A top medical device security expert says a headline-grabbing report of alleged vulnerabilities in St. Jude Medical’s implantable heart devices was flawed and that its conclusions reflect a fundamental misunderstanding of the purported malfunction, the Association for the Advancement of Medical Instrumentation (AAMI) reports.
Kevin Fu, director of the Archimedes Center for Medical Device Security and a professor at the University of Michigan in Ann Arbor, wrote in a blog post that his team was able to reproduce the “scary-looking screen” that warned of a malfunction in the St. Jude Medical pacemakers without any malfunction actually occurring. The flaw in the original report, Fu concluded, was confusing correlation with causation.
The original report by investment firm Muddy Waters and cybersecurity research firm MedSec Holdings set off a flurry of claims and counterclaims with St. Jude Medical, and also sparked a heated debate about ethics because of a significant financial conflict of interest. That conflict? MedSec publicized its findings two weeks ago while it was in a partnership with Muddy Waters, which had taken a short position in St. Jude Medical’s stock and therefore stood to profit if the share price fell.
Fu didn’t address the ethical issues in his blog post, focusing instead on the alleged vulnerability. His team at the University of Michigan and Virta Labs set out to determine whether there was, in fact, an actual vulnerability.
They did this by attempting to reproduce the screen output that Muddy Waters presented as evidence of a malfunction. By introducing “benign electrical noise on the sense/pace port via the clipped lead,” Fu and his team recreated the visual alerts; they then checked the device itself and found that it was still functioning normally. The distinction matters for anyone evaluating such claims: a warning screen on the programmer is an indicator, not proof that the implant has stopped working, and establishing an actual malfunction requires observing the device’s pacing and sensing behavior directly rather than relying on what the screen displays.
“This summary,” wrote Fu, “shows the screenshot is correlated with normal pacing and sensing, suggesting that the Muddy Waters report misinterprets clinical relevance of the screenshot.”
In a press release, St. Jude Medical denounced the Muddy Waters report as “irresponsible, misleading, and unnecessarily frightening,” suggesting it was driven by nothing more than a desire for money. “We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices,” says Michael T. Rousseau, president and CEO of St. Jude Medical. “This behavior speaks volumes about the profit-seeking motives and integrity of these organizations.”
For their part, Muddy Waters and MedSec have stood by the report; Muddy Waters said in one statement that the findings “should receive serious notice among hospitals, physicians, and cardiac patients.”
Several wireless experts in the health care arena have expressed their dismay at the financial conflict of interest that Muddy Waters and MedSec Holdings had in publishing their report.
“It seems like the cybersecurity industry is in desperate need of a code of ethics,” writes Rick Hampton, a wireless communications manager at Partners HealthCare in Boston and a member of AAMI’s Wireless Strategy Task Force, weighing in on that group’s online discussion forum.