Protect Your Medical Devices

Secure your devices with trusted state-of-the-art solutions and advisory services to ensure a forward leaning posture.
Need a trusted MedTech cybersecurity partner?

A proven medical device cybersecurity partner

Voted the ‘Best Cybersecurity Company’ for three years running, we can help you secure your new and legacy medical device products and business model. Our team of passionate MedTech experts has developed a medical device specific cybersecurity portfolio, certified to ISO 13485:2016, and created tailored advisory services to meet the challenges medical device manufacturers face.

Your trusted medical device cybersecurity partner

Voted the ‘Best Cybersecurity Company’ for three years running, our comprehensive portfolio of cybersecurity solutions, built over five decades, is tailored specifically to the needs of MedTech. Coupled with our advisory services, it will ensure your devices are ready for market approval.

Providing cybersecurity solutions for each stage of the lifecycle of your medical device

Our business is ISO 13485:2016 certified, and we are ready to protect your medical devices, renew your device security and empower your future innovations.

Protect your medical device

Build secure medical devices with our trusted technology and advisory solutions for full regulatory compliance from day one.

Our technology and advisory solutions include:

  • Advisory services: Ensure robust security capabilities, prepare for comprehensive audits and conformity assessments and address all security-related deficiencies.
  • Software security controls: Mitigate risks and ensure advanced protection from adversarial attacks with solutions from our portfolio of proven cybersecurity technologies.
  • Managed cryptographic services: Rapidly deploy full cryptographic capabilities with our managed PKI suite. Our commitment to quality is evidenced by ISO 27001 certification.


Renew your device security

Enjoy long-term renewable security for new and legacy devices with our solutions tailored to both monitor and remediate vulnerabilities.

Our solutions for renewable security include:

  • Recurrent testing: Strengthen your security practices with our robust, comprehensive Penetration Testing services and standards-based Security Risk Assessments.
  • Threat model and MedTech vulnerability management: Leverage a quality-process-friendly security risk management solution using our purpose-built platform for medical device manufacturers.
  • Renewable security for devices: Expand your ability to patch existing and legacy devices using our patented Whitebox solution. Easily integrate it with our managed PKI suite.


Empower your medical device business

Increase transparency and accelerate innovation with our business enablement solutions, ensuring your IP and fielded devices are secure.

Our secure business enablement solutions include:

  • User level security controls: Prevent unauthorized use of your devices and decouple user privileges from local systems while enabling new business models and features.
  • Security risk clearing house: Empower your stakeholders with privileged security risk information delivered securely and seamlessly through our validated clearing house platform.
  • AI/ML enabled medical device controls: Protect your IP and patient data and prevent adversarial attacks at the edge and in the cloud using our suite of AI/ML security controls.

What makes for an excellent cybersecurity partner to medical device manufacturers?

Our MedTech cybersecurity team consists of highly qualified healthcare and product security experts, backed by the original pioneer of white-box cryptography and a large global cybersecurity patent portfolio.

Frequently asked questions

How does cybersecurity factor throughout a medical device's product lifecycle?

Micro- and nanotechnologies, the nearly infinite expansion of software into everything and the almost zero cost of always-on connectivity are leading enablers of innovation in the MedTech industry, with massive potential benefit for society.

But these enabling technologies come with new risks: software has bugs, connectivity enables unwanted access and hardware can be programmed to do things it wasn’t intended to do. In the heavily regulated medical device world, safety has always been the top consideration when developing a new medical device.

These new risks are not exactly safety risks in the traditional sense but rather security risks that impact safety and effectiveness. And so, in order to ensure the safety of patients and effectiveness of these new innovative devices, the medical regulatory bodies are expanding the required activities specific to cybersecurity, through the application of Security Risk Management.

This means that new or more substantive activities are required at each stage of the device lifecycle to ensure the secure design, operation and eventual decommissioning of all active medical devices. These activities include process-related items, such as implementing a Security Risk Management Process, adopting a Secure Product Development Framework and conducting security risk and product security assessments, as well as implementing technologies that serve as security controls and signal monitoring for new threats during the post-market stage of the product.

What is a Secure Product Development Framework (SPDF)?

The implementation of a Secure Product Development Framework (SPDF) is now an essential activity for manufacturers of active medical devices. For many manufacturers the reality will be that adopting an SPDF is simply an incremental improvement effort to their existing Quality System Regulation (QSR) compliant design processes.

