Security at Medtronic

COMMITMENT TO SECURITY

At Medtronic, nothing is more important to us than the safety of our patients. Medtronic designs and manufactures our products to be as safe and secure as possible, yet accessible to the patients and physicians who depend on them.

Medical devices are potential targets of cyberattacks, and we anticipate that those risks will increase and evolve over time. However, Medtronic firmly believes that the therapeutic benefits of our products far outweigh any potential security risks. We continuously monitor the ongoing security of our products and operations and take appropriate action to address vulnerabilities.

Information Security

Protecting information is critically important to Medtronic. We have strong processes, technologies and people in place to safeguard our products and information and make an active effort to anticipate and prepare for the next threat.

Our global program seeks to protect our information and systems, the information of our business partners, and most importantly, the privacy and safety of the patients and healthcare providers that use our products.

While no system of security can provide 100 percent protection, our information technology infrastructure implements physical, administrative and technical controls designed to protect personal information, along with intellectual property and proprietary information. We have dedicated resources and processes to help prevent, detect and respond to cyber threats, and we monitor the security of our systems and take action to address vulnerabilities.

Protecting Medtronic’s information, systems and products naturally extends to our business partners and vendors, and we expect them to secure their systems in a way that is consistent with our requirements.

Medtronic operates in a heavily regulated medical device industry. We align our oversight and management of cybersecurity with the International Organization for Standardization/International Electrotechnical Commission 27000 series (ISO/IEC 27000) and with the NIST Cybersecurity Framework. We have compliance and development programs in place for the devices, systems and services we sell, consistent with applicable medical device regulatory requirements, covering areas such as those listed below.

  • Governing laws, standards and compliance requirements
  • Architecture and standards
  • Security operations/intelligence
  • Physical security
  • Human factors and privacy/security culture
  • Communications and network security
  • Product and device security

Product Security

Medtronic has a strong product security program that leverages internal and external security and medical device experts, rigorous development processes and current security practices to enable the highest levels of security and usability.

We make continuous security improvements to our products throughout their lifecycle, and we continue to review our security practices to minimize and mitigate vulnerabilities as we develop products, including:

  • Working with security researchers and experts to address evolving technology risks;
  • Completing vulnerability testing, updates, and remediation;
  • Assessing the impact of threats and vulnerabilities on device functionality and patient safety;
  • Developing risk mitigation strategies;
  • Developing awareness and education programs on security; and
  • Aligning with industry and regulatory standards.

Medtronic has proactively established a dedicated, global product security team and a coordinated disclosure program to supplement the robust product security practices already in place. Our internal approach to product security is twofold:

  • Embedding subject-matter security experts within each business unit. The product security program is executed by security subject matter experts at the business unit level and supported by an enterprise-wide, cross-functional team. This enables Medtronic to embed security considerations into the full product lifecycle. This structure provides product security governance and oversight and allows for the establishment of policies and procedures that apply across our wide range of therapies and geographies. Additionally, the product security program is supported by rigorous quality processes managed by our Quality group.
  • Integrating an enterprise-wide security team to work across the entire organization. The enterprise-wide product security team is integrated into the Medtronic Global Security Office. This team works cross-functionally across the business to provide broad security expertise, governance and oversight on product security issues. They proactively share information across the enterprise to foster a culture of learning and best practices across a global organization, and augment the security experts within each business unit by providing resources to conduct independent security assessments. Additionally, the team oversees and manages the coordinated disclosure program.

Externally, Medtronic works closely with government agencies, industry partners and security researchers to enhance security efforts across the medical device and healthcare industries and inform and shape the guidance and regulatory landscape.

Secure for Life

With the evolving security landscape, Medtronic makes security improvements to our products, and we continue to review our practices to minimize and mitigate vulnerabilities. While no system of security can provide 100 percent protection, we take measures to address security as our products are developed, once they leave our manufacturing facilities, and as they’re used by patients and healthcare providers. Our teams are focused on building secure products for life, with consideration of the following lifecycle stages:

  • Planning and design: our teams determine functionality and usability, and we conduct a risk-based security analysis to determine appropriate controls.
  • Testing: teams conduct performance and security testing to find vulnerabilities.
  • Revisioning: we redesign the device as needed to address any vulnerabilities found and retest; we repeat as new risks are discovered.
  • Regulatory review: we partner with regulatory bodies to review the device for safety, security, effectiveness and quality.
  • In use: once the product is in use by the patient, we track and evaluate security and safety risks and make updates as appropriate.
  • Retirement: when we retire a device, we consider the security implications of decommissioning.

Throughout the lifecycle of a medical device, we continuously monitor for security risks. We assess and test vulnerabilities based on global standards, engage regulators and communicate appropriate mitigations to key stakeholders.