How Medtronic develops safer products with DEFCON hackers

September 11, 2023

Medtronic joined thousands of the top cybersecurity minds for the 31st annual DEFCON, the world’s largest hacker conference. As a medical device manufacturer operating within the healthcare and public health sector, being an active participant in DEFCON is one of the ways that we get to learn from the experiences of different critical infrastructure sectors, and more importantly, engage with the hacking community to build stronger partnerships.

Group photo of DEFCON hackers

This year, Medtronic brought two products to the Biohacking Village, a DEFCON village which focuses on cybersecurity in emerging biotechnology, healthcare delivery, medical technology and pharmaceutical manufacturing. Over the course of two days, we invited hackers to do their best to exploit our FT10 Surgical Generator and LINQ II Insertable Cardiac Monitor. Some might ask how or why we feel comfortable bringing our products into an environment where hacking is the expectation, not just the norm. The answer is two-fold.

First, we bring our products to DEFCON because the first step in fixing an issue is knowing that one exists. Within the Biohacking Village, we get to collaborate with some of the most creative hackers to understand what security concerns there are and how to do better for our future products. Like the rigorous security testing our products undergo, the work of ethical hackers can uncover potential vulnerabilities and security flaws. But what makes those who come to the Devices Lab “ethical hackers”? They sign the Biohacking Village’s Hippocratic Oath for Hackers and come with the intent to improve the security of medical devices, which, in turn, helps us drive innovation in security and make products safer.

Second, the ultimate measure of success is that our product security programs are prepared to handle hackers at DEFCON finding vulnerabilities. We have Coordinated Vulnerability Disclosure processes in place to ensure that if problems are found, Medtronic will take them seriously to assess, mitigate, and disclose discovered cybersecurity risks if needed. Through collaboration, we hope to cultivate trust with the community and encourage ethical hackers and independent security researchers to come to us if they find an issue.

Although we’d prefer to never have a vulnerability to disclose, we recognize that the best security of today may not be the best security tomorrow. While we work to design secure devices during product development, the true measure of maturity is in how we as a company handle newfound vulnerabilities to inform stakeholders of cybersecurity risks and mitigate those risks in a clinically appropriate manner. This process should be transparent and should clearly communicate the risks to stakeholders and the information necessary to keep patients safe. We are constantly looking to improve, but you can see the results of our progress through our public security bulletins.

So, were any issues found with either of the products we brought to DEFCON? This year, more than 2,000 hackers came through the Biohacking Village Device Lab, and over 100 took up the challenge without finding any vulnerabilities in our devices. However, as we mentioned, this isn’t how we define success. Success for Medtronic was that we collectively found a shared commitment to product security through collaboration with the hacker community. Our non-security-focused engineers were able to learn from watching the tools and techniques hackers used in their attempts to exploit our devices, while the hackers were able to learn more about the technologies we support and how we secure them. In turn, this collaboration enables us to ensure Medtronic’s products deliver on their mission for patients while remaining safe and secure.