Medical Device Manufacturer Services

CONSULTING SERVICES

Our Services for Device Manufacturer Organizations Include:

Whether you have key components of your product security program already in place or want to establish a new, robust and mature program, the MedSec team is ready to review and aid in the integration of processes and procedures to ensure that your product security program is compliant and part of your overall quality system flow. The MedSec team is intimately familiar with industry-leading documents such as AAMI TIR 57 for security risk management, AAMI TIR 97 for postmarket security risk management, IEC 80001-2-2 for security capabilities, IEC 62443, ISO/IEC 15408, UL 2900 and NIST SP 800-53.

MedSec is ready to assist in the execution of every aspect of your product security program, including:

  • Cybersecurity Risk Management for both new and legacy product lines
  • Coordinated Vulnerability Disclosure programs
  • Product Security Incident Response and Event Management
  • Vulnerability Monitoring and Management
  • Patch Management
  • Product Security Baseline Design Requirements

Cybersecurity risk management is the central hub of a manufacturer’s entire product security program. This is where information about threats, vulnerabilities, assets, impacts, and controls is collected and assessed. A well-organized and robust security risk management program is crucial to maintaining the nimbleness and responsiveness of design controls, vulnerability management, incident response, and other aspects of product security. It can also be one of the more challenging processes to get right. But it is so important to the management of cybersecurity in a medical device that every regulatory body has identified security risk management as an essential part of this process. MedSec is uniquely positioned, with the experience and knowledge to help you build a cybersecurity risk management program from the ground up or to assess your existing process and recommend steps to increase the value and maturity of your current process.

Researchers are an important aspect of helping to manage medical device security. If they find a vulnerability associated with your medical device, you want them to contact you and not someone else. Coordinated vulnerability disclosure (CVD) is the process used by every industry where a security researcher agrees to coordinate the disclosure of the vulnerability with the manufacturer, typically after a fix has been developed. Having a process for coordinated vulnerability disclosure not only helps to manage the business risk of having researchers find vulnerabilities in your products; the FDA also offers incentives that reduce the regulatory burden of managing qualified vulnerabilities for those companies with robust disclosure and patch management programs. MedSec is able to assist not only in building or fortifying your coordinated vulnerability disclosure program but also in ensuring that you take advantage of the incentives available from FDA to reduce your postmarket regulatory burden when patching.

Cybersecurity attacks on medical devices and healthcare critical infrastructure are occurring with greater frequency. Incident response is a term used to describe the process by which an organization handles a cybersecurity attack, ensuring that teams respond quickly and seamlessly to an incident. MedSec can assist in several ways, including helping to build or mature a product security incident response program as well as helping to run tabletop exercises where teams assemble and practice their process. Tabletop exercises are critical to an efficient and responsive team.

Vulnerability monitoring and management presents a new challenge to medical device manufacturers. Medical device manufacturers are expected to monitor their products, including the third-party software components, for new vulnerabilities after they are placed on the market. Any new vulnerability must be assessed to determine whether patching is required and, if so, how urgently. MedSec offers assistance in developing and maturing this process and its integration into the larger Quality System.

Software patching is not new for medical device manufacturers. However, security patches can create an increased burden due to the pace and frequency of the patching process required to manage security vulnerabilities effectively. Both hospitals and regulators are putting pressure on medical device manufacturers to patch quickly and frequently to protect the healthcare critical infrastructure. This can strain manufacturers who built their patch management programs years, if not decades, earlier. MedSec can help you update your patch management process to meet customer and regulatory expectations.

A common question in security is: how much security is enough security? A great way to address this issue is to develop a set of baseline security requirements that work for your products and organization. These baseline design requirements are typically established based on industry best practice, standards, and regulatory requirements. MedSec staff have deep technical knowledge in this area and can help you navigate the often-confusing world of standards, coding standards, and compliance expectations. This is often not a one-size-fits-all situation, and we can help you find the perfect fit!

Designing in security is more cost-effective and successful than adding it as an afterthought towards the end of design. MedSec specializes in the security of medical devices and can help you assess and mature your existing process to keep development costs and timelines in check. But security does not stop when the product is released to market. Part of lifecycle management is maintaining that security posture throughout the defined life of the medical device. This involves consistent vulnerability monitoring, postmarket risk management, patching, and incident response. MedSec can help you tie all of these pieces together and ensure that they are integrated into the larger quality system, streamlined, and efficient.

Meet the FDA and other global premarket cybersecurity guidance documents by conducting a cybersecurity risk assessment with MedSec. Cybersecurity risk assessments are an expected part of an FDA 510(k) and PMA, and of several key global markets. MedSec uses the industry-leading AAMI TIR 57 methodology to develop a full cybersecurity risk assessment ready for an FDA or global filing.

