cardiac devices have serious security flaws. The report claims that pacemakers, defibrillators and other devices can be attacked and caused to malfunction or fail. How serious are the potential vulnerabilities in these IoT medical devices? Was MedSec's announcement ethical, considering the dangers of medical device hacking to patients?
The ethics of vulnerability disclosure are frequently debated when someone does something unique or new with the announcement of a vulnerability. MedSec's announcement in August through private equity firm Muddy Waters Capital was intended to short St. Jude Medical's stocks. Major security issues or data breaches don't frequently cause long-term disruption to share prices, but may cause a short-term drop, which could be how Muddy Waters Capital tried to profit from this announcement.
The ethics of the situation are unclear, as many security researchers announce vulnerabilities publicly to ensure the public is aware of the issue and can take action. In the case of medical devices, the U.S. Food and Drug Administration (FDA) has established policies for recalls, but the FDA's engagement with internet of things (IoT) medical devices has been complicated.
The risks around IoT medical devices began gaining media attention when doctors disabled the wireless functionality in former U.S. Vice President Dick Cheney's pacemaker to prevent it from being hacked.
The specific risks to enterprises using St. Jude Medical's Merlin@home cardiac devices were unclear at first; a different set of researchers from the University of Michigan were not able to conclusively reproduce MedSec's findings. However, IT security consulting firm Bishop Fox later conducted research and offered expert witness testimony that showed the cardiac devices had "serious security vulnerabilities" that could allow attackers to disable the devices or deliver electric shocks to patients.
The vulnerabilities included flaws in the encryption of the radio frequency protocol used by St. Jude Medical, as well as a backdoor to the devices that Bishop Fox said was "relatively easy to discover."
Several months later, St. Jude Medical issued security patches for the vulnerabilities.
Enterprises using IoT medical devices should evaluate the IT aspects as thoroughly as other aspects of the device. As part of this evaluation, enterprises can use the Manufacturer Disclosure Statement for Medical Device Security.
Related Q&A from Nick Lewis