For those unfamiliar with the term, an SPDF is similar in concept to a Secure Software Development Framework (SSDF) but encompasses all of the product components in addition to the software elements and, where relevant, takes into account the broader medical system the device interacts with.

For manufacturers currently exploring what the newly required activities are, the FDA has identified the Health Sector Coordinating Council Joint Security Plan as an ideal starting point. This guidance advising the adoption of SPDF is further evidence of the regulatory push towards more advanced cybersecurity practices.

At the operational level, an SPDF adds new processes to the premarket stages of the device lifecycle. Some of the key premarket activities are threat modeling from the initial concept stage, conducting product security risk assessments, specifying lifecycle security requirements, specifying security controls, evaluating the software supply chain and ensuring manufacturing processes are secure.

Many of the premarket activities can also be categorized as employing a ‘security-by-design’ approach. During the qualification stage these activities include security testing in addition to traditional verification and validation.

In the post-market stage, activities include continuous monitoring for vulnerabilities and threats, ensuring robust patch management, ensuring processes for incident management and response, and support for end of life. An all-encompassing approach that involves the various stakeholders will provide a more robust defense against potential cyber risks.

What is Security-By-Design?

Security-by-design in medical devices is a proactive approach that applies security principles to the product design. It means considering potential threats, vulnerabilities and security controls from the outset. The approach helps the design team make use of the best technology without compromising security and eliminates the risk of having to implement major revisions when approaching pre-market submission.

Regarded as industry best practice, it is increasingly being advocated by regulatory authorities, including the FDA.

Where does the concept of ‘state-of-the-art’ come from and what does it mean?

The concept of ‘state-of-the-art’, as used in the context of the European Union’s Medical Device Regulation (EU MDR), encapsulates the concept of building products capable of ongoing technological improvement using the most current development standards and the best practices in the industry.

Medical devices, which usually possess a longer lifespan compared to various other technologies, are expected to uphold the most current and effective practices. Even if these practices are not explicitly mandated, their implementation may be thoroughly examined by authorities.

What are the main cybersecurity medical device requirements that I should know of?

In the MedTech device segment, market access is governed by legislation that establishes both regulatory agencies and schemes to ensure the safety and effectiveness of the devices.

In the United States, the Food and Drug Administration (FDA) is the government agency that defines the policy and requirements, while in the European Union (EU) the EU Council has developed a more federated scheme using the Conformity Assessment (CE Mark) approach through the Medical Device Regulation (MDR-2017) and the Competent Authority/Notified Body system.

While both large markets have different regulatory pathways, many of the activities relating to cybersecurity are quite similar and will continue to be harmonized over time through the evolution of ‘state-of-the-art’ practices and the efforts of industry bodies like the International Medical Device Regulators Forum (IMDRF).

With such significant regulatory complexity, there is no simple list of requirements that clearly lays out everything that must be done. Rather, there are different types of documents that define the cybersecurity standards (AAMI SW 96, UL-2900), guidance documents (FDA Premarket Submissions, IMDRF WG 60, MDCG 2019-16), legislation pertaining to data usage and protection, the application of risk management, and medical device specific software development standards.

The US and EU markets are governed at their highest levels by the following regulations:

  • The EU market: Medical Device Regulation of 2017 and In Vitro Diagnostics Regulation of 2018
  • The US market: Code of Federal Regulations Title 21 (FDA)

Both markets are, however, advancing toward unified standardization, led by state-of-the-art practices and industry bodies.

What is ISO 13485 and how does it impact the development of medical devices?

ISO 13485 is an internationally recognized standard for quality management systems in the medical device industry. It is used by organizations involved in the design, production, installation and servicing of medical devices and related services. The standard is used by internal auditors and external parties, such as certification bodies, to determine conformance. In addition, obtaining ISO 13485 certification is often seen as a mark of quality assurance, making it a key requirement for many customers and vendors.

What are the responsibilities of the Health Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) for maintaining secure devices?

Both Health Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) share responsibility for medical device security. HDOs are accountable for maintaining secure networks, applying patches and ensuring devices operate within a secure environment.

On the other hand, MDMs are obligated to ensure they produce and sell secure devices, regularly monitor and manage vulnerabilities and maintain security throughout the device lifecycle.

The industry has also developed a Joint Security Plan to help better define the stakeholder responsibilities.

Contact Your MedTech Cybersecurity Partner

We’re here to help. Even if we don’t have a solution for you, we promise to send you in the right direction.