Guardians in the Grey Zone: A Narrative Review of Ethical Hacking and Offensive Security Across the Medical Device Lifecycle

Hamed Tarqi Alanazi (1), Omad Naif Aldhafeeri (1), Abdullah Ali Mesfer Alharbi (1), Ahmed Asi Hassan Alshammari (1), Salamah Falah Aljameeli (1), Mashari Saad D Alshammari (2), Faisal Asi H Alshammari (3), Majed Hussain M Alanazi (1)
(1) Hafar Al-Batin Health Cluster, King Khalid General Hospital in Hafar Al-Batin, Ministry of Health, Saudi Arabia
(2) Hafar Al-Batin Health Cluster, Ministry of Health, Saudi Arabia
(3) Eradah And Mintal Hospital Hafr Al Batin, Hafar Al-Batin Health Cluster, Ministry Of Health, Saudi Arabia

Abstract

Background: The increasing connectivity of medical devices, from implantable neurostimulators to hospital infusion pumps, has exponentially expanded the attack surface in healthcare. These devices, critical to patient safety, are attractive targets for malicious actors, making robust security assessments imperative.

Aim: This narrative review aims to synthesize current evidence on the application of offensive security practices (specifically penetration testing, red teaming, and bug bounty programs) throughout the total product lifecycle of medical devices, from pre-market development to post-market surveillance.

Methods: A systematic search of academic databases (PubMed, IEEE Xplore, ACM Digital Library) and grey literature (regulatory documents, security advisories, conference proceedings) was conducted for literature published between 2010 and 2024.

Results: Offensive security practices are increasingly integrated but inconsistently applied. Pre-market, penetration testing is often a compliance checkbox, while post-market, reactive bug bounty programs reveal critical vulnerabilities. A significant gap exists in proactive, continuous red teaming during the operational phase. Legal frameworks, particularly the U.S. FDA’s pre-market guidance and post-market cybersecurity directives, provide structure but lack specificity, creating ambiguity for researchers and manufacturers.

Conclusion: Ethical hacking is a crucial but under-optimized component of medical device security. Moving from a compliance-centric to a resilience-centric model requires harmonized regulations, safe harbors for good-faith research, and the institutionalization of continuous offensive security as a core component of device lifecycle management.

Authors

Hamed Tarqi Alanazi
h.b.alanzi8@gmail.com (Primary Contact)
Omad Naif Aldhafeeri
Abdullah Ali Mesfer Alharbi
Ahmed Asi Hassan Alshammari
Salamah Falah Aljameeli
Mashari Saad D Alshammari
Faisal Asi H Alshammari
Majed Hussain M Alanazi
Alanazi, H. T., Aldhafeeri, O. N., Alharbi, A. A. M., Alshammari, A. A. H., Aljameeli, S. F., Alshammari, M. S. D., … Alanazi, M. H. M. (2025). Guardians in the Grey Zone: A Narrative Review of Ethical Hacking and Offensive Security Across the Medical Device Lifecycle. Saudi Journal of Medicine and Public Health, 2(2), 3391–3398. https://doi.org/10.64483/202522619
