April 4, 2023

A behind-the-scenes look at how Medtronic tests for product security

Medtronic uses leading-edge technology in our products to help patients live longer and healthier lives. However, as with any technology, there is potential for cybersecurity risks. At Medtronic, our top priority is the safety of patients, so we incorporate cybersecurity activities throughout the product lifecycle to protect against these risks.

We do this by embedding testing into our design and manufacturing process. One type of testing we do is called penetration testing. Penetration testing of medical devices is a requirement for premarket regulatory clearance in many geographies. At Medtronic, we conduct penetration testing on both premarket and released products. By proactively identifying security vulnerabilities, we can work to remediate them before malicious attackers can find and exploit them.

How it works

In a penetration test, authorized testers attempt to defeat the security controls in the device’s system to compromise sensitive information or affect the proper functioning of the device and its processes. Penetration testing uses the same tools that potential attackers would employ. This testing serves as a final check of the device’s overall ability to withstand an attack. A penetration test may be conducted either as an open-box test, where the tester has full access to the device’s source code, design documents, and manuals, or as a closed-box test, where the tester mimics an attacker with access only to the device and publicly available information about it.

Medtronic’s Product Security Office has a team of engineers who specialize in penetration testing. The centralized penetration testing team conducts regular training on the latest attacker tools and techniques. Medtronic also works with third-party penetration testing vendors to leverage additional industry expertise to improve the security of our products.

The findings from a penetration test are then fed back to Medtronic’s design engineers, who use the information to improve the cybersecurity controls in the device, either before it is released or in a future software update or patch.

Industry perspective

New vulnerabilities in software components are constantly discovered and attacker techniques constantly improve. That’s why Medtronic’s Product Security Office is moving to require periodic retesting of released devices to ensure security controls remain effective against the latest techniques.

The medical device industry, regulators, hospitals, patients, and other stakeholders are paying increased attention to the cybersecurity of medical devices. Software used in medical devices is a potential target of cyberattacks, and we anticipate that those risks will increase and evolve over time. Penetration testing is one of our most important tools to detect and protect against potential cyberattacks.