
Medical Device IT Security

Medical Device Cybersecurity

Design, develop, and ship secure medical devices that protect patients and meet modern regulatory requirements.

Overview

New Era of Medical Device Risk

Medical devices are more like personal computers, mobile devices, and consumer IoT than ever before. Increased connectivity of these devices has shifted the industry from purpose-built embedded hardware to software with cloud connectivity or commercial-off-the-shelf components. As a result, threat actors are focusing more on medical devices and employing common vulnerabilities with significantly greater impact to patients and environments.

In response, an increase in global cybersecurity regulation of both premarket approval and postmarket management requires new and extensive cybersecurity operating procedures, evaluation, testing, and traceable documentation.


Regulatory Required

For regulators: minimize time-to-market delays. With global expertise across hundreds of device types and submissions, we provide all the cybersecurity support you need during premarket design, testing, and submission.

Customer Necessity

For customers, prove through evidence and documentation that your medical devices are designed securely and will stay secure post-market.

With third-party products and software increasingly causing impacts to customer environments, medical device manufacturers are asked to evidence that security was designed into the product and will continue to be maintained.


Why Level Nine

10+ Years Experience Helping Medical Device Manufacturers Meet Cybersecurity Requirements

We’ve assisted hundreds of products and interfaced with global regulators in response to questions or concerns around the globe.

Our mission is to ‘be part of the team’ and ensure the product has been designed for cybersecurity success. In order to meet global regulatory guidance, Level Nine provides all cybersecurity activities required for regulatory success through premarket design, development, testing, and postmarket management.

Are you ready for the new medical device 524B requirements?

Sell to the DoD/DHA through Authority-to-Operate (ATO)

Level Nine’s experience assisting medical device manufacturers with sales and customer security concerns is rooted in Authority-to-Operate (ATO) process experience with the toughest customer in the world. Level Nine understands the cybersecurity posture necessary to meet DoD standards, enabling manufacturers to sell to the federal government.


Regulations

Meet Global Medical Device Cybersecurity Regulation

Do it right the first time, for all markets

Starting in 2014 the US FDA released premarket guidance for cybersecurity and further introduced an update in 2023 with expansive additions. The US FDA released postmarket cybersecurity guidance in 2016 that remains in effect today.

In the EU, 745/2017 (MDR) and 746/2017 (IVDR), called the Medical Device Regulations, require all medical devices sold in the EU to be recertified to enhanced cybersecurity standards. The Medical Device Coordination Group (MDCG) provided guidance for meeting the EU Medical Device Regulation (MDR) as it pertains to cybersecurity (MDCG 2019-16).

In China, the CFDA administers medical devices under the Cybersecurity Law (CSL); as of 2018, medical devices must be assessed for cybersecurity protection under the Principles on Guiding Technology Examination of Medical Device Cybersecurity Registration (CFDA Guidelines).

Japanese regulation stipulates that, in addition to conformity with JIS T 2304 (IEC 62304), medical devices connected to other IT devices or to the Internet require cybersecurity measures based on JIS T 81001-5-1 (IEC 81001-5-1) to reduce cybersecurity risks to acceptable levels. This new regulation was put into practice on April 1, 2023, with a one-year transitional period until March 31, 2024.


Get Faster Regulatory Approval by Meeting Premarket Guidance

Improper documentation will result in outright rejection

Meet global regulatory guidance the first time around by employing Level Nine cybersecurity services to execute all expected activities and fully document the results in the format regulators expect for submission. Not executing all expected activities, or not documenting them properly in a submission, will result in questions from regulators seeking additional information and delay the submission. Not providing documentation for key cybersecurity activities will result in rejection by the US FDA. Level Nine provides a complete solution for premarket cybersecurity of a product at a-la-carte and fixed annual costs, alleviating manufacturers and startups from the burden of executing cybersecurity activities that require expensive software and multiple full-time staffers.

  • Threat Modeling
  • Requirements Development
  • Cybersecurity Risk Assessment
  • Cybersecurity Failure Modes and Effects Analysis
  • Software Composition & Vulnerability Analysis
  • Software Bill of Materials (SBOM) Generation
  • Secure Code Analysis
  • SAST/DAST Scanning
  • Penetration Testing
  • Fuzz Testing
  • Robustness Testing
  • Security Views of Architecture
  • Security Verification & Validation
  • Security Risk Management Reporting
  • End of Life Security Planning

Meet the Evolving Challenges of Postmarket

Cybersecurity is ever-evolving and the approach is unique

How a manufacturer continuously predicts, identifies, and mitigates potential cybersecurity issues in a fleet of products is a new and evolving process for product security teams that don’t traditionally operate in this fashion.
Each postmarket cybersecurity issue requires an assessment to assure regulators your device has appropriately evaluated cybersecurity threats, identified vulnerabilities, mitigated them to an acceptable level, and documented the entire process appropriately.


Postmarket Activities

Get Proactive with Postmarket Cybersecurity

The 2016 US FDA Postmarket Cybersecurity guidance requires manufacturers to execute a variety of functions once a product is on the market and evidence that they possess the capability during premarket submission. Level Nine provides a complete solution for postmarket cybersecurity management of a product, alleviating manufacturers and startups from the burden of executing a postmarket program requiring expensive software and multiple full-time staffers.

  • Annual penetration testing
  • Monitoring for vulnerabilities in Software Bill of Materials (SBOM)
  • Vulnerability disclosure portal for customers to learn of security issues in the product
  • Vulnerability handling process to intake reported vulnerabilities from researchers/customers
  • Vulnerability Management process for evaluating vulnerabilities and their risk to the device
  • Rapid patching strategy for addressing issues quickly
  • End of life cybersecurity planning and customer notification


Authority to operate (ATO)

What is ATO in Medical Device Cybersecurity?

Medical devices sold to DoD or DHA facilities must meet ATO compliance to ensure the device is not a threat to the environment in which it may reside.

The ATO process is a series of operational and technical controls that are typically new and different from regulatory controls. Level Nine has experience evaluating devices for ATO compliance and assisting with the ATO process, working with DoD representatives to rationalize whether a product must possess a particular control, how it could be met, and what the plan may be to meet compliance in the future. Get support through the following process:

Assess

Assess the system at the stated DoD risk level.

Identify

Identify who the ISSO is and collaborate on behalf of the client.

Enumerate

Enumerate the controls from eMASS that the client product has been assigned (from the ISSO).

Develop

Develop the System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action and Milestones (POAM or POA&M) for the client, using government templates and in collaboration with the technical contact.

Scan

Perform initial scans as required (discovery, full plug-in, and config (STIG)).

Insights

Get the Latest Security Insights

Our security experts regularly share insights and updates from the field.


Medical Device Cybersecurity Starts with Level Nine

Design, develop, and ship secure medical devices that protect customer data and meet all regulatory requirements.
