August 7, 2024

Q&A with Medtronic’s product security leader

Nancy Brainerd, senior director of the Product Security Office (PSO)


Earlier this year, Medtronic named Nancy Brainerd senior director of the Product Security Office (PSO). In her new role leading the PSO team, she oversees the cybersecurity of Medtronic devices and products, ensuring the company engineers products to be resilient in the worst real-world conditions.

Nancy was most recently Medtronic’s Deputy Chief Information Security Officer (CISO) for the Global Security Office, where she was responsible for cybersecurity incident response, attack surface reduction, and security tooling and engineering. Throughout her 20-year career, she has continually worked to support the Medtronic Women’s Network employee resource group through active engagement and even co-chairing the Women in IT (WIIT) hub in the last fiscal year.

Nancy also serves as a director on the Board of Health-ISAC (Health Information Sharing and Analysis Center), a trusted community of healthcare stakeholders that collaborate on cybersecurity threats and best practices. She continues to share her wealth of knowledge by frequently guest lecturing at the University of Minnesota, where she highlights her insights and cybersecurity expertise with undergraduate students.

Below, Nancy shares her thoughts on the current state of security and how Medtronic is building a strong security culture.

What are some of the top security challenges facing healthcare?

Cybersecurity is not only an IT issue but a patient safety imperative. As the healthcare sector continues to struggle with managing cybersecurity risk, regulators and customers alike have made it clear that the bar for medical devices needs to be raised.

Therapy innovation, including AI, is driving increased connectivity, data use, and ecosystem complexity to improve patient care. However, with this, the difficulty of managing cybersecurity risk grows, and in the current landscape, threats are evolving quicker than medical device lifecycles have been able to keep pace with.

It will take all of us working together to protect this increasingly connected healthcare ecosystem. Furthermore, we need to continue developing our own fierce security community that aims to increase the product security IQ across the organization because, as NIST emphasized, “Cybersecurity is Everyone’s Job.” [1]

What are your top priorities in your first year leading the PSO?

Our top priority is patient safety. To achieve that, we are building a high performing and engaged product security team that is focused on three strategic pillars:

Security by Design – Products should be engineered to be resilient against evolving threats to extend life, alleviate pain, and restore health throughout their total product lifecycle.

Vulnerability Vigilance – As the threat landscape continues to change, we need to continue to adapt, respond, and proactively ensure that our products are secure.

Trust through Transparency – Engaging with our stakeholders is critically important and we must continue to foster strong partnerships to build a strong healthcare security culture. Our Coordinated Vulnerability Disclosure (CVD) procedure is one example of the ways we engage with security researchers and inform stakeholders on potential serious security risks and effective recommended mitigations.

 

[1] “Cybersecurity Is Everyone’s Job.” NIST, October 22, 2018. https://www.nist.gov/news-events/news/2018/10/cybersecurity-everyones-job