Sep 26, 2024

When health tech meets ethical hacking

Find out how partnering with hackers enhances patient safety

Sometimes putting patients first means partnering with hackers.  

That’s right: hackers

Picture of DEFCON attendee with “Operation” game aligned right
DEFCON attendee demoing Hugo™

“As someone who began my journey in computers and engineering as a teenage hacker, being at DEFCON truly feels like coming back to my roots — I feel like I am with my people," shared Dustin Eastman, Director of Product Security, Surgical Operating Unit. "Engaging with hackers helps us better understand how they think and operate, and it builds valuable relationships that are essential for strengthening our security practices. These connections foster collaboration and are key to developing more resilient devices in the future.” 

Can’t hack this 

Last month, Medtronic attended DEFCON and invited attendees to take a swing at hacking into two Medtronic devices that aren’t yet sold in the U.S.: Our HugoTM Robotic-Assisted Surgery (RAS) system and the next generation of our automated insulin delivery system. 

“We had been planning how to get Hugo to DEFCON since we took the ValleylabTM FT10 energy platform there last year," said Dustin. "I saw it as a crucial opportunity to challenge our security measures and engage openly with the cybersecurity community.” 

Of the 10 medical device companies attending DEFCON, hackers discovered 42 unique vulnerabilities. None of them were found in Medtronic devices. But that doesn't mean we walked away empty-handed.  

Picture of group at DEFCON

Medtronic team at DEFCON

"The likelihood of a hacker finding any vulnerabilities with our devices was low because we did our due diligence," said Vince Nguyen, Sr. Software Engineering Manager, a volunteer at DEFCON’s Biohacking Villager, and annual DEFCON attendee since 2016. "We've been talking about what hackers found in our competitors' medical devices so we can feed those learnings into our own designs going forward." 

What would have happened if any vulnerabilities had been found with our devices? For starters, you'd be reading this article all the same, because transparency - especially when it comes to patient safety - is paramount.  

DEFCON attendees attempting to hack into Diabetes insulin delivery system
Attendees with Medtronic’s automated insulin delivery system

"If a vulnerability had been found with our devices, the team would invoke our typical quality processes to assess the risk and apply the appropriate fixes.  And then testing would start all over again," said Nancy Brainerd, Sr. Engineering Director, Product Security Office and fellow DEFCON volunteer. "Patient safety is not negotiable, and where this message gets really critical from our perspective is that there's a dependency on security. If a product is not resilient to the worst of real-world conditions, it's not going to be secure enough for our patients." 

Why DEFCON? 

Have you ever looked tirelessly for something only to realize it was right in front of you the whole time? This phenomenon is called "inattentional blindness." When working day-in and day-out on lifesaving technology, we do our best to eliminate these oversights through rigorous testing and troubleshooting. But, for our patients, it's important to identify and remedy issues well before these devices reach doctors. 

"When we work intensely developing a product with our colleagues and focus on solving complicated problems, it's easy to become myopic," Vince said.  “But encouraging hackers to test our products and give us feedback means we have more eyes to notice things we may have missed.  That feedback will make our products better for patients!" 

Dustin Eastman Quote

"We shouldn't be afraid to be vulnerable and take a risk. While this may have been great publicity, press, and exposure for Medtronic, it truly shows our commitment to security and patient safety," said Nancy. "It's the right thing to do." 

DEFCON Fun Facts 

  • DEFCON was first founded in 1993 by Jeff Moss. 
  • Roughly 30,000 people attended DEFCON in Las Vegas, Nevada, this year, 41 of which were Medtronic employees. Fifteen of those employees were volunteers in the Biohacking Village. 
  • In addition to the Biohacking Village, DEFCON also offers car hacking, lockpicking, aerospace, and social engineering villages, among others. 
  • Medtronic has brought devices to the DEFCON Biohacking Village for the last three years with zero vulnerabilities discovered. 
  • This was the first year Medtronic transported pre-market devices to the event. 

DEFCON, regarded as one of the most popular and robust cybersecurity conventions globally, is an annual event held in Las Vegas, Nevada, where thousands of industry professionals – including hackers, cybersecurity experts, government officials, researchers, and tech enthusiasts – gather to learn the latest in security practices, hacking techniques, tools, trainings, and related topics. The conference is comprised of several "villages" that focus on various topics, including a Biohacking Village where 10 medical device companies - including Medtronic - invited hackers to discover vulnerabilities in their products. To ensure we were prepared to bring Medtronic devices to DEFCON, our teams spent a year diligently planning - including building, tearing down, building up again, and meticulous testing to ensure we were truly ready to put our devices in the hands of potentially some of the world's most skilled hackers.  

L001-09132024

Related content