Hold on to your pacemaker. Latest news is they can be hacked. Worse news is that people are making stock bets on that vulnerability. Normally, security companies wouldn’t explore medical devices as an avenue for hacking. One supposes decoding their encryption wouldn’t take hackers very far. No social security numbers or bank account information. At best, a person could make your heart skip a beat, right?
Wrong. Information can be gleaned from reaching into “unsecured radiology equipment, blood-gas analyzers and other machines inside hospitals and nursing homes. Once hackers are into your medical records, they can go almost anywhere.” (“How Hackers used Pacemaker Vulnerabilities to Play the Market,” by Jordan Robertson and Michael Riley, Bloomberg Businessweek, 9/5-9, 2016 pgs. 29-30.)
Normally, cyber security firms focus on large corporations. They make money by looking for bugs in the company’s security systems and accept a “bug” bounty for their discoveries. Or, they “sell the information in the gray market to intelligence agencies and cyber weapons dealers where good attack codes can fetch hundreds of thousands of dollars.” (Ibid pg. 29.) Making money off a pacemaker wasn’t intuitively obvious, until MedSec, a cyber security firm, came up with a bright idea. They contacted an investment firm, Muddy Waters, and shorted the stock of St. Jude Medical, a publicly traded company that sells pacemakers. When news of the defect got out, MedSec made a fortune on their investment. What’s more, MedSec had created a third pathway to make money from their bug discoveries.
MedSec’s creativity has opened a legal can of worms, and we will probably see Congress churn out reams of regulation once it catches up with this latest twist from the cyber world.
The company insists its motives are pure. The goal was to force St. Jude to make necessary code changes to its pacemaker. Without financial exposure, they say St. Jude seemed reluctant to move. But as Jacob Olcott, member of a cybersecurity rating firm, points out, whatever MedSec’s rationale, “If security researchers think they have to work with a short seller to address the security posture of a major company, something is wrong.” (Ibid, pg. 30)