As connected medical devices become increasingly complex, cybersecurity has emerged as a fundamental element of patient safety and regulatory compliance. At our recent Cyber Security in Medical Devices session at the CySecMed 2025 conference, Deloitte experts explored how resilience can be built into every stage of the device lifecycle — from design to deployment and beyond.
The session featured insights from Edward Moore (Deloitte Spain) on defensive security, Andras Kabai (Deloitte Central Europe) on medical device security testing, and Maciej Piwowarczyk vel Dabrowski (Deloitte Germany) on evolving EU regulatory requirements. Discussions highlighted how cybersecurity and regulatory expectations are converging, making continuous security validation a necessity rather than an optional element.
Penetration Testing: Going Beyond Compliance
A central theme of the session was the critical role of penetration testing in ensuring medical device security. Unlike traditional IT testing, medical device pentesting covers a much broader spectrum — from embedded hardware and firmware, through industry-specific communication interfaces and protocols, to cloud services and hospital network integration.
Our structured Deloitte Medical Device Penetration Testing Framework provides end-to-end coverage across this connected medical device ecosystem.
Key stages include:
1️⃣ Scoping and reconnaissance – defining the testing boundaries, device models, and operational context; collecting documentation and identifying interfaces (such as USB, CAN, serial, Wi-Fi, BLE, RF, cloud, and APIs).
2️⃣ Threat modeling and test planning – analyzing trust boundaries and prioritizing risks that could impact patient safety, confidentiality, or system availability.
3️⃣ Execution – performing targeted testing across hardware, firmware, interfaces, applications, and cloud systems using a controlled, safe environment that reflects real operational conditions.
4️⃣ Reporting and remediation – delivering detailed findings, risk ratings, and actionable recommendations, followed by validation of implemented fixes.
In a demonstration, Andras Kabai – lead of Deloitte Central Europe’s embedded device security lab – showed how exploiting a hardware-level vulnerability, such as an unlocked JTAG interface that exposes the system internals, can escalate from one-time physical access to a single unit into a scalable remote compromise of multiple connected devices over the network. This example illustrates why comprehensive testing is vital for safeguarding device security at every layer, and how testing at every layer underpins the robustness and cyber resilience of the device, its features, and the safety of patients.
Building Trust Through Security
For medical device manufacturers, cybersecurity is no longer a checklist item — it is a mandatory regulatory requirement, an enabler of trust, market access, and the ultimate way to produce better, safer and more resilient medical devices. Deloitte’s integrated approach combines deep technical testing expertise with regulatory understanding to help clients meet cybersecurity requirements while ensuring devices remain safe, secure, and compliant throughout their lifecycle.
By embedding penetration testing across all stages of medical device development, deployment, and maintenance, manufacturers can confidently bring secure innovations to market — protecting both patients and the integrity of digital healthcare systems.