Medical researchers at MedSec announced through private equity firm Muddy Waters Capital that thousands of St. Jude Medical's Merlin@home cardiac devices have serious security flaws. The report claims that pacemakers, defibrillators and other devices can be attacked and caused to malfunction or fail. How serious are the potential vulnerabilities in these IoT medical devices? Was MedSec's announcement ethical, considering the dangers of medical device hacking to patients?
The ethics of vulnerability disclosure are frequently debated whenever someone does something unique or new with the announcement of a vulnerability. MedSec's announcement in August through private equity firm Muddy Waters Capital was intended to short St. Jude Medical's stock. Major security issues or data breaches don't frequently cause long-term disruption to share prices, but they may cause a short-term drop, which could be how Muddy Waters Capital tried to profit from this announcement.
The ethics of the situation are unclear, as many security researchers announce vulnerabilities publicly to ensure the public is aware of the issue and can take action. In the case of medical devices, the U.S. Food and Drug Administration (FDA) has established policies for recalls, but the FDA's engagement with internet of things (IoT) medical devices has been complicated.
The risks around IoT medical devices began gaining media attention when doctors disabled the wireless functionality in former U.S. Vice President Dick Cheney's pacemaker to prevent it from being hacked.
The specific risks to enterprises using St. Jude Medical's Merlin@home cardiac devices were unclear at first; a different set of researchers from the University of Michigan was not able to conclusively reproduce MedSec's findings. However, IT security consulting firm Bishop Fox later conducted research and offered expert witness testimony showing that the cardiac devices had "serious security vulnerabilities" that could allow attackers to disable the devices or deliver electric shocks to patients.
The vulnerabilities included flaws in the encryption of the radio frequency protocol used by St. Jude Medical, as well as a backdoor to the devices that Bishop Fox said was "relatively easy to discover."
After several months, St. Jude Medical recently issued security patches for the vulnerabilities.
Enterprises using IoT medical devices should evaluate the IT aspects as thoroughly as other aspects of the device. As part of this evaluation, enterprises can use the Manufacturer Disclosure Statement for Medical Device Security.