A group of researchers from the cybersecurity start-up MedSec has opened up an ethics debate after it teamed up with an investment firm to short the stock of a medical device maker in order to make the company aware of vulnerabilities in its products.
Staff from Miami-based MedSec found that the defibrillators and pacemakers manufactured by St Jude Medical, which is headquartered in St Paul, Minnesota, had security holes that could put lives at risk. St Jude also has branches in Japan, Brazil, Costa Rica and Belgium.
But they did not inform the company, nor did they post the information to any of the security mailing lists where such vulnerabilities are normally aired. They did not try to sell their knowledge of the flaws on the grey market either.
Instead, the MedSec team contacted Carson Block, who runs Muddy Waters Capital, an investment firm, and made a deal: he would short the St Jude stock while they would provide information that the equipment could be life-threatening.
There was an additional condition: the cost of their information would increase in proportion to the fall in the St Jude stock. If the gamble hadn't paid off and the stock had not fallen, then MedSec stood to lose.
But as it turned out, things did go their way. The St Jude stock fell by as much as 4.4% in New York on 26 August, to US$77.50.
This could well affect a planned US$25 billion takeover of St Jude which was announced by Abbott Laboratories in April.
The MedSec findings were made public by Muddy Waters on 26 August. Block sent the report to all his investors, advising that close to half of St Jude's revenue could disappear for about two years. At the time, St Jude had a market cap of US$23.3 billion.
Defending what MedSec had done, the company's chief executive Justine Bone wrote: "For the past 18 months, our team has been quietly evaluating the security of various medical devices.
"As a result of our research to date, one company, St Jude Medical, has stood out as lagging far behind. For years this company has continued to put patients at risk by profiting from the sale of devices and a device eco-system which has little to no built-in security.
"We believe St Jude Medical has known about security problems in their products since at least 2013, but it is apparent from the lack of security protections or mechanisms in their product line that very little action has been taken."
She said that in order to help address patient safety, MedSec had departed from standard operating procedures "in order to bring this to the public's attention and to ensure that St Jude Medical responds appropriately and with urgency. We have shared our research with an investment firm, Muddy Waters Capital, that is helping us deliver this message."
Bone said: "The time has come for us to re-think the way cyber security is managed. We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action."
For its part, St Jude Medical called the allegations made by Muddy Waters and MedSec "irresponsible, misleading and unnecessarily frightening (to) patients".
Michael Rousseau, president and chief executive of St Jude, said: "We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices. This behaviour speaks volumes about the profit-seeking motives and integrity of these organisations."
He added: "St Jude Medical devices are designed to go into a life-sustaining 'safe' mode, as a safeguard, if unexpected conditions are detected.
"These safeguards will put the device into safe mode where the pre-programmed pacing and defibrillation functions of the implantable medical devices revert to safe settings. In addition, some of our devices, by design, disable further RF communications for a period of time, which may appear to the untrained eye as having rendered the device disabled, although it continues to function."