Cybersecurity and Penetration Testing for Medical Systems
Medical devices are increasingly connected, and their software is increasingly complex. Because many of them are highly safety-critical, such as pacemakers and insulin pumps, they need to be hardened against cyberattacks. The healthcare industry uses various methods for security verification and validation, such as static code analysis, fuzzing and classic black-box penetration testing (PenTest). Yet we find that with classic security testing, vulnerability detection is inefficient and incomplete. In this article we show how an enhanced grey-box PenTest (GBPT) based on TARA (threat analysis and risk assessment) needs fewer test cases while being more effective in terms of coverage and producing fewer false positives. Through its integration with test-oriented requirements engineering (TORE), it supports a true triple-peak method, connecting requirements elicitation, analysis and test strategy. A side effect of GBPT is its minimum viable test set, which eases regression testing in agile development and redeliveries while remaining FDA compliant. This article introduces the GBPT method and applies it to a real-world insulin pump, showing how it is carried out and what benefits it brings. KPIs are introduced to show the efficiency and effectiveness of GBPT.
What will the audience learn in this talk?
- Cybersecurity testing in medical devices
- Grey-Box PenTest method
- Hands-on example with an insulin pump
Safety & Security