If you haven’t guessed by now, I’m describing the allegations made by Muddy Waters Capital and MedSec about St. Jude Medical Inc.’s pacemakers and defibrillators, claiming they could be tampered with in such a way that it would prove unsafe for patients. This prompted St. Jude to question several of the findings as well as the testing method used to acquire those results. Also, an independent report from the University of Michigan put the original report’s findings into further question.
“We’re not saying the report is false. We’re saying it’s inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue,” said Kevin Fu, U-M associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security.
On a positive note (in my opinion anyway), in this case, St. Jude not only disputed the findings publically, but also filed a lawsuit against the authors of the original report (read more in Top of the News). While some may say that a lawsuit could dissuade future researchers from reporting cybersecurity issues to medical device manufacturers out of fear of similar retaliation, I don’t consider that to be likely. The last thing any firm wants to be is the first to have a real cybersecurity issue that leads to the death of a patient using its product. A company is going to welcome legitimate reports of vulnerabilities with their devices. What needs to come to an end are false claims generated under fabricated conditions that do not resemble real-world scenarios so as to garner publicity or financial gain.
While there were published articles and quotes in newspapers regarding the cybersecurity of medical devices going back many years, the possibility truly became a significant concern in 2011. At a Black Hat security conference, security researcher Jay Radcliffe, a diabetic, discussed how he hacked his own glucose monitor/insulin pump system and was able to deliver what would have been a lethal dose of insulin. While his conditions for doing so were ideal to gain access to manipulate the system, the event thrust cybersecurity and medical devices into the public’s view.
Since then, we’ve been treated to the assassination of the vice president through the hacking of his pacemaker on the television show Homeland. While purely fiction, this event did nothing to ease any fears of such a reality as the deluge of articles from non-fiction sources that followed “confirmed” just how possible it was to actually hack a pacemaker or other medical device. Wonderful…
The event has also been reported to have occurred several times since. In 2015, a team of students from the University of South Alabama claimed to have gained access to an implantable pacemaker and were able to manipulate it without “special access.” Turns out, the pacemaker was a part of a patient simulator system. The students actually gained access to this system and were able to manipulate the pacemaker through it. Hardly a “real-world scenario.”
There was also the report of a Hospira Inc. infusion pump that was hacked rather easily. In that scenario, it turned out the person conducting the demonstration had previously altered the device’s firmware through physical access, something that could not have been accomplished in a wireless attack, which is what was being claimed. A security concern, sure, but certainly not the issue as it was originally presented.
In all of these incidents, the initial response was great concern over a piece of medical equipment being made unsafe by an individual presumably without physical access.
While fortunate in these situations that the incident was not accomplished as easily as it seemed, they continue to remind us of just how serious a matter medtech cybersecurity is. On the other hand, each time a false, staged, or rigged hacking demonstration is revealed, it could cause some to see cybersecurity issues as trivial.
It is critically important that manufacturers take cybersecurity of their medical devices with the utmost seriousness. They need to be intimately familiar with what the FDA permits with regard to updates to software and make patches available to their products in the field to address any vulnerabilities discovered after product launch. No software is going to be 100 percent bug-free at release, and the medtech industry needs to recognize that, regardless of the regulatory environment. Because first is the last position any medical device manufacturer wants to be in when it comes to their product being accessed remotely and resulting in a patient’s death.