What the Medtronic Breach Means for Security Experts

Medtronic released a statement confirming a data breach of its corporate IT systems. The medical equipment manufacturer asserted it saw no evidence of impact on products, manufacturing/distribution operations, financial reporting systems, patient safety, or ability to meet patient needs, as the networks supporting corporate IT operations are separate from other functions. ShinyHunters has claimed responsibility for the attack.
“ShinyHunters’ continued success with phishing attacks against enterprise targets tells us that organizations are still granting far more access than any individual role requires,” says Chris Radkowski, GRC Expert at Pathlock. “Enforcing least-privilege access and continuous access certification at the application layer would have significantly reduced the risks associated with this attack.”
At this time, the company is working to determine what personal information, if any, may have been affected.
As this story continues to develop, security experts are sharing their insights on the broader implications of this breach.
“This attack highlights the escalating threat landscape facing the healthcare and medical technology sectors,” explains Agnidipta Sarkar, Chief Evangelist at ColorTokens. “While Medtronic successfully contained the breach to its corporate IT network, preventing disruption to its manufacturing and product lines, the incident underscores the critical need for robust measures to be ready for the next possible breach.”
Bolstering security against the current threat landscape can be complicated, Sarkar explains, considering how intricate and intertwined these issues can be. “At the heart of the challenge are high levels of both complexity and uncertainty. It’s time to keep abreast of geopolitical signals, anticipate attacks, model defenses, and adapt digital landscapes to deny attackers any room to maneuver.” He adds, “Technologies such as microsegmentation, especially agentless with EDR, contribute significantly to building this capability. Marshal your existing investments in EDR through API integration to define zones critical to the business and define conduits that can be disconnected on demand to contain cyberattacks.”
The complexity of the modern threat landscape isn’t the only broader implication this breach emphasizes. Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, asserts that incidents like this can also be opportunities for the security industry.
“Whenever there is an attack on society-critical systems, whether we’re talking about critical infrastructure or, as is the case with Medtronic, a critical provider of healthcare technologies, this represents an opportunity for all defensive teams to review how they segment users, data, and operations,” Mackey asserts. “For example, an attack on a medical device manufacturer shouldn’t directly impact healthcare providers — unless that attack exfiltrated product designs and software. If such an exfiltration were to occur, inspecting those designs and software shouldn’t expose any product weaknesses — unless that data wasn’t encrypted at rest. If an exfiltration occurred, or malware was installed on product or manufacturing workstations, then patient risk might be compromised — unless additional reviews are performed. In this case Medtronic states that only corporate IT systems were involved and that corporate networking is separated from product and operations. Mitigating cyberattacks is a defense in depth exercise which starts with controlling access — such as with zero trust architectures and network management.”
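The zone-and-conduit model Sarkar describes (business-critical zones, explicit conduits between them, conduits disconnected on demand when EDR fires) and the segmentation review Mackey calls for can be made concrete in a small policy model. The following is an added example written for this page; it is not code from Medtronic, ColorTokens, Black Duck or any EDR vendor. The zone names, hostnames, the alert dictionary and the host-to-zone mapping are all constructed for illustration, and the "EDR API integration" is represented by a plain dict standing in for whatever an integration would deliver.

```python
# Added example (not Medtronic's or any vendor's code): a toy microsegmentation
# policy with default-deny zones, explicit conduits, and on-demand isolation
# triggered by an EDR alert. Zone names, hostnames and the alert format are
# constructed for illustration only.
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Conduit:
    """One explicitly allowed cross-zone flow: direction, port and protocol."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


class SegmentationPolicy:
    """Zones are isolated by default; cross-zone traffic needs a matching conduit."""

    def __init__(self, zones):
        self.zones = set(zones)
        self.conduits = set()
        self.isolated = set()

    def allow(self, src, dst, port, proto="tcp"):
        unknown = {src, dst} - self.zones
        if unknown:
            raise ValueError(f"unknown zone(s): {sorted(unknown)}")
        self.conduits.add(Conduit(src, dst, port, proto))

    def is_allowed(self, src, dst, port, proto="tcp"):
        """Default deny: unknown zones, isolated zones and undeclared flows all fail."""
        if src not in self.zones or dst not in self.zones:
            return False
        if src in self.isolated or dst in self.isolated:
            return False  # conduit has been disconnected on demand
        if src == dst:
            return True  # intra-zone traffic is outside this model's scope
        return Conduit(src, dst, port, proto) in self.conduits

    def isolate(self, zone):
        """Containment: sever every conduit touching `zone`. Returns what was cut."""
        if zone not in self.zones:
            raise ValueError(f"unknown zone: {zone}")
        self.isolated.add(zone)
        return sorted((c.src, c.dst, c.port, c.proto)
                      for c in self.conduits if zone in (c.src, c.dst))

    def restore(self, zone):
        """Reconnect a zone once the incident is closed."""
        self.isolated.discard(zone)


def contain_from_edr_alert(policy, alert, host_zones, min_severity="high"):
    """Map an EDR alert's host to its zone and isolate that zone if the alert
    is severe enough. `alert` is a constructed dict standing in for what an
    EDR API integration would deliver; returns the conduits cut, or None."""
    if SEVERITY.get(alert.get("severity"), 0) < SEVERITY[min_severity]:
        return None
    zone = host_zones.get(alert.get("host"))
    if zone is None:
        return None  # unmapped host: log and escalate rather than guess a zone
    return policy.isolate(zone)


def build_sample_policy():
    """Constructed zones and conduits, loosely modelled on a corporate IT /
    engineering / manufacturing split; not any real network."""
    p = SegmentationPolicy(["corp_it", "erp", "engineering", "manufacturing"])
    p.allow("corp_it", "erp", 443)               # office users reach the ERP front end
    p.allow("corp_it", "engineering", 443)       # ticketing/web access into engineering
    p.allow("engineering", "manufacturing", 22)  # firmware push to the line, one direction
    return p


# Constructed sample data: a phished office workstation in the corporate IT zone.
SAMPLE_HOST_ZONES = {"corp-ws-17": "corp_it", "eng-build-02": "engineering"}
SAMPLE_ALERT = {"host": "corp-ws-17", "severity": "high",
                "detection": "credential-phishing page followed by token theft"}


def demo():
    """Run the containment scenario end to end; returns the verdicts."""
    p = build_sample_policy()
    before = p.is_allowed("corp_it", "erp", 443)
    cut = contain_from_edr_alert(p, SAMPLE_ALERT, SAMPLE_HOST_ZONES)
    after = p.is_allowed("corp_it", "erp", 443)
    untouched = p.is_allowed("engineering", "manufacturing", 22)
    return before, cut, after, untouched


if __name__ == "__main__":
    print(demo())
```

Two properties matter here. Conduits are directional and port-specific, so reversing a flow or changing the port is denied even between zones that otherwise talk; and isolating the compromised corporate zone cuts only its conduits, leaving the engineering-to-manufacturing path intact, which is the separation Medtronic's statement relies on.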
The attack against Medtronic comes a little more than a month after the Iranian cyberattack against the medical technology company Stryker, which caused a global outage of company systems.