St. Jude Medical, Inc. vs. Muddy Waters Consulting LLC, et. al.: Who Bears the Burden to Disclose Discovered Software Vulnerabilities in Medical Devices?
Catherine Barrett, MITRE Corporation, McLean, VA
August 01, 2017
Managing medical device cybersecurity risks is an evolving area of the law and public policy. As more healthcare providers rely upon networked medical devices to provide care to patients, questions emerge about which party should bear the responsibility for providing notice when a software vulnerability is discovered in a medical device. And, when notice is provided, who has the responsibility to act and in what timeframe? When public health and safety are at stake, is the public best served by for-profit, market-motivated businesses or by the government?
Food and Drug Administration Offers Guidance In Lieu of Regulations
Currently, there is no federal regulation or law that clearly articulates who must provide notice when a software vulnerability is found in a medical device and what actions should be taken after notice is given. The Food and Drug Administration (FDA), however, has issued a series of non-binding guidance documents to help entities begin to address potential cybersecurity risks associated with medical devices.1 Most recently, in December 2016 the FDA issued guidance noting that it is the responsibility of the manufacturer “to be active and on guard for potential vulnerabilities and emerging threats throughout the lifecycle of devices, and be prepared to devise solutions.”2 Furthermore, if an outside entity, such as a researcher, discovers a vulnerability, the FDA encourages but does not require the manufacturer to “adopt a coordinated vulnerability disclosure policy and practice that includes acknowledging receipt of initial vulnerability report to the vulnerability submitter.”3 However, the FDA guidance is silent on what, if any, burden the “vulnerability submitter” has to inform the manufacturer of discovered vulnerabilities.4 So, while the FDA encourages manufacturers to adopt and proactively manage a cybersecurity risk management approach for medical devices (which could include software applications in some cases), the guidance is non-binding on the parties and the manufacturers are, therefore, not obligated to fix discovered vulnerabilities.
The question of who bears the burden to provide notice and respond to discovered software vulnerabilities may be explored by the U.S. District Court, District of Minnesota in a case brought by St. Jude Medical, Inc. (St. Jude Medical) against Muddy Waters Consulting, LLC (MWC), Muddy Waters Capital, LLC., a hedge fund manager, and MedSec Holdings Ltd. (MedSec), et. al. St. Jude Medical is suing the defendants for false statements, false advertising, conspiracy and manipulation of the public markets.5 Although the complaint does not directly address many of the questions outlined above, it is possible the court will comment on who bears the burden to identify vulnerabilities, notify and/or act on known or discovered cybersecurity risks in the judgment. The case, filed August 7, 2016, is being actively litigated and should be of interest to private and public sector entities including federal government departments/agencies, insurance companies, hospital systems, medical device manufacturers, academic researchers and patients.
Is the Federal Government or the Private Market Best Positioned to Protect Patients from Cybersecurity Vulnerabilities Found in Medical Devices?
