For Medical Device Manufacturers
Cybersecurity Consulting
Build More Secure Devices
From Design Through Regulatory Approval
Our clients have developed remarkable technology to monitor patients’ health, diagnose disease, and deliver lifesaving treatments. However, with every new medical device they create – which usually requires connectivity to enterprise networks and multiple software applications – they face a growing number of cyber threats.
That’s why many medical device manufacturers – from the most respected in our industry to startups – rely on MedSec during the development process to ensure the following:
- Greater speed to market
- Fewer regulatory delays
- Compliance with international standards
- Comprehensive regulatory submission documentation
- Pre-submission assistance
- Support to address deficiencies and vulnerabilities
- Enhanced maturity of risk management programs
- Continuous improvements to patient safety
MedSec helps our clients design and build medical devices to resist cyberattacks and to prevent access to the vital networks healthcare delivery organizations operate.
Moreover, MedSec’s team of cybersecurity experts, which includes some of the industry’s most recognized authorities, provides guidance to ensure device manufacturers meet increasingly complex regulations imposed by the FDA and other regulatory bodies throughout the world.
More Than Just Ensuring Regulatory Compliance
At MedSec, we do more than ensure regulatory compliance – we ensure that unique cybersecurity risks are immediately addressed. In addition to adapting device regulations from the International Organization for Standardization (ISO), the European Union, and countries that have adopted the Medical Device Single Audit Program (MDSAP), MedSec is part of the team leading the charge to guide regulatory measures.
Partner With MedSec, A Little Or A Lot
At MedSec, we recognize that every manufacturer has different internal resources. That’s why we structure our consulting engagements to meet your needs. Hire us for a deep dive into a major product line or division, or engage our experts on a project-by-project basis…whatever works best for your organization.
We offer a continuum of consulting services so you can access precisely what you need, including:
Product Security Programs - Establishing and Integrating
The MedSec team is ready to review and aid in the integration of processes and procedures to ensure that your product security program is compliant – whether it is brand-new or a retooling of an existing program. We can also help make your product security programs part of your overall quality system flow.
The MedSec team is intimately familiar with industry-leading documents, such as AAMI TIR 57 for security risk management, AAMI TIR 97 for postmarket security risk management, IEC 80001-2-2 for security capabilities, IEC 62443, ISO/IEC 15408, UL 2900, NIST SP 800-53, the NIST RMF, and FIPS 140-2 and 140-3.
MedSec is ready to assist in the execution of every aspect of your product security program, including:
- Product Security Programs, including:
  - Product Security Incident Response Program
  - Vulnerability Monitoring and Management Process
  - Patch Management Process
  - Product Security Baseline Design Requirements
  - Secure Development Lifecycle
- Coordinated Vulnerability Disclosure
- Cybersecurity Risk Management
- Cybersecurity Risk Assessment
- Penetration Testing
- System Design And Architecture Review
- Regulatory Compliance
- Strategic Planning
- Training
Cybersecurity Risk Management
You cannot secure what you don’t know you have. The foundation to a successful medical device cybersecurity program is knowing what medical devices you have, where they are, what they are doing, and whether they need cybersecurity attention. MedSec offers services and solutions to tackle this unique and fundamental challenge.
Coordinated Vulnerability Disclosure
Coordinated vulnerability disclosure (CVD) is a practice used across every industry in which a security researcher agrees to coordinate the disclosure of a vulnerability with the manufacturer, typically after a fix has been developed.
Having a process for coordinated vulnerability disclosure helps manage the business risk of researchers finding vulnerabilities in your products. The FDA also offers incentives to companies with robust disclosure and patch management programs for managing qualified vulnerabilities and reducing regulatory burden. MedSec assists in building or fortifying your coordinated vulnerability disclosure program, and in ensuring you take advantage of the incentives available from the FDA to reduce your postmarket regulatory burden when patching.
Product Security Incident Response Program
Cybersecurity attacks on medical devices and healthcare critical infrastructure are occurring more frequently. Incident response describes the process by which an organization handles a cybersecurity attack, ensuring that teams respond quickly and seamlessly to an incident. MedSec can assist in several ways, including helping build or mature a product security incident response program and running tabletop exercises in which teams assemble and practice their process. Tabletop exercises are critical to an efficient and responsive team.
Vulnerability Monitoring and Management Process
Vulnerability monitoring and management presents a new challenge to medical device manufacturers, who are expected to monitor their products, including third-party software components, for new vulnerabilities after the products are placed on the market.
Each new vulnerability must be assessed to determine whether patching is required and, if so, how urgently. MedSec assists in the development of this process and its integration into the larger Quality System.
