Medical Device Manufacturer Services
Our Services for Device Manufacturer Organizations Include:
- Product Security Programs – Establishment and Integration
- Cybersecurity Risk Management
- Coordinated Vulnerability Disclosure
- Product Security Incident Response Program
- Vulnerability Monitoring and Management Process
- Patch Management Process
- Product Security Baseline Design Requirements
- Secure Development Lifecycle
- Cybersecurity Risk Assessment
- Penetration Testing
- System Design & Architecture Review
- Regulatory Compliance
- Strategic Planning for Design and Classification of your Device
Whether you already have key components of your product security program in place or want to establish a new, robust and mature program, the MedSec team is ready to review your processes and procedures and aid in integrating them so that your product security program is compliant and part of your overall quality system flow. The MedSec team is intimately familiar with industry-leading documents such as AAMI TIR57 for security risk management, AAMI TIR97 for postmarket security risk management, IEC 80001-2-2 for security capabilities, IEC 62443, ISO/IEC 15408, UL 2900 and NIST SP 800-53.
MedSec is ready to assist in the execution of every aspect of your product security program, including
- Cybersecurity Risk Management for both new and legacy product lines
- Coordinated Vulnerability Disclosure programs
- Product Security Incident Response and Event Management
- Vulnerability Monitoring and Management
- Patch Management
- Product Security Baseline Design Requirements
Cybersecurity risk management is the central hub of a manufacturer’s entire product security program. This is where information about threats, vulnerabilities, assets, impacts, and controls is collected and assessed. A well-organized and robust security risk management program is crucial to maintaining the nimbleness and responsiveness of design controls, vulnerability management, incident response, and other aspects of product security. It can also be one of the more challenging processes to get right. But it is so central to managing cybersecurity in a medical device that regulators consistently identify security risk management as an essential element of it. MedSec is uniquely positioned, with the experience and knowledge, to help you build a cybersecurity risk management program from the ground up, or to assess your existing process and recommend steps to increase its value and maturity.
Security researchers play an important role in managing medical device security. If they find a vulnerability in your medical device, you want them to contact you and not someone else. Coordinated vulnerability disclosure (CVD) is the process, used across industries, by which a security researcher agrees to coordinate the disclosure of a vulnerability with the manufacturer, typically so that it is published only after a fix has been developed. Having a coordinated vulnerability disclosure process not only helps to manage the business risk of researchers finding vulnerabilities in your products; the FDA also offers incentives that reduce the regulatory burden of managing qualifying vulnerabilities for companies with robust disclosure and patch management programs. MedSec can help you build or fortify your coordinated vulnerability disclosure program and ensure that you take advantage of the incentives available from FDA to reduce your postmarket regulatory burden when patching.
Cybersecurity attacks on medical devices and healthcare critical infrastructure are occurring at greater frequency. Incident response is a term used to describe the process by which an organization handles a cybersecurity attack, ensuring that teams respond quickly and seamlessly to an incident. MedSec can assist in several ways, including helping to build or mature a product security incident response program as well as helping to run tabletop exercises where teams assemble and practice their process. Tabletop exercises are critical to an efficient and responsive team.
Vulnerability monitoring and management presents a relatively new challenge to medical device manufacturers. Manufacturers are expected to monitor their products, including their third-party software components, for new vulnerabilities after the products are placed on the market. Each new vulnerability must be assessed to determine whether patching is required and, if so, how urgently. MedSec offers assistance in developing and maturing this process and integrating it into the larger quality system.
Software patching is not new for medical device manufacturers. However, security patches add burden because effective vulnerability management demands a faster and more frequent patch cadence than manufacturers are used to. Both hospitals and regulators are pressing medical device manufacturers to patch quickly and frequently to protect the healthcare critical infrastructure. This weighs on manufacturers who built their patch management programs years, if not decades, earlier. MedSec can help you update your patch management process to meet customer and regulatory expectations.
A common question in security is: How much security is enough security? A great way to address this issue is to develop a set of baseline security requirements that work for your products and organization. These baseline design requirements are typically established based on industry best practice, standards, and regulatory requirements. MedSec staff have deep technical knowledge in this area and can help you navigate the often-confusing world of standards, coding standards, and compliance expectations. This is often not a one-size-fits-all situation and we can help you find the perfect fit!
Designing in security is more cost effective and successful than adding it as an afterthought towards the end of design. MedSec specializes in the security of medical devices and can help you assess and mature your existing process to keep development costs and timelines in check. But security does not stop when the product is released to market. Part of lifecycle management is maintaining that security position throughout the defined life of the medical device. This involves consistent vulnerability monitoring, postmarket risk management, patching, and incident response. MedSec can help you tie all of these pieces together and ensure that they are integrated into the larger quality system, streamlined, and efficient.
Our experts have extensive experience driving positive cybersecurity policy changes through various activities with FDA and remain dedicated to enhancing the productive relationship between regulatory agencies and industry. The MedSec team can assist in navigating the medical device regulatory environment for cybersecurity and software issues through consultation and strategic planning. Let us help you reduce the likelihood of impacts on product delivery timelines due to unexpected regulatory delays through assistance with:
- Global regulatory compliance in cybersecurity and software
- Global regulatory submission activities, including:
  - Creation and/or review of cybersecurity and software section content
  - Support for responses to deficiency letters involving cybersecurity and software issues
- Product classification, particularly with digital health products and new 21st Century Cures guidance in the US
- Regulatory strategy for designing and managing connected and software-driven devices, considering new guidelines from the US FDA, European Union, Asia, Australia, and Canada, and
- Support for cybersecurity and software related issues at FDA meetings and engagements (onsite and behind-the-scenes), including pre-submission meetings.
Regulators from across the globe are releasing new guidance and requirements in the area of cybersecurity and software. The MedSec team can assist with regulatory strategy to achieve the best balance between innovation and compliance, with interpretation of key international regulations, guidance documents, and directives, with classification of your digital health devices, and with process improvements and efficiencies that can be implemented across your quality system.
The MedSec team is comprised of industry experts who stay involved in ever-evolving cybersecurity trends. Allow us to bring that knowledge to your teams in customized training to ensure your team is informed about and engaged in new expectations and guidance. Our training covers current and emerging expectations from across the globe to ensure that you are both prepared for today and planning for the future. Topics include:
- Cybersecurity compliance — updates on global cybersecurity guidance in key markets such as the US, Europe, Australia, Canada, and Asia.
- Standards — outline and use of domestic and international cybersecurity and software standards, plus a review of upcoming cybersecurity and software standards
- Digital health strategy — how to make the most of recent guidance on SaMD and emerging technology
- Tabletop exercises — pressure-test your product security program with incident simulations to ensure readiness for the next global event
- Secure Design Lifecycle — integrating cybersecurity into your product development lifecycle
Let’s work together! We want to know more about your needs.
MedSec is exclusively focused on the unique challenges of medical device and healthcare cybersecurity. We’d love to talk with you about your specific challenges and how MedSec can help.