This U.S. District Court case is significant because it is believed to be the first time a private firm, MedSec, a cyber-security research firm, leveraged discovered cybersecurity vulnerability information to gain private profits rather than inform the manufacturer per the FDA guidance governing post-market management of cybersecurity in medical devices.6 MedSec found vulnerabilities in several St. Jude Medical manufactured medical devices including pacemakers, implantable cardioverter defibrillators, and cardiac resynchronization therapy devices, noting that many “lacked basic encryption and authentication protections, and as a result, a hacker could impersonate any one of the devices and likely communicate with St. Jude Medical’s internal network.”7 MWC, an investment research firm and affiliate of Muddy Waters Capital, issued a report on August 25, 2016 that included MedSec’s research and “asserted St. Jude’s heart devices were vulnerable to cyberattack and were a risk to patients.”8
Rather than following the established practice of notifying the manufacturer, St. Jude Medical, of the software vulnerabilities and potential cybersecurity risks, MedSec entered into a financial agreement with Muddy Waters Capital to license MedSec’s research to Muddy Waters Capital, the hedge fund manager.9 Muddy Waters Capital “announced it would be heavily shorting St. Jude Medical…” because it believed that the devices are vulnerable to cyberattacks and “within 90 minutes of Muddy Water’s announcement, St. Jude Medical’s stock fell more than 8%.”10 This meant that the more St. Jude Medical’s stock price fell on August 25th, the more Muddy Waters Capital and MedSec gained (since Muddy Waters Capital had shorted the stock).11
Federal Government Takes Action to Address Cybersecurity Concerns in St. Jude Medical Devices
Both the FDA and the Department of Homeland Security acted after the St. Jude Medical case came to light. On January 9, 2017 the FDA issued a Medical Device Safety Communication confirming cybersecurity vulnerabilities in St. Jude Medical implantable cardiac devices and the Merlin@home Transmitter, a remote care patient management device.12 The FDA, acting as regulator of medical devices, issues Medical Device Safety Communications that detail the FDA’s analysis of a current medical device-related issue, for example one that calls patient safety into question.13 The FDA communication noted that if the vulnerabilities were exploited, “an unauthorized user, i.e., someone other than the patient's physician,” could gain access to the implanted cardiac device via the Merlin@home Transmitter, causing “rapid battery depletion and/or administration of inappropriate pacing or shocks” to the patient.14 To address the FDA’s concerns, St. Jude Medical developed and released a software patch for the Merlin@home Transmitter on January 9, 2017.15
Also on January 9, 2017 the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an Advisory characterizing the software vulnerability as “man-in-the-middle,” meaning “identities of the endpoints for the communication channel between the transmitter and St. Jude Medical’s web site, Merlin.net, are not verified” thereby allowing “a remote attacker to access or influence communications between the identified endpoints.”16 A man-in-the-middle cyberattack allows a third party to insert himself/herself into an otherwise private conversation and “capture and manipulate sensitive information in real-time.”17
Conclusion
While the FDA and DHS communications and advisories provide additional certainty that there were software vulnerabilities in some St. Jude Medical devices, they do not clarify who has the burden to provide notice of discovered software vulnerabilities, or who must act, and within what timeframe, to resolve those vulnerabilities. It is quite possible, however, that the St. Jude Medical, Inc. vs. Muddy Waters Consulting LLC, et. al. case could help begin to address these questions. This is a significant case because no other federal court to date has addressed which party has the burden to provide notice of known medical device software vulnerabilities. Although the St. Jude Medical, Inc. vs. Muddy Waters Consulting LLC, et. al. complaint does not directly address these questions, it is possible the court will comment on who bears the burden to identify vulnerabilities and to give notice of known or discovered cybersecurity risks, and thereby provide the industry with needed guidance in this area.
***
1 The FDA offers a list of guidance documents with digital health content at https://www.fda.gov/MedicalDevices/DigitalHealth/ucm562577.htm.
2 Schwartz, Suzanne B., “National Cyber Security Awareness Month: Understanding the Interdependencies of Medical Devices and Cybersecurity,” FDA Voice, October 27, 2016, https://blogs.fda.gov/fdavoice/?s=Suzanne+Schwartz&%3Bamp%3Bsubmit=Search.
3 Food and Drug Administration, “Postmarket Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff,” December 28, 2016, https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf. The guidance references two ISO/IEC information technology security-techniques standards that may be useful resources for manufacturers: ISO/IEC 29147:2014: Information Technology – Security Techniques – Vulnerability Disclosure, and ISO/IEC 30111:2013: Information Technology – Security Techniques – Vulnerability Handling Pro.
4 The FDA “strongly recommended that manufacturers participate in an Information Sharing and Analysis Organization (ISAO) that shares vulnerabilities and threats that impact medical devices. Sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful postmarket cybersecurity surveillance program.” See Food and Drug Administration, “Postmarket Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff,” December 28, 2016, https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf.
