Cybersecurity services for Medical devices

FDA and AAMI TIR57 Compliant

Medical device vulnerability is a result of modern medical devices becoming more connected. They are connected to local databases, the cloud, and to patients' smart phones. The need for effective cybersecurity to ensure safety has never been more critical, as cybersecurity incidents have rendered medical devices and hospital networks inoperable. Regulators are giving cybersecurity their highest scrutiny during submission review. Our solutions are NIST Cybersecurity Framework compliant, and our risk management documentation is AAMI TIR57 compliant.

Premarket Cybersecurity Activities

Promenade Software Security Experts can help you with appropriate cybersecurity activities for your device. Using a risk-based approach, several options are often available to mitigate the determined risks, and your device-specific technologies will be used to determine the best fit for you. We will help you:

  1. Ensure best-in-class user and device authentication, content integrity, and confidentiality of data, ensuring defensible in-depth security.
  2. Perform a Risk Analysis, identifying and documenting the risks from your device's potential threats and vulnerabilities.
  3. Generate the necessary submission documentation for the FDA, including Cybersecurity Design documentation and Risk Management documentation.
  4. Generate the documentation package per the EU MDR MDCG 2019 - 16 Guidance for Cybersecurity in Medical Devices, showing a Defense-in-Depth Design Strategy.
EU MDR Medical device regulation European Commission logoFDA logo
Green circle with a Lock

Cybersecurity Design Controls

Promenade Software Services use state-of-the-art security practices from the cloud and financial industries, and incorporate them into prebuilt solutions for medical devices. The controls include best practices such as:

  1. Private/Public key infrastructure for secure device authentication
  2. All communications over secure TLS tunnels
  3. State-of-the-art encryption using RSA or Elliptic Curve Cryptography
  4. Easy certificate revocation in case of a breach 
  5. Secure remote service and authenticated cloud updates

Cybersecurity Risk Management
Threat Modeling and Risk Analysis

Promenade Software Services include assistance with your system-level threat model and security risk analysis compliant with AAMI TIR57. We will help you identify vulnerabilities and identify ways that a threat can cause a loss of security properties for the device . Below are the factors that we help identify and document for you.

  1. Asset Identification - Identify any asset or interface that could be manipulated by an attacker. Assets include the patient data, the device and associated components (cartridges), and device software.
  2. Identification of Adverse Impact - For each asset, evaluate the impact that loss of confidentiality, integrity, or availability
    might have on safety and effectiveness of the device or data/system security.
  3. Identification of Vulnerabilities/Attack Vectors - Analyze and document known and potential vulnerabilities by looking at component interfaces and communication pathways as potential attack vectors.
  4. Identification of Threat Sources - The source of threats can be adversarial and non-adversarial. For adversarial, what level of sophistication is required?
  5. Threat Assessment - Determine the potential threat and scenario, using the collected information of assets, impacts, attack vectors, and threat sources.
  6. Risk Analysis - Calculate the risk and establish risk mitigations where appropriate, using the collected threat information.
Office worker with headphones, laptop and two monitors

Cybersecurity Bill of Materials (CBOM)

The Cybersecurity Bill of Materials (CBOM) is a list of software components included in the device (including open source libraries and OTS software) that could be susceptible to vulnerabilities. The FDA considers this list a critical element in identifying assets, threats, and liabilities. Promenade can help you:

  1. Run the CBOM through the National Vulnerability Database (NVD), generating a list of known vulnerabilities of your device.
  2. Provide criteria for addressing, or rationale for not addressing, the list of vulnerabilities.
  3. Provide support for on-going vulnerability-monitoring, postmarket.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Promenade Software, Inc. specializes in software development for medical devices and other safety-critical applications.
Promenade is ISO 13485, and CypherMed Cloud is SOC2 Type II certified.

© 2022 Promenade Software, Inc.