Medtronic’s work towards better cybersecurity transparency

September 14, 2022

By Judd Larson


In 2022, it’s an understatement to say that computers are everywhere. Whether you’ve watched it happen, were born into this computer-filled world, or have just been riding the wave of change, you’ve seen examples of well-done tech improving lives and how poorly done tech can cause problems.

Medtronic works to harness leading-edge technology in our products with a clear focus on improving the lives of patients. Integrating this new technology means medical devices are increasingly computerized and connected, creating significant benefit, but also the potential for cybersecurity issues. While we work to design and build safe products, that alone isn’t enough to ensure that they’re secure from constantly changing cybersecurity threats and the diverse environments they operate in. It is not only important for Medtronic to do the work of securing our products, but we also need to be transparent about our security practices so those using and receiving care from Medtronic products know they can trust them.

Medtronic has a Product Vulnerability Intelligence program to help understand and quickly respond to evolving cybersecurity threats. We leverage many sources for cybersecurity vulnerabilities, including social media sites, cybersecurity conferences, industry groups (including Information Sharing and Analysis Organizations (ISAOs)), government agencies, security researchers, our testing practices, and our own internal reporting processes, so we can uncover, assess, and respond to potential product security issues as quickly as possible.

When there are cybersecurity vulnerabilities that could impact a Medtronic product, we engage in the Coordinated Vulnerability Disclosure (CVD) process to inform patients, clinicians, caregivers, regulators, and other stakeholders about the cybersecurity issue and how we are addressing it. The CVD process helps ensure that the solution to a cybersecurity vulnerability is communicated effectively, completely, and quickly. The focal point of our CVD efforts is our Security Bulletin Webpage, where we post cybersecurity issues impacting Medtronic products and actions to resolve and mitigate those risks.

Because of the complex nature of our products, the content of a medical device cybersecurity disclosure can be full of technical and medical terms. To help make our product cybersecurity disclosures easier for everyone to understand, Medtronic contributed to and utilizes the Healthcare Sector Coordinating Council’s (HSCC’s) Medtech Vulnerability Communications Toolkit. This toolkit helps shape the content so it is easier to follow and guides us to use language that people can make sense of.

Medtronic is taking actions to be part of the solution and we embrace our responsibility as a leader in the development of reliable, safe, innovative and lifesaving medical technologies. While this cybersecurity issue disclosure process may seem unusual at first for a medical device company, it is the right thing to do for patients receiving care from Medtronic devices, and it shows maturity in the medical device industry. Vulnerabilities could have a bigger impact when they are hidden away. By being open and transparent, Medtronic is working to be part of the solution and the future of healthcare.