5 Hard Lessons from the St. Jude Connected Medical Devices Fiasco


May 25, 2017

Some life lessons happen the easy way, but most come the hard way. The saga surrounding the insecure pacemakers and defibrillators produced by St. Jude Medical taught its participants and observers many hard lessons in the wake of discoveries by MedSec, disclosures by Muddy Waters and investigations by the FDA and DHS.

Here's the history of the St. Jude medical device fiasco:

  • In the spring of 2016, St. Jude Medical was poised for acquisition by Abbott Laboratories
  • MedSec independently tested St. Jude cardiac devices and found security flaws
  • “[MedSec] reached out to the Muddy Waters Capital LLC investment firm, suggesting a partnership to short sell St. Jude stock before reporting the vulnerabilities to the FDA. Under the deal, MedSec [would make] more money the further shares fall,” as noted on the Techdirt website
  • “Muddy Waters published a report announcing its short position in St. Jude on after receiving a report by cybersecurity firm MedSec that claimed St. Jude's cardiac devices are vulnerable to cyberattacks,” according to CNBC
  • St. Jude refuted the allegations made by Muddy Waters Capital and MedSec
  • St. Jude fired back with a statement posted on BusinessWire claiming MedSec used "flawed test methodology on outdated software," demonstrating a "lack of understanding of medical device technology."
  • St. Jude filed a lawsuit in a Minnesota court, according to Threatpost, alleging that the report made unsubstantiated claims and was an attempt to manipulate the market in its securities for what it believed was an illegal windfall
  • In the fall of 2016, the FDA and DHS jumped into the fray to investigate claims that St. Jude medical devices were vulnerable to cyberattacks
  • In January 2017, “The FDA confirmed that St. Jude Medical's implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks,” according to an article on CNN Tech
  • An article on the Star Tribune noted that Abbott Laboratories acquired St. Jude in early January 2017 in a transaction worth $25 billion. Abbott said it had worked with the FDA and DHS to update and improve the security of the affected devices.

So, now that we know the story, what do we take away? Do we focus on the odd twists and turns and miss the point about insecure medical devices? Let’s not. Let’s take a look at 5 hard lessons from these events as they relate to the security of connected medical devices:

  1. Don’t Ignore the Warnings: St. Jude learned of the MedSec report in the late summer of 2016, but refuted its content and chose not to update its devices. This showed a startling lack of concern.
  2. Small Medical Devices Count: New pacemakers can be smaller than a AAA battery, yet contain firmware that’s hackable (see above!). Medical device manufacturers cannot and should not ignore the small devices they produce because, frankly, hackers won’t.
  3. Others Can Influence Your Livelihood: If you produce medical devices, there are people who want to influence your livelihood, whether it’s your staff and other companies trying to protect your devices and your cash flow, or those who seek to hack your devices and directly or indirectly decrease your cash flow.
  4. Consumer Trust is Paramount: During all of the “he said, she said” combat between the St. Jude camp and the Muddy Waters/MedSec camp, consumer trust is what suffered the most. Consumers rely heavily on manufacturers to produce safe connected devices.
  5. Safety First: We teach our children the idea of safety first, but sometimes lose sight of this concept as adults. So many of us rely on medical device manufacturers to protect our health for a range of needs. We need cybersecure devices that won't be used to harm us directly, or to harm many of us indirectly when used as attack vectors.