St. Jude Medical releases security patches for its devices, but that’s not it …
St. Jude Medical released security patches for one of the medical devices it produces according to ZDNet’s article at http://www.zdnet.com/article/st-jude-releases-security-patches-for-vulnerable-cardiac-devices. Another medical device hack, yawn and boring right? Not so fast, well the security firm that found the vulnerability, MedSec, was apparently working with Muddy Waters an investment firm and there were accusations that Muddy Waters purposely used that information for financial gain.
Well one side went public with the information, and the other tried to sue etc. FDA jumps in and “vindicates” the other’s claims. Fun read, but really stresses the need for an alternative method of (1) reporting vulnerabilities responsibly and (2) getting vendors to respond and take action also responsibly. The current approach of reporting vulnerabilities and then threatening to go public with the information (which itself creates more risk than is already present) just doesn’t seem to work. No one is happy and nothing willingly gets done.
I don’t have the answer, but would be interesting to hear what other think of the current system. Enjoy the article, it’s an interesting read.