Cyvidia

Penetration Testing of Your Medical Device



What is a Medical Device Penetration Test?

Penetration Testing is focused on deliberately probing and exploiting the vulnerabilities of medical devices to assess their resistance to potential security breaches. The intent of penetration testing is to find unknown security vulnerabilities or architectural concerns rather than confirm that implementation matches design.


It is a systematic process of evaluating the security of a medical device by simulating cyber attacks. The goal is to identify vulnerabilities and weaknesses that could be exploited by malicious attackers.


From a medical device perspective, penetration testing and its complete findings are now expected by the US FDA as part of a manufacturer’s premarket regulatory submission.

What is included in a Penetration Test?

By definition, penetration test coverage is variable and incomplete. Just as a real-world threat actor has a specific set of skills, so does each penetration tester. While testers have a broad set of capabilities, each will have their own specialties. This is important for two reasons: you want to match the capabilities of the tester to your focus area, and you want to mix up scope and testing capabilities over time to minimize blind spots.

The scope of a medical device penetration test depends on the specific goals of the test, but generally, it aims to evaluate all potential areas of vulnerability in a medical device. As part of identifying your penetration tester, you want to match their capabilities to your focus areas of testing. Focus areas could include:

  1. Device Hardware: This includes the physical components of the device. The tester might try to gain physical access to the device or interfere with its physical security measures. Device hardware testing requires the tester to be familiar with embedded CPU architectures, flash memory, and various serial and parallel interfaces.

  2. Device Software: This includes the firmware and any other software that is running on the device. Testers will look for software vulnerabilities, insecure coding practices, outdated software versions, etc.

  3. Communication Protocols: Many medical devices communicate with other systems, such as a central monitoring system or an electronic health record system. These communication protocols can be a point of vulnerability.

  4. Network Interfaces: Devices can be vulnerable to attacks over the network, particularly if they are connected to the internet. Testers will evaluate the security of these network interfaces.

  5. Data Storage and Transmission: Medical devices often store and transmit sensitive health data. Testers will evaluate the security of data at rest and in transit.

  6. User Interfaces: Many devices have user interfaces, like web interfaces or physical input devices. These can be targets for attacks like cross-site scripting or even physical tampering.

  7. Device Configuration: This includes the default configuration of the device, including any default usernames and passwords, as well as how the device can be configured by the user.

  8. Third-Party Components: Medical devices often rely on third-party software, operating systems, or components. These can introduce vulnerabilities if they are not properly secured.

  9. Wireless Connectivity: Many medical devices have wireless capabilities like Bluetooth, Wi-Fi, or even cellular connectivity. These interfaces can be a point of vulnerability.

  10. Authentication and Authorization Mechanisms: Testers will try to bypass or misuse authentication and authorization mechanisms to gain unauthorized access.

What is the process once the tester is identified?

Once a tester has been identified, you will need to work with them to confirm the scope and engagement assumptions for the test: essentially, what is “in” and “out” of scope for them to test. This is especially important for network-connected devices, which may connect to a back-end infrastructure for software updates or other tasks. Well-defined assumptions will focus efforts on your desired target and prevent a tester from probing into systems that should not be included in scope.
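One way to make the agreed scope machine-checkable, so that every target is compared against the "in" and "out" lists before any testing starts (an added example, not part of the original article). The scope entries, addresses and hostnames are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed scope for a hypothetical engagement; all values are placeholders.
SCOPE = {
    "in": ["192.0.2.0/28", "device-lab.example.test"],
    # The back-end update infrastructure is explicitly excluded.
    "out": ["192.0.2.10", "updates.example.test"],
}

def _parse(entries):
    """Split scope entries into IP networks and lower-cased hostnames."""
    nets, hosts = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.append(entry.lower().rstrip("."))
    return nets, hosts

def _matches(target, nets, hosts):
    """True if target is an address inside a network, or a host or subdomain of a listed name."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        name = target.lower().rstrip(".")
        return any(name == h or name.endswith("." + h) for h in hosts)
    return any(addr in net for net in nets)

def check_target(target, scope=SCOPE):
    """Exclusions win over inclusions; anything not listed is not authorised."""
    if _matches(target, *_parse(scope["out"])):
        return "out-of-scope"
    if _matches(target, *_parse(scope["in"])):
        return "in-scope"
    return "not-listed"

def triage(targets, scope=SCOPE):
    """Group a proposed target list by scope decision for review before testing."""
    result = {"in-scope": [], "out-of-scope": [], "not-listed": []}
    for target in targets:
        result[check_target(target, scope)].append(target)
    return result

if __name__ == "__main__":
    proposed = ["192.0.2.5", "192.0.2.10", "api.updates.example.test", "198.51.100.7"]
    for decision, items in triage(proposed).items():
        print(f"{decision}: {items}")
```

Treating "not-listed" as a separate outcome surfaces targets that the scope discussion never covered, so they go back to the manufacturer for a decision instead of being tested by default.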


Finally, a penetration test report is released to you. You do not pass or fail the test. The testing report provides a comprehensive overview of the test's findings. It's meant to offer insights on the vulnerabilities identified, the risks they pose, the actions required to mitigate those risks, and suggestions for improving the overall security posture.


Summary

Penetration testing is a critical part of a healthy product security program and is increasingly a key requirement for regulatory compliance. Keep in mind that penetration testing is only part of a broader security strategy that also includes security by design, continuous monitoring, threat intelligence, incident response, and user training. The ultimate goal is to protect patient safety and privacy by ensuring that medical devices are resilient against potential cyber threats.