Patch Management Process
Software patching is not new for medical device manufacturers. However, security patches can create an increased burden because effectively managing security vulnerabilities demands a faster and more frequent patching cadence.
Both hospitals and regulators are putting pressure on medical device manufacturers to patch quickly and frequently to protect the healthcare critical infrastructure. This can strain manufacturers whose patch management programs were built years, if not decades, earlier.
MedSec can help you update your patch management process to meet customer and regulatory expectations.
Product Security Baseline Design Requirements
A common question in security is: “How much security is enough security?” A good way to address this question is to develop a set of baseline security requirements that work for your products and organization. These baseline design requirements are typically established from industry best practices, standards, and regulatory requirements.
MedSec staff have deep technical knowledge in this area and can help you navigate the often-confusing world of coding standards and compliance expectations. This is rarely a one-size-fits-all situation, and we can help you find the right fit.
Secure Development Lifecycle
Adding security during the design process is more cost-effective and more successful than adding it as an afterthought. MedSec specializes in the security of medical devices and can help you assess and mature your existing process to keep development costs and timelines in check.
However, security does not stop when the product is released to market. Part of lifecycle management is maintaining that security posture throughout the defined life of the medical device. This involves consistent vulnerability monitoring, postmarket risk management, patching, and incident response.
MedSec can help you connect these security elements and ensure that they are integrated into the larger quality system, streamlined, and efficient.
Cybersecurity Risk Assessment
Meet FDA and other global premarket cybersecurity guidance documents by conducting a cybersecurity risk assessment with MedSec. Cybersecurity risk assessments are an expected part of an FDA 510(k) or PMA submission. MedSec uses the industry-leading AAMI TIR 57 methodology to develop a full cybersecurity risk assessment ready for an FDA or global filing.
Penetration Testing
The MedSec team can perform vulnerability and penetration testing on your medical device or medical device ecosystem. Because MedSec specializes in medical devices, we understand the unique regulatory environment, operating environment, and use cases.
System Design And Architecture Review
Catching cybersecurity weaknesses at the design phase of a product lifecycle is typically the least disruptive point to address them. Our cybersecurity experts will review design and architecture documentation to identify potential areas of weakness and help develop design changes that secure them.
Regulatory Compliance
Our experts have extensive experience driving positive cybersecurity policy changes through various activities with the FDA. In addition, they remain dedicated to strengthening the productive relationship between regulatory agencies and industry. The MedSec team can assist in navigating the medical device regulatory environment for cybersecurity and software issues through consultation and strategic planning.
Let us help you reduce the likelihood of impacts on product delivery timelines due to unexpected regulatory delays through assistance with:
- Global regulatory compliance in cybersecurity and software
- Global regulatory submission activities, including:
  - Creation and/or review of cybersecurity and software section content
  - Support for responses to deficiency letters involving cybersecurity and software issues
- Product classification, particularly with digital health products and new 21st Century Cures Act guidance in the U.S.
- Regulatory strategy for designing and managing connected and software-driven devices, considering new guidelines from the U.S. FDA, European Union, Asia, Australia, and Canada
- Support for cybersecurity and software-related issues at FDA meetings and engagements (onsite and behind-the-scenes), including pre-submission meetings
Strategic Planning For Device Design And Classification
Regulators from across the globe are releasing new guidance and requirements in cybersecurity and software. The MedSec team can assist with regulatory strategy to achieve the best balance between innovation and compliance. We can assist with key interpretations of international regulations, guidance documents, and directives, as well as with classifying your digital health devices. In addition, we can aid in process improvements and efficiencies that can be implemented across your quality system.
Training
The MedSec team comprises industry experts who stay involved in ever-evolving cybersecurity trends. Allow us to bring that knowledge to your teams in customized training that keeps your team informed and engaged in new expectations and guidance. Our training covers current and emerging expectations from across the globe to ensure that you are prepared for today and planning for the future.
Topics include:
- Threat Modeling — how to create, leverage, and integrate a threat modeling practice into your safety and security risk management process
- Cybersecurity Compliance — updates on global cybersecurity guidance in key markets such as the U.S., Europe, Australia, Canada, and Asia
- Standards — outline and use of domestic and international cybersecurity and software standards, plus a review of upcoming cybersecurity and software standards
- Digital Health Strategy — make the most of recent guidance on SaMD and emerging technology
- Tabletop Exercises — pressure-test your product security program with incident simulations to ensure readiness for the next global event
- Secure Design Lifecycle — integrate cybersecurity into your product development lifecycle