{
  "docId": "019dd923-622c-750b-8b96-76efb5813bae",
  "docSlug": "8ff52fe302da",
  "documentTitle": "St. Jude Medical (STJ)",
  "authorId": "51_Muddy_Waters",
  "authorName": "Carson C. Block",
  "documentKindSlug": "research-note",
  "documentKindLabel": "Research note",
  "sourceTypeSlug": "short_seller",
  "sourceTypeLabel": "Short seller",
  "presentationDate": "2016-08-25 00:00:00",
  "orientation": "portrait",
  "aspectRatio": 0.77272725,
  "pageNumber": 20,
  "pageCount": 34,
  "prevPage": 19,
  "nextPage": 21,
  "slideType": "appendix_disclosure",
  "function": "appendix",
  "density": "dense",
  "nDataPoints": 0,
  "notes": "The page is a continuation of a research note, focusing on risk assessment frameworks (CVSS 3.0 and ANSI/AAMI/ISO 14971).",
  "elementsJson": [
    "paragraph",
    "footnote"
  ],
  "metadataConfidence": 0.9,
  "imagePath": null,
  "slideHref": "/slides/019dd923-622c-750b-8b96-76efb5813bae/20",
  "deckHref": "/decks/019dd923-622c-750b-8b96-76efb5813bae",
  "deckJsonHref": "/decks/019dd923-622c-750b-8b96-76efb5813bae.json",
  "deckAnchorHref": "/decks/019dd923-622c-750b-8b96-76efb5813bae#slide-20",
  "components": [
    {
      "bbox": null,
      "kind": "callout",
      "text": "Based on the Draft Guidance and its recommended tools, we therefore assess the severity of the exploit to patient health to be “catastrophic.”",
      "attrs": null,
      "subkind": null,
      "toolName": "Visual emphasis",
      "toolSlug": "visual-emphasis",
      "confidence": null,
      "componentId": "019dd953-1ac3-70f9-8550-2314efb4754e",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.125,
        "w": 0.772,
        "x": 0.118,
        "y": 0.465
      },
      "kind": "paragraph",
      "text": "As shown supra, MedSec has demonstrated an attack that can cause a Device to pace at a potentially dangerous rhythm. MedSec has also demonstrated a battery drain attack, and certain Device dependent patients could experience severe health consequences if their Devices lost power and failed to function. Based on the Draft Guidance and its recommended tools, we therefore assess the severity of the exploit to patient health to be \"catastrophic.\" The below matrix from the Draft Guidance deems a vulnerability with high exploitability and catastrophic impact if exploited an uncontrolled risk.",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "699a19fc-01b6-467f-86ba-3c010f0368d1",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.225,
        "w": 0.772,
        "x": 0.118,
        "y": 0.215
      },
      "kind": "paragraph",
      "text": "To determine whether a risk is uncontrolled, the Draft Guidance suggests that manufacturers look to cybersecurity vulnerability assessment tools to determine exploitability. It mentions one tool that could assist, called the \"Common Vulnerability Scoring System\", version 3.0. Based on our inputs to the CVSS 3.0 model, the exploitability of the vulnerabilities for the Devices ranges from \"High\" to \"Critical\". Further, FDA's Draft Guidance indicates that manufacturers \"should also have a process for assessing the severity impact to health, if the cybersecurity vulnerability were to be exploited.\" The Draft Guidance suggests one for such assessment to be the ANSI/AAMI/ISO 14971: 2007/R2010: Medical Devices – Application of Risk Management to Medical Devices. Pursuant to this tool, a common term for assessing a qualitative severity level resulting in patient death would be \"catastrophic\" while, on the lower end of the severity spectrum, a common term for a severity level resulting in inconvenience or temporary discomfort would be \"negligible.\"",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "89b824de-50fb-4bbf-95e5-9e11c0801f12",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.035,
        "w": 0.772,
        "x": 0.118,
        "y": 0.145
      },
      "kind": "paragraph",
      "text": "In terms of understanding the probability of an attack taking place, University of Michigan medical device cybersecurity research Kevin Fu pointed out that the malicious third party controls the probability distribution of an attack.",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "e3bbb3bf-705e-4f00-82a3-38ec84a69074",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.035,
        "w": 0.772,
        "x": 0.118,
        "y": 0.093
      },
      "kind": "paragraph",
      "text": "then manufacturers should remediate it. Based on our conversations with industry experts, we estimate this remediation would take at least two years.",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "f81e17a8-2168-4e6c-af82-82881b16cade",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": null,
      "kind": "quote",
      "text": "University of Michigan medical device cybersecurity research Kevin Fu pointed out that the malicious third party controls the probability distribution of an attack.",
      "attrs": null,
      "subkind": null,
      "toolName": "Authority citation",
      "toolSlug": "authority-citation",
      "confidence": null,
      "componentId": "019dd953-1ac3-70f9-8550-25af76d5ad5a",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.125,
        "w": 0.772,
        "x": 0.118,
        "y": 0.805
      },
      "kind": "source-note",
      "text": "34-42: Citations and references to Draft Guidance, YouTube, and ISO standards.",
      "attrs": null,
      "subkind": null,
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "b2320618-d73a-492d-b7fb-aa346d6df3b9",
      "frameworkName": null,
      "frameworkSlug": null
    }
  ],
  "metrics": [],
  "tools": [],
  "frameworks": [
    {
      "name": "ANSI/AAMI/ISO 14971",
      "slug": null,
      "matchId": "91a43238-ce91-48a4-b625-674490e8db56",
      "evidence": "Medical Devices – Application of Risk Management to Medical Devices",
      "confidence": 1
    },
    {
      "name": "CVSS 3.0",
      "slug": null,
      "matchId": "cbcfbfe8-de0a-4118-ab5e-cacda4780edd",
      "evidence": "Common Vulnerability Scoring System",
      "confidence": 1
    }
  ],
  "arcBeats": [
    {
      "to": 22,
      "from": 18,
      "beatId": "f0d4f08b-4c30-4578-a808-4dc45468a7de",
      "arcName": "Problem-Agitate-Solution",
      "arcSlug": "problem-agitate-solution",
      "beatName": "Solution (Provide relief)",
      "beatSlug": "problem-agitate-solution-solution-provide-relief",
      "evidence": "The document provides a solution through regulatory action and recall likelihood analysis",
      "position": 2,
      "confidence": 0.8,
      "parentBeatName": "Resolution",
      "parentBeatSlug": "resolution"
    }
  ],
  "loops": [],
  "imagePathAlt": null,
  "thumbSrc": null,
  "thumbSrcAlt": null,
  "locked": true
}