If you don’t think IoT security is a serious topic, just ask St. Jude Medical Inc. Their stock dropped after a hedge fund, Muddy Waters, shorted a large quantity of the stock after disclosing vulnerabilities in connected medical devices made by the company, including pacemakers and implantable defibrillators (ICDs).
There’s a lot to talk about with this particular piece of news: medical device hacking, questions of disclosure, the suggestion that “none of their competitors are anywhere close to this bad,” and others. Also, as Politico pointed out: “St. Jude Medical's stock ended the day around $78, a loss of five percent on the day, after what seems to have been the first activist investor attack over cyber concerns.”
The allegation seems to have already had some pretty serious implications for the company, and there’s no telling what will happen if the claims prove to be true. With these connected devices representing half of St. Jude’s revenue stream, any recall or vulnerabilities could even put the sale of St. Jude to Abbott Laboratories at risk. Device manufacturers, take heed: the financial implications of cybersecurity negligence are real.
This is certainly not the first (or last) medical device vulnerability that has been discussed. From the original insulin pump and pacemaker vulnerabilities to the potential for brain implants, the field has proven to be too important for security pros to ignore. As the benefits, and profits, of connected medical devices have become clearer, the risks are often overlooked and it’s unclear how many wirelessly-connected medical devices have vulnerabilities. MedSec seems to think so as well, as the company’s career page is currently focused on looking for “individuals with RF experience.”
On the questions of disclosure, I’ll keep it short: disclosure through profit-seeking hedge funds is definitely different, but it introduces a new type of moral hazard. There’s also the question of whether St. Jude is the exception or the norm for security standards, as Josh Corman pointed out for Reuters. He “was surprised St. Jude had been singled out... [he] was aware of other non-public research showing other device makers have cyber vulnerabilities.”
This incident marks the first time the security of an IoT device has had such a direct impact on a company’s financials, but we certainly don’t think it will be the last.
Some articles for more information: