Nevertheless, it’s no secret that many medical devices on the market have flaws, said Corman, who is also the co-founder of I Am The Cavalry, a security advocacy group. The healthcare industry has been working to reform itself after years of little regulatory guidance, he said.
But disclosing a defect in a pacemaker isn’t as simple as finding a flaw in a website. “These are flaws in a product that are being put in a human being’s chest,” Corman said. “You would need surgery to remove them.”
He’s questioning why MedSec didn’t work through U.S. regulators, including the Food and Drug Administration, to address the alleged problems. Patients and hospitals then could have been properly notified.
In its defense, MedSec claims St. Jude Medical can take certain measures to immediately minimize the security risks. It also said that it informed the FDA before Thursday’s disclosure.
Time to worry?
It's not clear whether patients should be worried. Although MedSec is warning the public, the FDA is still investigating the issue.
“At the present time, patients should continue to use their devices as instructed and not change any implanted device,” the FDA said on Friday.
Corman also said that despite the security risks, implanted medical devices save far more lives than they jeopardize. In addition, St. Jude Medical says most of the alleged vulnerabilities are only found in older versions of a patient-monitoring product that did not receive automatic updates.
Still, the incident is forcing the security industry to take a closer look at its practices.
“Is it right to profit off what is fundamentally a safety risk?” Bugcrowd's Ellis said. He wonders if an event like this could hurt cooperation between security researchers and vendors and make their relationships more combative.
Javvad Malik, a security advocate at the security company AlienVault, said he empathized with researchers who were frustrated with the persistent vulnerabilities in medical devices.
“However, despite good intentions, this can set a worrying precedent,” he said in an email. He worries that other security researchers will prioritize making money over properly disclosing a vulnerability.