Medical device and MedTech insights, news, tips and more
St. Jude’s Cardiac Implant Flaw Patched
January 16, 2017
S4x17 CONFERENCE – Miami, Fla. – After more than four months of fallout over a controversial vulnerability disclosure by security firm MedSec on flaws it found in St. Jude Medical’s cardiac implant products, the medical device vendor this week issued a security patch and the US Federal Drug Administration (FDA) published an alert that confirms vulnerabilities in the implant devices.
Healthcare security product and services firm MedSec has been in the hot seat since it licensed its vulnerability research of St. Jude Medical’s cardiac implant devices to a financial trading firm that used the information to short-sell the stock of the medical device manufacturer – a move the firm says was meant to put pressure on St. Jude to fix the vulnerabilities. The short-sell tack raised eyebrows as an unorthodox way for MedSec to make money off its research, but MedSec contends that researchers are usually compensated for their work.
St. Jude Medical, which was acquired by Abbott Laboratories this month for $25 billion, in September filed a lawsuit against MedSec and Muddy Waters, claiming that they engaged in a “willful and malicious scheme to manipulate the securities markets for their own financial windfall.”
In an interview here today with Dark Reading, Justine Bone, CEO of MedSec, says while her firm welcomes the security patch issued by St. Jude, the update doesn’t address the full suite of flaws unearthed by her firm, and she expects more security updates to come from the manufacturer. “They’ve still got these underlying problems with a lack of authentication in the RF protocol that allows [potentially rogue] commands,” for example, she says. That could allow an attacker to issue commands to the patient’s implant to remotely shock it, or disable or drain its battery, she says.
Read More – Source: Cardiac Implant Flaw Patched, But Holes Remain
Kelly Jackson Higgins is Executive Editor at DarkReading.com.