When it comes to security in the health care sector, a cyberthreat with a bark that’s bigger than its bite can still cause serious problems for an organization. Even a theoretical exploit can send a health care organization spiraling into a whirlpool of unwanted publicity.
This is the first security lesson to be drawn from the recent clash between St. Jude Medical Inc. – a developer of innovative medical technology – and the investment firm Muddy Waters Capital.
According to Bloomberg, it all started with a startup. MedSec is a group of white-hat hackers (or, depending on who you ask, gray-hat hackers) that in August discovered security vulnerabilities in St. Jude’s pacemakers and defibrillators that “could put lives at risk.” Rather than going immediately to the health equipment manufacturer, MedSec took this information to Muddy Waters and proposed a wager.
The investment firm would take a short position against St. Jude based on the information, meaning it would bet against the company’s stock. The terms of the deal were simple: if the shares fell, the fee owed to the hackers for their information would increase – a win for both parties, but not for St. Jude.
The medical technology developer’s shares ended up declining by 4.4 percent. The day after Bloomberg released its report, St. Jude issued a statement calling MedSec’s research “false and misleading.” For instance, MedSec had claimed that the battery of the devices in question could be drained from a range of 50 feet. St. Jude countered in its release that once a pacemaker is implanted in a patient, its wireless communication is limited to a range of 7 feet.
Despite St. Jude’s rebuttal, the U.S. Food and Drug Administration began working with the Department of Homeland Security on an official investigation that same day.
Lesson no. 2: Nurture your security posture
In the most recent update to this story, St. Jude filed suit against Muddy Waters and MedSec for deliberately disseminating false and misleading information in order to profit from the drop in St. Jude’s share value. The outcome won’t be determined for some time, but as of this writing St. Jude has drawn a significant amount of unwanted attention and, in some ways, has had its name dragged through the mud.
That brings us to the second lesson of this debacle for health care organizations: always nurture your security posture. This means more than being HIPAA-compliant, deploying firewalls and encrypting data. A strong security posture requires a holistic, 360-degree view of both the technical and the non-technical aspects of your organization’s cybersecurity, including how it handles vulnerability reports from outside researchers. It means identifying all of your institution’s sources of risk, addressing them, documenting those efforts and having an incident response plan in place should those efforts fail.
In a way, St. Jude’s security posture is being tested at the moment. Only time will tell whether or not it passes.