As Black Hat 2025 approaches, I’m reminded of a series of moments that shaped the cybersecurity landscape in healthcare, starting with Jay Radcliffe’s demonstration in 2011, where he showed how his own insulin pump could be hacked to deliver a fatal dose.
In 2012, similar demonstrations followed, this time targeting pacemakers, exposing their susceptibility to remote manipulation. These sessions triggered public awareness, industry discomfort, and growing regulatory concern.
By 2013, the FDA had issued its first guidance on cybersecurity in medical devices, directly influenced by these early warnings. The risk was no longer theoretical. Security researchers had proved, in front of global audiences, that implantable and wearable devices could be hijacked not eventually, but now.
In October 2018, after another round of successful pacemaker exploits, a major manufacturer was forced to temporarily shut down part of its network to contain the threat. Around the same time, the Association of American Medical Colleges (AAMC) published “Exposing vulnerabilities: How hackers could target your medical devices”, a piece that summarised these growing concerns in plain language. It warned of vulnerabilities in insulin pumps, pacemakers, and neurostimulators. All real. All confirmed.
And then came the Medtronic case.
In 2019, the FDA issued a formal safety communication regarding a critical vulnerability in Medtronic’s implantable cardiac devices, including pacemakers, defibrillators, CareLink programmers, and home monitors. All relied on Conexus, a wireless protocol with no encryption, no authentication, and no integrity verification.
This meant a nearby attacker could intercept signals, alter commands, drain batteries, or even modify life-sustaining therapy settings. It was a textbook example of how digital convenience, without security, can compromise patient safety.
⚠️ No encryption. No authentication. No safety net.
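As an added illustration (not code from the original post, from Qity or from Medtronic), the toy Python model below shows what two of the three missing properties, authentication and integrity verification, look like on a programmer-to-implant command frame, together with replay protection; the key, frame layout and command codes are assumptions, and encryption is deliberately left out to keep the focus on why a tampered or replayed command must be rejected.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real implant would be provisioned with a per-device key.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
# Assumed frame layout: 4-byte counter | 1-byte command | 2-byte parameter | 32-byte HMAC-SHA256 tag
HEADER = struct.Struct(">IBH")


def build_frame(key: bytes, counter: int, command: int, param: int) -> bytes:
    """Programmer side: tag the header so alteration or replay is detectable."""
    header = HEADER.pack(counter, command, param)
    return header + hmac.new(key, header, hashlib.sha256).digest()


class Device:
    """Implant side: apply a command only if its tag verifies and its counter is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.applied = []  # (command, param) pairs that actually changed settings

    def receive(self, frame: bytes) -> bool:
        if len(frame) != HEADER.size + 32:
            return False
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return False  # forged or altered command
        counter, command, param = HEADER.unpack(header)
        if counter <= self.last_counter:
            return False  # replay of an earlier frame
        self.last_counter = counter
        self.applied.append((command, param))
        return True


def demo() -> dict:
    """Genuine frame is applied; a bit-flipped copy and a replay are both rejected."""
    device = Device(DEVICE_KEY)
    genuine = build_frame(DEVICE_KEY, counter=1, command=0x10, param=60)
    altered = bytearray(genuine)
    altered[5] ^= 0xFF  # change the parameter field without re-computing the tag
    return {
        "genuine": device.receive(genuine),
        "altered": device.receive(bytes(altered)),
        "replayed": device.receive(genuine),
        "applied": device.applied,
    }
```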
Security researchers Billy Rios and Jonathan Butts, Ph.D. uncovered the issue and followed proper disclosure processes. The result: global regulatory scrutiny, DHS involvement, and forced limitations on the affected devices. Wireless updates were disabled. Clinics had to revert to manual intervention.
And while no known patient harm occurred, the risk alone was enough to trigger immediate action.
A Regulatory Watershed
The Medtronic case was not just about one product line. It highlighted a systemic problem: the assumption that a Class III device, because it is highly regulated, must also be secure.
The FDA responded not only with enforcement but with structural change. The case directly contributed to the evolution of guidance and expectations. By 2023, new FDA requirements came into effect, mandating:
- Software Bills of Materials (SBOMs)
- Secure update and patching mechanisms
- Risk-based threat modelling
- Design-phase security controls
These are no longer exceptional. They are required.
Qity's Perspective: Security is a Prerequisite, Not an Add-On
At Qity, we support medtech innovators across Europe and beyond. From early-stage startups to market-ready manufacturers, we help teams embed cybersecurity from the first line of code through to FDA or MDR submissions.
We bring together experts in quality, regulatory affairs, and cybersecurity to ensure your device meets both technical expectations and regulatory obligations. Whether it is supporting secure software architecture, documenting your risk controls, or preparing your 510(k) cybersecurity attachments, Qity equips your team to meet the evolving expectations of a connected healthcare system.
The Medtronic case reminds us that the consequences of neglecting cybersecurity are not theoretical. They are real, reputational, and potentially fatal.
Security by design is not optional. It is the only path forward.
🧭 Is your device secure enough for today’s regulatory environment?
If you are building connected devices, or already have them on the market, now is the time to strengthen your cybersecurity posture. We have helped companies, with demonstrable success, establish sound cybersecurity processes and secure product development frameworks, and we have carried out countless information security and cybersecurity assessments (including threat modelling, penetration testing, and contextual assessments) that resulted in successful and timely market submissions.
📩 Reach out to Qity to discuss practical, scalable, and regulatory-aligned strategies to secure your technology and protect your patients.