Questions? We can help.

Medical Device Cybersecurity for Network Connected Software and Devices

ANSWERED ON THIS PAGE:

  • What kinds of medical devices are vulnerable to cyber threats?
  • What are the FDA’s cybersecurity requirements for medical devices and software?
  • Why should we perform cybersecurity assessments for our devices?

Medical devices face a “perfect storm.” Hackers are becoming increasingly sophisticated and the number of devices connecting to the internet or other networks is growing exponentially. As a result, cybersecurity threats are a major concern for medical devices. A breach can compromise patient data or software, as well as the performance of life-critical devices including infusion pumps, ventilators, and pacemakers. Yet, the pressure to speed up market entry means cybersecurity testing often happens after market introduction or not at all.

As device regulators recognize the risks of cyber-attacks, cybersecurity is becoming a regulatory imperative for device manufacturers who want to ensure timely clearance. Emergo can provide cybersecurity testing and evaluation early in the product development stages and help you meet the expectations of regulators and end customers such as healthcare Group Purchasing Organizations (GPO).

Cybersecurity risk assessments and pen testing to reduce risk and avoid regulatory delays

Many device manufacturers wait until their product is on the market to perform cybersecurity risk assessments. But the best way to mitigate threats to your device is to take steps toward cybersecurity early in the design process. We can perform the following assessments to ensure your company and products are prepared for cybersecurity threats in the market:

  • Organizational readiness assessment: Includes an on-site gap assessment to determine if gaps exist between the overall organizational processes and current regulatory guidance, requirements of the UL 2900 cybersecurity standard or other cybersecurity technical specifications, if desired.
  • Security risk assessment: We can support you in the development of a threat model for your device or by supplementing your device risk management procedures to include risks associated with security.  We can help you identify, inventory and evaluate risk controls identified in the cybersecurity risk analysis against commonly-accepted risk control requirements, including those in UL 2900.
  • Gray box/black box penetration testing: Our security engineers execute targeted exploits against identified (or unidentified) vulnerabilities in the code and deliver a report of the product response.

Medical device cybersecurity documentation for US FDA 510(k) submissions and Additional Information (AI) responses

In October 2014, the US FDA issued a guidance document entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. This guidance addresses specific recommendations regarding documentation that should be included your 510(k) submission, including a list of all cybersecurity risks considered in the design of your device and a corresponding list of controls that were implemented to address those risks.

We can prepare your FDA 510(k) documentation (link to Emergo 510k page) to ensure it follows FDA pre-market cybersecurity guidance and/or review your existing documentation. We can also help prepare your response if you receive an FDA Additional Information (AI) letter regarding cybersecurity measures.

Medical device cybersecurity compliance consulting

Our technical and regulatory consultants are experts in medical device cybersecurity compliance in the US and in markets worldwide. We can provide cybersecurity consulting at every stage of the process, from device testing to regulatory documentation preparation. Here’s how we can help:

  • Assess software vulnerabilities and weaknesses early in the design process using penetration testing, malware testing, binary/byte code analysis, static code analysis, fuzz testing, and security controls testing.
  • Provide audits, assessments for cybersecurity compliance, and support to FDA guidance, as well as for cybersecurity recommendations and requirements in other global markets.
  • Train your employees in cybersecurity product design and sourcing third-party vendors and components.
  • Prepare risk documentation related to cybersecurity and FDA cybersecurity guidance.

Cyber-threats are costly and, in some cases, dangerous. Emergo can help you take steps to reduce the risk of a cyber-attack.

Ask us for detailed information about cybersecurity consulting services.

Learn about the process, costs and timelines.

Request More Information

{{ phone }}

See list of all offices

Common medical device cybersecurity questions

In order to achieve FDA approval, are we required to comply with FDA guidance on cybersecurity for our device?

No. FDA guidance documents are advisory in nature and do not have the force of law. However, guidance does reflect current FDA thinking and failure to comply with their recommendations can derail a 510(k) submission. Therefore, to ensure ongoing patient safety and a smooth 510(k) clearance process, compliance with the recommendations contained in FDA cybersecurity guidance documents is highly advisable.

Does FDA require certification to UL 2900 cybersecurity standards?

Certification to UL 2900 is not required for FDA clearance. The UL 2900 set of standards were designed to align with current FDA pre- and post-market guidance for cybersecurity. They have been recognized as consensus standards by the FDA since August 2017.

What is the difference between white, gray, and black box penetration testing?

A penetration (or “pen”) test targets weaknesses in your product code that may be vulnerable to cyber-attacks. In a white box pen test, the engineer performing the test is aware of potential weaknesses and the details of your specific implemented security risk controls. White box, or Structured Pen Testing exercises the robustness of your security risk controls and provides objective evidence that your design is resistant to security threats.  In a black box pen test, the engineer simulates bad actor, or “hacker” behavior who may not have specific details on the design of your product. In a black box pen test, our security engineers will perform reconnaissance to gather information and then will execute a brute force attack on your device, without knowledge of identified weakness. A gray box pen test employs a combination of white and black box methods.