When Do Medical Device Security Flaws Equal Clinical Risk?
Cybersecurity Expert Kevin Fu Analyzes Claims About St. Jude Medical Devices
At least some of the alleged cybersecurity vulnerabilities in St. Jude Medical cardiac devices that were found by research firm MedSec Holdings don't necessarily translate to serious clinical risks for patients, says medical device security expert Kevin Fu.
Fu and his team of researchers at the University of Michigan took a look at some of the claims made by MedSec about the security vulnerabilities that the start-up firm allegedly found in St. Jude Medical cardiac products, which included implantable pacemakers and defibrillators. St. Jude Medical has refuted the MedSec claims, which were recently disclosed in a report issued by investment firm Muddy Waters Capital.
"The jury is still out, and we need to figure out if these vulnerabilities ... lead to clinical risk," he says in an interview with Information Security Media Group.
For instance, while testing a pacemaker implicated in the MedSec report, Fu's team was able to replicate the same screenshot message that MedSec claims was the result of a vulnerability. However, a further test by the University of Michigan team showed that the pacemaker was still functioning properly despite the screenshot warning, he says.
"One thing we haven't seen any evidence of yet is whether [alleged defibrillator] shocks are disturbed by any of the claimed vulnerabilities," he adds. "Not all vulnerabilities result in a clinically relevant hazardous situation.
"It's not surprising to find vulnerabilities in medical devices. We find them all the time. What's harder is finding vulnerabilities that have a significant clinical risk."
The Muddy Waters/MedSec report raises "a lot of complicated questions" about the potential vulnerabilities as well as the unusual circumstances surrounding the report's release, Fu says. Muddy Waters Capital went public on Aug. 25 about the MedSec allegations of security flaws in certain St. Jude Medical devices without first alerting the vendor or requesting review by federal regulators.
The stock price of St. Jude Medical fell on Aug. 25 after the investment firm revealed it had placed a bet that the device maker's shares would fall, based on the allegations by MedSec. Muddying the situation even more, MedSec had also taken the unusual step of entering a financial arrangement with Muddy Waters Capital.
In the interview, Fu also discusses:
- Why it's so challenging for researchers to ultimately determine whether medical device cyber vulnerabilities present true safety concerns for patients;
- Why disclosures of medical device security vulnerabilities that are discovered by independent researchers are such a sticky subject (see What's Best Way to Handle Medical Device Security Concerns?);
- Why the CEOs of medical device manufacturers need to pledge to build security into the design of their products and provide the appropriate resources for following through on that promise.
Fu is associate professor of electrical engineering and computer science at the University of Michigan, where he directs the Archimedes Research Center for Medical Device Security. Previously, he served as an associate professor of computer science and adjunct associate professor of electrical and computer engineering at the University of Massachusetts, Amherst. Fu also has served as a visiting scientist at the Food and Drug Administration, the Beth Israel Deaconess Medical Center, Microsoft Research and Massachusetts Institute of Technology Computer Science and Artificial Intelligence Lab. He's also a co-founder, CEO and chief scientist at startup firm Virta Laboratories, a healthcare cybersecurity company.