The MedSec team can perform vulnerability and penetration testing on your medical device or medical device ecosystem. Because MedSec specializes in medical devices, we understand the unique regulatory environment, operating environment, and use cases.

Most cybersecurity weaknesses are the result of poor design choices. Catching cybersecurity weaknesses at the design phase of a product lifecycle typically has the least impact on the overall design lifecycle. Our cybersecurity experts will review design and architecture documentation to identify potential areas of weakness and aid in generating designs that secure those weak areas.

Our experts have extensive experience driving positive cybersecurity policy changes through various activities with FDA and remain dedicated to enhancing the productive relationship between regulatory agencies and industry. The MedSec team can assist in navigating the medical device regulatory environment for cybersecurity and software issues through consultation and strategic planning. Let us help you reduce the likelihood of impacts on product delivery timelines due to unexpected regulatory delays through assistance with:

  • Global regulatory compliance in cybersecurity and software
  • Global regulatory submission activities, including
    • Creation and/or review of cybersecurity and software section content
    • Support for responses to deficiency letters involving cybersecurity and software issues
  • Product classification, particularly with digital health products and new 21st Century Cures guidance in the US
  • Regulatory strategy for designing and managing connected and software-driven devices, considering new guidelines from the US FDA, European Union, Asia, Australia, and Canada, and
  • Support for cybersecurity and software related issues at FDA meetings and engagements (onsite and behind-the-scenes), including pre-submission meetings.

Regulators from across the globe are releasing new guidance and requirements in the area of cybersecurity and software. The MedSec team can assist in developing regulatory strategies that achieve the best balance between innovation and compliance. The MedSec team can assist with key guidance interpretations for international regulations, documents, and directives, as well as with classifying your digital health devices. We also aid in process improvements and efficiencies that can be implemented across your quality system.

The MedSec team is comprised of industry experts who stay involved in the ever-evolving cybersecurity trends. Allow us to bring that knowledge to your teams in customized training to ensure your team is informed and engaged in new expectations and guidance. Our training will include current and emerging expectations from across the globe to ensure that you are both prepared for today and planning for the future. Topics include:

  • Cybersecurity compliance: updates on global cybersecurity guidance in key markets such as the US, Europe, Australia, Canada, and Asia
  • Standards: outline and use of domestic and international cybersecurity and software standards, plus a review of upcoming cybersecurity and software standards
  • Digital health strategy: how to make the most of recent guidance on SaMD and emerging technology
  • Tabletop exercises: pressure-test your product security program with incident simulations to ensure readiness for the next global event
  • Secure Design Lifecycle: integrating cybersecurity into your product development lifecycle

Let’s work together! We want to know more about your needs.

Experts in Healthcare Cybersecurity

Meet Some of Our Consultants

  • 10+ years as an offensive security researcher
  • Ethical Hacker
  • Medical device and embedded secure design
  • Vulnerability & Penetration Testing
  • Invited speaker at medical device and cybersecurity industry-leading events
  • Chief Product Security Officer – leading the creation of product security programs
  • 40 years of healthcare experience
  • Led the development of Mayo Clinic’s Medical Device Cybersecurity Program
  • Invited speaker at: FDA, RSNA, HIMSS, H-ISAC, AHA, CHIME, American Bar Association, DMD, Gartner
  • Security Advisor for top medical device manufacturers, including: Medtronic, Siemens, Varian, Vizient
  • Member, Underwriters Laboratories Health Sciences Council
  • Co-Lead of the Health Sector Coordinating Council and Joint Security Plan
  • Member, HIMSS Privacy and Security Committee
  • Global Medical Device Cybersecurity and Software Regulatory Expert
  • Co-Chair for AAMI SM-WG01-TG01 – Health Software Quality Management, AAMI SM-WG01 Software Committee, Software Transparency SBOM Group and AdvaMed Software Working Group
  • Primary US Representative – IMDRF Software as a Medical Device Working Group
  • MDS2 Revision Project and CVSS Rubric Working Group
  • ISO/TC 215 Joint Working Group 7 U.S. Expert for IEC 80001 and IEC 62304
  • AAMI SM-WG05 Device Security WG
  • Member, AdvaMed Cybersecurity Working Group
Need our help?

Let’s discuss your unique needs and see how MedSec can help.

Office Address

350 Lincoln Road
Suite 3001
Miami Beach, FL 33139

Get In Touch

MedSec is exclusively focused on the unique challenge of medical device and healthcare cybersecurity. We’d love to talk to you about your unique challenges and how MedSec can help.