Expert Cybersecurity for Medical Device Compliance

Helping start-up, small and medium size medical device manufacturers define and implement compliant cybersecurity solutions

Hammerhead Cybersecurity team: expertise you can trust

Hammerhead’s cybersecurity experts have a combined 40+ years of experience in cybersecurity, risk management, military leadership and operations, finance, and medical device security and quality/regulatory assessments.

In addition to cybersecurity testing and cybersecurity program expertise, we have experts in software development, software verification/validation, software compliance, and regulatory submission strategy and quality, ready to work with your team in any capacity. We can supplement your staff or perform 100% of the cybersecurity activities.

The Hammerhead team can perform all the necessary testing at our own Hammerhead Lab, or we can work with a client's lab of choice.

Cybersecurity Risk Management

  • Confidentiality, Integrity, and Availability – Assess the device and its operation with the CIA triad in mind: is the device’s/patient’s data protected so that confidentiality is ensured; is the integrity of the data preserved; and is the data available when and how it is needed for patient care management.

  • Threat Entry Points – identify/review potential threat entry points into the device and collaborate on creating a documented threat model.

  • Existing Controls – Identify all current cybersecurity controls and assess their adequacy based on the level of connectivity of the device to the various networks.

  • Data Flows – Identify how data flows through the device and into any other devices or networks it is connected to, and how the data flows in the system impact the security of the device and the need for controls/mitigation.

  • Use Cases – Review all identified planned use cases for the device and assess each use case for potential vulnerabilities.

  • Atypical Use Scenarios – Identify potential atypical use scenarios where a user might use the device in an unintended manner and develop a list of potential vulnerabilities resulting from a willful or accidental misuse and recommend controls/corrective actions.

  • Interoperability of Devices: Review/Assess the product’s ability to integrate safely and securely with other systems and networks, as expected during its anticipated lifecycle, focusing on the importance of seamless interoperability in maintaining cybersecurity.

  • Third-Party Software Components: Review/Assess the presence of third-party software or libraries for the introduction of security vulnerabilities and make recommendations for mitigation of associated risks.

  • Impact of Unresolved Anomalies: Assess any identified unresolved anomalies, understand their potential impact on the device’s cybersecurity posture, and make recommendations for remediation, as necessary.

As part of the risk assessment process, review/assess, or assist the client with, the following:

  • Cybersecurity Requirements Map – Review a submitted map, or develop one, mapping every security requirement to a control.

  • Standard Operating Procedures: Provide assistance or guidance for creating/refining SOPs for cybersecurity processes.

  • Software Architecture: Assess the device’s software architecture for potential cybersecurity vulnerabilities.

  • Cybersecurity Labeling: Review or assist with developing user information documents that comply with FDA requirements, communicating security features and risks to users and supporting safe and effective device use through transparent, user-friendly documentation.

Cybersecurity Services

Cybersecurity Risk Management Plan

Review and assess, or assist with developing, depending on client needs, a strategic outline for monitoring and identifying post-market cybersecurity vulnerabilities and threats, understanding potential exploits, and the processes for addressing them. This includes a communication plan to disclose and remediate identified vulnerabilities, as mandated by the FDA.

Cybersecurity Risk Management Report

Provide the client with a comprehensive view of the device’s cybersecurity risk. This report summarizes all findings from cybersecurity risk assessments, penetration testing, and any other assessment, testing, or survey conducted on the product. It includes a discussion of overall risk management and provides subordinate documentation on risk assessments, interoperability considerations, vulnerabilities introduced by third-party software and software of unknown origin, vulnerabilities introduced through proper or improper operation of the device, and any recommendations for mitigating device vulnerabilities.

Additional Services

  • SOUP (Software of Unknown Pedigree) Assessment: Assist the client with compiling a list of all SOUP items and assess potential for cybersecurity vulnerabilities. Provide recommendations for implementation of controls to mitigate vulnerabilities.

  • SBOM (Software Bill of Materials) Review: Review a Software Bill of Materials provided by the client to identify, document and track software components.

  • Fuzz Testing: Conduct fuzz testing, feeding the device invalid, malformed, or unexpected inputs to reveal software security vulnerabilities.

  • Vulnerability Chaining: Using repositories of known vulnerabilities, identify whether any device vulnerabilities could be linked together by an attacker to gain greater access to data or network resources.

  • Closed Box Testing: Perform testing for potential vulnerabilities without prior understanding of the software code or architecture.

  • Penetration Testing: Perform thorough white-box penetration testing to examine the device’s internal structure, code, logic, and algorithms and identify security vulnerabilities.

  • Cybersecurity Documentation for FDA Submission: Assist the client with, review, or prepare documents for the client’s FDA submission packet that validate the current state of the device’s cybersecurity posture, any implemented controls, or justifications for why such controls are not applicable.

  • Threat Model: Assist the client with developing potential threats using data flow diagrams and threat tables, assessing the system and environment, and establishing a risk rating matrix.

  • TPLC (Total Product Life Cycle) Cybersecurity Risk Management: Outline a lifecycle approach to managing cybersecurity risks, from identification and assessment through mitigation and documentation updates.

  • Metrics: Review/develop key metrics for tracking and managing vulnerabilities (for example, timelines for updates and patching) to assess the effectiveness of cybersecurity controls and measures.

  • Security Architecture Views: Review/Assess/Develop a documented view of the security architecture of the medical device.

Cybersecurity Controls

Evaluate the efficacy of implemented/planned cybersecurity controls and recommend improvements to existing controls, or new controls, as necessary. Security controls should include controls from the following categories:

  • Authentication

  • Authorization

  • Cryptography

  • Code, Data, and Execution Integrity

  • Confidentiality

  • Event Detection and Logging

  • Resiliency and Recovery

  • Updatability and Patchability

Meet our team

Natasha Overbo

Natasha holds a bachelor's degree in IT and software development, and has extensive experience in verification and validation, QA and design assurance, and risk management in the medical device industry. She has held numerous leadership roles in Quality Assurance and has owned a consulting firm for the last 15 years, helping medical device companies with remediation and compliance activities.

Milada Copeland

Milada holds a BS in Biology, an MBA, a BS in Computer Management and Information Science, an MS in Strategic Studies, and an MS in Cybersecurity. Milada retired from the Utah Army National Guard after a 32-year full-time career. She served as the CIO and Chief of Staff of the Utah Army National Guard. She followed her military career with a career as a CISO in the financial management field.