5 St. Jude Medical, Inc. vs. Muddy Waters Consulting LLC, et. al., U.S. District Court, District of Minnesota (September 7, 2016) at http://668781195408a83df63a-e48385e382d2e5d17821a5e1d8e4c86b.r51.cf1.rackcdn.com/external/St-Jude-Medical-vs-Muddy-Waters-and-MedSec-complaint-9-7-16.pdf. St. Jude Medical, Inc. brought action against defendants (i) Muddy Waters Consulting LLC and Muddy Waters Capital LLC, (ii) MedSec Holdings, Ltd. and MedSec LLC, (iii) Carson C. Block, (iv) Justine Bone and (v) Dr. Hemal M. Nayak (collectively the “Defendants” and each a “Defendant”).
6 Food and Drug Administration, “Postmarket Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff,” December 28, 2016, https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf.
7 Frances P. Forte and Todd S. McClelland, “Shorting, reporting and profiting in the era of cyber security,” Jones Day Cyber Security Practitioner, December 2016, http://www.jonesday.com/files/Publication/00ecaa51-aba9-4490-a906-44d9467d62cb/Presentation/PublicationAttachment/70562150-fd52-4a5f-a294-4662a1ffd2bb/CSP%20December%202016%20pg%204-6.pdf.
8 Jim Finkle and Dan Burns, “St. Jude Stock Shorted on Heart Device Hacking Fears; Shares Drop,” REUTERS, August 25, 2016, http://www.reuters.com/article/us-stjude-cyber-idUSKCN1101YV. MWC is a private, for-profit firm that issued the report in furtherance of a strategy to short St. Jude’s stock.
9 Chris Brook, “Justine Bone on St. Jude Vulnerabilities and Medical Device Security”, THREATPOST.COM PODCAST, January 19, 2017, https://threatpost.com/justine-bone-on-st-jude-vulnerabilities-and-medical-device-security/123172/.
10 Frances P. Forte and Todd S. McClelland, “Shorting, reporting and profiting in the era of cyber security,” Jones Day Cyber Security Practitioner, December 2016, http://www.jonesday.com/files/Publication/00ecaa51-aba9-4490-a906-44d9467d62cb/Presentation/PublicationAttachment/70562150-fd52-4a5f-a294-4662a1ffd2bb/CSP%20December%202016%20pg%204-6.pdf.
11 “Short selling allows investors to profit from stocks or other securities when they go down in value. In order to do a short sale, an investor has to borrow the stock or security through their [sic] brokerage company from someone who owns it. The investor then sells the stock, retaining the cash proceeds. The short seller hopes that the price will fall over time, providing an opportunity to buy back the stock at a lower price than the original sale price. Any money left over after buying back the stock is profit to the short seller.” The Motley Fool's Knowledge Center, “What Is Short Selling?” https://www.fool.com/knowledge-center/what-is-short-selling.aspx.
12 US Department of Health and Human Services, Food and Drug Administration, “Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication,” January 9, 2017, https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm.
13 FDA Medical Device Safety Communications, https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/default.htm. Note: The FDA includes pre and post-market guidance/recommendations for medical device manufacturers to implement a cybersecurity risk management approach to address potential risks throughout the lifecycle of the medical device. Specifically, “a manufacturer should establish, document, and maintain throughout the medical device lifecycle an ongoing process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling these risks, and monitoring the effectiveness of the controls. This process should include risk analysis, risk evaluation, risk control, and incorporation of production and post-production information.” See FDA “Postmarket Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff,” December 28, 2016, https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf.
15 “The FDA has reviewed St. Jude Medical's software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm. The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.” See U.S. Department of Health and Human Services, Food and Drug Administration, “Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication,” January 9, 2017, https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm.
16 US Department of Homeland Security, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), “Advisory (ICSMA-17-009-01A): St. Jude Merlin@home Transmitter Vulnerability (Update A),” Original release date: January 09, 2017, last revised: February 06, 2017, https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A.
17 Margaret Rouse, “man-in-the-middle attack (MitM)”, TechTarget.com, http://internetofthingsagenda.techtarget.com/definition/man-in-the-middle-attack-MitM.