Medical Device Penetration Testing

Penetration testing is considered a best practice for software-based devices that manage sensitive data or provide diagnostics or therapies for patients. Drawn from practices used in the broader information security industry, there is a need to clearly define its use in regulated medical devices.

The UK National Cyber Security Centre defines penetration testing as: “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might. ” https://www.ncsc.gov.uk/guidance/penetration-testing

Providing information on how these practices should be applied to medical device is the purpose of this project.

Medical Device Penetration Testing Workgroup:

MDIC has established a medical device penetration workgroup, that will examine best practices and make recommendations on how this technique best fits in a regulated medical device environment.

Working Group Members Include:

Chris Reed, Medtronic –Project Lead

Blake Francis, J&J

Tom Jackson, Alcon

Dirk de Wit, Philips

Jason Herbst, Medtronic

Peter Kapelanski, Medtronic

Inhel Rekik, Bracco

Curtis Blythe, Abbott

Matt Hazelett, FDA

David Hingos, J&J

Terrance Head, BD

Sanket Kamath, Boston Scientific

Michelle Jump, MedSec

Proposed Deliverables:

Coordinated by MDIC, the workgroup will develop a white paper on key elements of the application of penetration testing to medical devices.  Examples of topics to be considered:

Relationship of penetration testing to software and device validation activities.
When do tools used in penetration need to be validated.
What are best practices for pen testing, including when and how often it should be performed?
How can penetration testers be driven by threat scenarios?
How should the results from a penetration test be treated for device correction and improvement?

Stakeholders for this workgroup include:

FDA
Medical device manufactures
Medical device industry groups
Academic research groups

If you would like to join this collaborative effort, please contact MDIC program director Jithesh Veetil, jveetil@mdic.org

Have Questions? Contact a Member of the Penetration Testing Team!

Jithesh Veetil, PhD

Senior Program Director - Digital Health & Technology

Email: jveetil@mdic.org

Noor Falah

Project Manager - Digital Health & Technology

Email: nfalah@mdic.org

Current as of February 21, 2023