    Blue Goat Cyber · Medical Device Cybersecurity

    Medical Device Penetration Testing for Cardiac Rhythm Management

    Penetration testing for pacemakers, ICDs, CRT-Ds, leadless pacers, ILRs, in-clinic programmers, and home monitors. Conexus / CareLink / Merlin@home reference patterns.

    Last reviewed March 2026 · Reviewed against the FDA Feb 3, 2026 final premarket cybersecurity guidance.

    How this applies to Cardiac Rhythm Management

    Cardiac Rhythm Management is the device class with the most extensive public cybersecurity history in MedTech, and reviewers test submissions against named incidents. A CRM pen test that doesn't explicitly exercise the Conexus telemetry pattern (ICSMA-19-080-01, CVE-2019-6538/6540), the CareLink 2090 programmer update path (ICSMA-18-128-01), and the Merlin@home backhaul (FDA Safety Communication, Jan 2017) leaves obvious gaps that any FDA cyber reviewer will flag.

    We test CRM systems as one connected system, not as an implant plus accessories. On the implant link we characterize the telemetry protocol (inductive, MICS-band, or BLE) with SDR-based tooling, then exercise mutual authentication, session establishment, replay, downgrade, pairing-mode abuse, and parameter-write authorization on staging hardware. On the in-clinic programmer we test it as a full networked computing system: OS hardening, signed software updates, maintenance/service interfaces, USB/serial ports, session and audit controls. On the home transmitter we test cellular and Wi-Fi configuration, certificate pinning, secure boot, anti-rollback, and the cloud APIs it calls - and we treat the cellular fleet-management plane as a high-impact multi-patient surface, because a compromise there has the largest documented blast radius in CRM. Findings are mapped to the ISO 14971 risk file, AAMI SW96 controls, and the FDA's 2026 premarket cybersecurity guidance so your regulatory team can defend them in submission.

    How the engagement runs

    Medical Device Penetration Testing engagement, end to end

    Four phases, fixed fee, scoped to cardiac rhythm management architecture from kickoff onward.

    1. Scope + kickoff

       Architecture review, attack-surface walkthrough, and threat-model alignment with your team. Written scope in 24 hours.

    2. Threat-model alignment

       Every STRIDE entry in your threat model is matched to a planned test case so reviewers see one-to-one coverage.

    3. Test execution

       Device, cloud, mobile, BLE/RF, and OTA channels exercised in parallel by senior engineers - not a single web-app scan.

    4. Reviewer-ready report + retest

       eSTAR-format report with findings, CVSS, remediation, and unlimited retests until every finding is closed.

    Common findings

    What we see in Cardiac Rhythm Management medical device penetration testing

    The patterns we hit in this segment, this service, again and again.

    • Implant telemetry lacks authentication or integrity (Conexus-class)

      Wireless interrogation accepts read/write commands without mutual authentication or replay protection. We've demonstrated parameter reads on staging hardware within a single session - the exact root-cause pattern of ICSMA-19-080-01.

    • Programmer software update over an unauthenticated network path (CareLink 2090-class)

      In-clinic programmer fetches software updates over a deployment network without certificate validation or signed-package verification - same root cause as ICSMA-18-128-01.

    • Home transmitter accepts firmware without anti-rollback

      The home monitor accepts validly signed but older firmware images, enabling a downgrade to a known-vulnerable build. Signed-but-no-anti-rollback (a valid signature with no version floor) is the single most common CRM finding.

    • Cellular fleet-management plane has multi-tenant authorization gaps

      API endpoints intended for one device's management accept tokens from another - BOLA at fleet scale. The blast radius here is every paired patient device, not one.

    • Clinician portal account takeover via account-recovery flow

      Recovery flow returns deterministic tokens or allows email change without re-authentication - account takeover exposes longitudinal arrhythmia telemetry across many patients.

    • URGENT/11 exposure undisclosed

      The programmer or home monitor includes a VxWorks IPnet stack version covered by URGENT/11 (CISA ICSMA-19-274-01) without a documented exposure analysis. Reviewers ask for that disclosure explicitly.
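    The anti-rollback finding above comes down to check order on the device. The following is an added example, not Blue Goat Cyber's or any device vendor's code, of a home-transmitter update gate that verifies the signature first, then refuses any version that does not strictly advance the installed counter, then checks image integrity. Everything in it is constructed for illustration: the manifest layout, the model name "HM-DEMO", the dict standing in for a tamper-resistant version counter in NVM, and the HMAC-SHA256 tag standing in for the asymmetric signature a real device would verify against a vendor public key.

```python
"""Anti-rollback firmware update gate for a home transmitter (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key; on a real device this would be a vendor public key in ROM/OTP.
SIGNING_KEY = b"constructed-demo-signing-key"


@dataclass(frozen=True)
class UpdatePackage:
    manifest: bytes   # canonical JSON: {"model": str, "sha256": hex, "version": int}
    signature: bytes  # tag over the manifest bytes (the image is bound via its hash)
    image: bytes      # firmware image bytes


def build_package(version: int, image: bytes, model: str = "HM-DEMO",
                  key: bytes = SIGNING_KEY) -> UpdatePackage:
    """Vendor side: sign a manifest that binds model, version and image hash.
    Used here only to construct inputs for the device-side check."""
    manifest = json.dumps(
        {"model": model, "sha256": hashlib.sha256(image).hexdigest(), "version": version},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).digest()
    return UpdatePackage(manifest, tag, image)


def verify_update(pkg: UpdatePackage, state: dict, key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """Device side. Returns (accepted, reason). Check order matters: no field of
    the manifest is trusted until the signature over it has been verified."""
    # 1. Signature first, constant-time compare.
    expected = hmac.new(key, pkg.manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkg.signature):
        return False, "bad signature"
    manifest = json.loads(pkg.manifest)
    # 2. Model binding: a valid package for a different product is still rejected.
    if manifest.get("model") != state["model"]:
        return False, "wrong model"
    # 3. Anti-rollback: the version must strictly exceed the installed counter.
    #    A validly signed older image passes step 1; this is the check that
    #    closes the downgrade.
    if manifest["version"] <= state["installed_version"]:
        return False, f"rollback refused: {manifest['version']} <= {state['installed_version']}"
    # 4. Integrity: the delivered bytes must match the hash the manifest commits to.
    if hashlib.sha256(pkg.image).hexdigest() != manifest["sha256"]:
        return False, "image hash mismatch"
    return True, "ok"


def apply_update(pkg: UpdatePackage, state: dict, key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """Gate plus state advance: the counter moves only after every check passed."""
    ok, reason = verify_update(pkg, state, key)
    if ok:
        state["installed_version"] = json.loads(pkg.manifest)["version"]
    return ok, reason


if __name__ == "__main__":
    device = {"model": "HM-DEMO", "installed_version": 7}
    print(apply_update(build_package(8, b"firmware-v8"), device))  # accepted
    print(apply_update(build_package(6, b"firmware-v6"), device))  # validly signed, older: refused
```

    The useful test during an engagement is the second call: a package whose signature verifies but whose version is below the installed counter. If the device takes it, the finding is the signed-but-no-anti-rollback pattern regardless of how strong the signature scheme is.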
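    The fleet-management finding above is an object-level authorization gap: the API authenticates the token but never asks which device it belongs to. The following is an added example, not Blue Goat Cyber's or any vendor's code, showing a vulnerable config-write handler next to its hardened form. The session table, token strings, device ids and the dict-based "requests" standing in for a real HTTP framework are all constructed for illustration.

```python
"""Object-level authorization on a fleet-management API (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    principal: str
    device_ids: frozenset   # devices this token may act on
    scopes: frozenset       # operations this token may perform


# Constructed server-side session table keyed by opaque bearer token.
SESSIONS = {
    "tok-transmitter-A": Session("transmitter:A", frozenset({"dev-A"}), frozenset({"device:write"})),
    "tok-transmitter-B": Session("transmitter:B", frozenset({"dev-B"}), frozenset({"device:write"})),
    "tok-fleet-ops": Session("ops:alice", frozenset({"dev-A", "dev-B"}), frozenset({"device:read"})),
}

AUDIT: list = []   # denied cross-device attempts land here for detection


def fresh_fleet() -> dict:
    """Constructed per-device config store; one fresh copy per scenario."""
    return {"dev-A": {"report_interval_s": 3600}, "dev-B": {"report_interval_s": 3600}}


def vulnerable_update_config(token: str, device_id: str, patch: dict, fleet: dict):
    """Before: authenticates the caller but never checks which device the token
    is bound to, so any valid device token can write any device's config."""
    if token not in SESSIONS:
        return 401, "invalid token"
    if device_id not in fleet:
        return 404, "unknown device"
    fleet[device_id].update(patch)
    return 200, fleet[device_id]


def authorize(token: str, device_id: str, scope: str):
    """Authentication, then scope, then object-level binding, in that order.
    The binding check runs before any existence lookup so a foreign token
    cannot enumerate which device ids exist."""
    sess = SESSIONS.get(token)
    if sess is None:
        return 401, "invalid token"
    if scope not in sess.scopes:
        return 403, "missing scope"
    if device_id not in sess.device_ids:
        AUDIT.append({"principal": sess.principal, "device": device_id, "scope": scope})
        return 403, "token not bound to device"
    return 200, sess.principal


def update_config(token: str, device_id: str, patch: dict, fleet: dict):
    """After: the same handler with the object-level check in front of the write."""
    status, detail = authorize(token, device_id, "device:write")
    if status != 200:
        return status, detail
    if device_id not in fleet:
        return 404, "unknown device"
    fleet[device_id].update(patch)
    return 200, fleet[device_id]


if __name__ == "__main__":
    fleet = fresh_fleet()
    # Device A's token writing device B's config: accepted by the vulnerable handler.
    print(vulnerable_update_config("tok-transmitter-A", "dev-B", {"report_interval_s": 60}, fleet))
    fleet = fresh_fleet()
    # Same request against the hardened handler: refused and logged.
    print(update_config("tok-transmitter-A", "dev-B", {"report_interval_s": 60}, fleet))
    print(AUDIT)
```

    The audit entries written on denial are the detection side of the same control: a burst of "token not bound to device" events from one principal across many device ids is the signal a fleet-management SOC should alert on.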

    "Blue Goat Cyber helped us navigate our first end-to-end cybersecurity testing for our wearable medical device. Their communication was excellent, their timeline exceeded expectations, and their report helped us achieve FDA clearance without any additional questions. It was a truly seamless experience."
    Anna Norman
    VP of Product · InfoBionic.Ai

    What you get

    Standard Medical Device Penetration Testing deliverables

    The same deliverables the parent Medical Device Penetration Testing service ships with - tuned to your cardiac rhythm management architecture.

    • Device, firmware, and embedded testing - hardware teardown, JTAG/UART/SPI bus access, firmware extraction and reverse engineering, and exploitation of the secure boot, debug, and update paths. Done by operators who have tested infusion pumps, monitors, surgical robots, and implantables.
    • Companion app and cloud API coverage - iOS/Android binary analysis, BLE pairing/GATT attacks, REST/MQTT/gRPC fuzzing, authentication and authorization testing, and tenant-isolation checks. We test the device as patients and clinicians actually use it, not in isolation.
    • FDA-ready penetration test reports - executive summary, methodology, CVSS-scored findings tied to your threat model, reproduction steps, and a Letter of Attestation formatted to the FDA's 2026 premarket guidance. Reviewer-ready, not a generic IT security PDF.
    • Remediation guidance and re-test included - written fix recommendations per finding, engineer-to-engineer support during remediation, and unlimited re-tests of fixed issues inside the fixed fee. You leave with a clean report, not a list of open items.
    Deliverable preview

    What lands in your eSTAR submission

    Reviewer-format documents ready to drop straight into the cybersecurity attachments of your submission - no reformatting on your side.

    Sample: Medical Device Penetration Testing for Cardiac Rhythm Management (eSTAR · 524B · AAMI SW96)
    Standards

    Standards that apply

    The Cardiac Rhythm Management baseline, plus the call-outs that matter for medical device penetration testing in this segment.

    FDA 2026 Premarket Cyber Guidance
    AAMI SW96
    AAMI TIR57
    ISO 14708-2 / 14708-6
    IEC 60601-2-31
    IEC 62304 (Class C)
    IEC 81001-5-1
    ISO 14971

    Segment-specific call-outs

    AAMI TIR57 + AAMI SW96

    Findings must trace to specific hazard entries in the ISO 14971 risk file with SW96 controls applied - 'IT bug' framing fails CRM reviews.

    ISO 14708-2 / 14708-6 + IEC 60601-2-31

    Cyber findings that affect pacing, defibrillation, or CRT delivery must be analyzed against the essential performance requirements for active cardiac implants, not just as software defects.

    Honest scoping

    What's not in scope

    We scope tightly on purpose. These items are either out-of-scope by design or belong in a separate engagement - we'll tell you up front, not after kickoff.

    • Hospital enterprise IT network penetration testing
    • Clinical efficacy or human-factors validation
    • Physical security of manufacturing sites
    • Source-code review (unless explicitly added as a separate engagement)
    Related reading

    Go deeper on Cardiac Rhythm Management and premarket

    Guide
    10 Reasons Cybersecurity Vendors Fail MedTech

    A practical, ungated buyer's guide for medical device manufacturers evaluating cybersecurity partners: what goes wrong, why it costs you, and what to demand from your next engagement. Aligned to the FDA February 2026 premarket guidance.

    Guide
    12 Critical Findings from Medical Device Pen Tests

    The most common high- and critical-severity findings we surface in medical device penetration tests, what each one looks like in the field, and how to fix it before your FDA submission.

    Guide
    12 Critical Threat-Modeling Gaps in Submissions

    A practical, ungated guide to the threat modeling gaps that trigger FDA cybersecurity questions in 510(k), De Novo, and PMA submissions - and exactly how to close them before reviewers find them.

    Article
    FDA Cybersecurity Failure Consequences for Medical Devices

    What happens if you fail an FDA cybersecurity inspection: the 483-to-consent-decree enforcement ladder and the commercial fallout for device makers.

    Article
    Does FDA Section 524B Apply to Legacy Devices?

    FDA Section 524B applies to any new premarket submission for a cyber device, including legacy platforms. What attaches to the submission, and which postmarket rules cover the rest.

    Article
    SPDF vs SSDLC: What Medtech Teams Get Wrong

    SPDF vs SSDLC for medical devices. Why the FDA's Secure Product Development Framework demands more than a standard Secure SDLC, and what to add.

    Pair this with

    Other engagements for Cardiac Rhythm Management

    Teams in this segment commonly bundle these alongside medical device penetration testing.

    Keep going

    Medical Device Penetration Testing · Cardiac Rhythm Management

    Scope a Medical Device Penetration Testing engagement for your cardiac rhythm management program.

    A 30-minute call with a senior engineer who has done this in cardiac rhythm management before - not a sales rep.