What is penetration testing for medical devices?

Penetration testing is the simulated hacking of a medical device by ethical security researchers to discover vulnerabilities. The goal is to identify and report security flaws to manufacturers so they can be fixed before a device is deployed, thus preventing malicious exploitation.

How does medical device penetration testing differ from standard cybersecurity testing?

Medical device penetration testing uniquely combines cybersecurity with patient safety. While traditional cybersecurity focuses on the CIA triad (confidentiality, integrity, availability) of data, medical device testing adds 'safety' as a paramount concern, as vulnerabilities can directly impact patient well-being and even lead to death.

What kind of vulnerabilities are commonly found in medical devices?

Common vulnerabilities include hardcoded passwords, insecure default configurations, firmware flaws, and issues originating from the supply chain. These can range from minor security recommendations to critical flaws that pose direct patient risks.

Top 10 Medical Device Vulnerabilities with Myles Kellerman

By Christian Espinosa, MBA, CISSP

Founder & CEO · Blue Goat Cyber

Listen now

Key takeaways

Penetration testing simulates malicious attacks on medical devices to identify and remediate vulnerabilities before products reach the market.
The core goal of medical device penetration testing is to enhance patient safety by proactively addressing security flaws.
Unlike traditional cybersecurity that prioritizes data confidentiality, integrity, and availability (CIA triad), medical device security adds safety as a critical, unique concern.
Vulnerabilities can exist across the entire supply chain, down to the source code, making comprehensive testing essential.
Even seemingly minor vulnerabilities, like hardcoded 'admin' passwords, can pose significant risks in production medical devices.
The FDA requires robust cybersecurity measures, including penetration testing, to ensure the safety and effectiveness of medical devices.

How safe are the medical devices I rely on, and what are the biggest cybersecurity risks I should know about?

In this episode, the team goes behind the scenes of real-world medical device penetration testing to reveal the 10 most common and dangerous cybersecurity vulnerabilities found in medical devices. The discussion covers practical examples, industry standards, and actionable advice for manufacturers and healthcare organizations.

Key points:

(0:00) Introduction & Penetration Testing Context

(1:29) Why Penetration Testing Matters in MedTech

(5:50) Top 10 Medical Device Vulnerabilities:

Hardcoded/Default Credentials - Default passwords, BIOS passwords, and supply chain issues.
Unsecured Communication Channels - Lack of encryption, outdated standards, key management, and device constraints.
Outdated/Vulnerable Third-Party Components - Software Bill of Materials (SBOM), continuous monitoring, and post-market risks.
Improper Access Control - Weak authentication, privilege escalation, and user data exposure.
Debug Interfaces Left Enabled - JTAG/UART ports, physical access, and mitigation strategies.
Missing/Weak Firmware Integrity Checks - Secure boot, code signing, and white-box testing.
Poor Session Management - Session timeouts and session hijacking.
Fuzzing Vulnerabilities (Buffer Overflows) - Fuzz testing, buffer overflows, and legacy devices.
Lack of Tamper Detection - Audit trails, tamper-evident stickers, and physical controls.
No Rate Limiting/Automation Controls - Brute-force attacks, automation, and rate limiting.

(37:26) Secure Product Development Frameworks, and DevSecOps.

(38:04) Regulatory Perspective.

Notable quotes

“Penetration testing is, in its essence, trying to simulate what a bad hacker is doing before they can do it. If a good guy hacks into a device, they responsibly and ethically tell the manufacturer of the device how they did it so that they can go and fix these problems before it's in the market. It's going to lead to a safer product as opposed to waiting for someone with maybe more malicious intentions to find these vulnerabilities first.”

- Trevor Slattery

“It's really about patient safety. If somebody hacks into a defibrillator and shocks you to death, it's a little bit more severe than your credit card information being stolen. You can recover from your credit card information being stolen, but you can't recover if you die from being shocked to death, obviously. So, the risk is much greater. Getting shocked to death is pretty permanent.”

- Christian Espinosa

“There's always usually something there, an area of concern or at the minimum, a security recommendation to strengthen the cybersecurity controls of that medical device.”

- Myles Kellerman

Frequently asked questions

Bring this work to your device

Need help with fda postmarket cybersecurity?

Blue Goat Cyber delivers fda postmarket cybersecurity services for medical device manufacturers - from threat modeling to FDA-ready reports.

FDA Postmarket Cybersecurity Services

Top 10 Medical Device Vulnerabilities with Myles Kellerman

Key takeaways

Notable quotes

Read the conversation

Frequently asked questions

Need help with fda postmarket cybersecurity?

Medical Device Cyber Failures Become Fatal

How Cybersecurity Shapes Regulatory and Quality Success with Jim Goodmiller

Cyber Risk Management for MedTech Legacy Devices

Medical Device Startups and Cybersecurity Challenges with Suzy Engwall

Get FDA cleared without the cybersecurity headaches.

Top 10 Medical Device Vulnerabilities with Myles Kellerman

Key takeaways

Notable quotes

Read the conversation

Frequently asked questions

Need help with fda postmarket cybersecurity?

Keep listening

Medical Device Cyber Failures Become Fatal

How Cybersecurity Shapes Regulatory and Quality Success with Jim Goodmiller

Cyber Risk Management for MedTech Legacy Devices

Medical Device Startups and Cybersecurity Challenges with Suzy Engwall

Get FDA cleared without the cybersecurity headaches.