Vendor Services

MEDSEC

Dedicated to securing medical devices and medical ecosystems

MedSec is a unique worldwide company with a team of highly technical cybersecurity experts dedicated to securing medical devices and equipment.

Device Cybersecurity Risk Assessment

Meet the FDA's premarket cybersecurity guidance by conducting a cybersecurity risk assessment with MedSec. As of 2014, a cybersecurity risk assessment is an expected part of an FDA 510k filing. Our cybersecurity experts conduct the risk assessment using the AAMI TIR-57 methodology. This is an FDA approved and recommended methodology for conducting cybersecurity risk management that closely parallels ISO 14971 for easy integration into your current risk management approach. A cybersecurity risk assessment consists of several stages. MedSec is able to perform any and all of these steps to produce documents ready for your 510k filing.

Steps of a Cybersecurity Risk Assessment:
  • Threat Model
  • Vulnerability Assessment
  • Impact to the system
  • Impact to harm
  • Calculate Risk Score

Vulnerability and Penetration Assessment

Our team of cybersecurity experts can perform a Vulnerability Assessment or Penetration Test on your medical device, or medical device ecosystem. Because MedSec specializes in medical devices, we understand the unique regulatory environment, operating environments, and use cases. This knowledge helps guide us in our development of attack strategies and assessment plans. We are comfortable doing Blackbox, Whitebox, or Greybox testing.

MedSec is an approved vulnerability assessment vendor of the Mayo Clinic. If you are planning to sell a device to the Mayo Clinic and need a vulnerability assessment conducted, it's important to choose a vendor who has been vetted and approved.

Vulnerability remediation and system design review

The introduction of security mechanisms into a system can prove extremely costly if done incorrectly. In an effort to reduce medical device vulnerabilities, a manufacturer must introduce new security controls. Without the appropriate security expertise this can prove a challenge. The MedSec team has expertise in a wide variety of cybersecurity domains, and can assist in the development of new cybersecurity controls or the review of an existing design.

Key areas of remediation and review:

Vulnerability patching

Custom-developed software patches to secure embedded operating systems and software running on unsupported systems.

Integrity protection

Protection of software, hardware and firmware via the design and integration of industry-standard and custom anti-reverse engineering and tamper-proofing, with trusted computing solutions.

Device authentication solutions

Best practice and custom design and integration of multi-factor device and user authentication capabilities.

Data integrity and privacy protection

Selection and implementation of best-practice cryptographic solutions, including secure RF protocol optimization.

SDLC

Evaluation, recommendations and implementation of SDLC methodologies.

Cybersecurity Governance, Process, and Quality System compliance

A key component of addressing cybersecurity in medical device design is the creation of processes, procedures, and quality system integration. MedSec has experience integrating all aspects of cybersecurity into a device manufacturer's processes.

MedSec's partnership with device manufacturers provides re-designed or new, robust and mature security programs, allowing assured continued safety to patients throughout the entire device and system design, build and support lifetime. Whether it's cybersecurity baseline requirements, cybersecurity risk assessment, legacy device risk management, or product incident response, the MedSec team can help you develop a program that works for your culture and current processes.

If you've already got a start, MedSec can perform a gap assessment to understand where your coverage is good and where it needs to be addressed.