This website uses cookies that are necessary to deliver an enjoyable experience and ensure
its correct functionality and cannot be turned off. Optional cookies are used to improve the page with analytics, by
clicking “Yes, I accept” you consent to this use of cookies. Learn more
Is your medical device FDA compliant following the new cybersecurity regulations?
Ensuring reliable and secure code is essential for medical devices.
We're committed to helping you achieve the highest standards of software security, meeting FDA requirements while enhancing innovative solutions by granting their robustness.
On March 13, 2024, the FDA updated its cybersecurity guidance for premarket applications in Section 524B of the FD&C Act. At ERNI, we excel in secure software development for healthcare, ensuring every phase meets top regulatory standards. This new guidance calls for proactive cybersecurity risk management, detailed threat documentation, and specific mitigations. We prioritise patient data security, risk of harm, and medical device security, setting our solutions apart. Trust us to deliver secure, reliable, and fully compliant medical software.
We emphasise the need to protect patient data, minimise patient harm risk and ensure medical device security. We guide you from the earliest stages of product development, assisting with threat modelling processes, risk analysis and establishing robust cybersecurity requirements, in line with the FDA's new guidance. Additionally, choosing the best architecture and frameworks is ingrained in our DNA.
When it comes to coding, it's crucial to pick the right frameworks, design a solid architecture and stick to high development standards. Equally important is ensuring that our testing meets strict security criteria. This approach is essential for achieving a high level of cybersecurity maturity in our solutions.
Deploying your solution safely is vital to prevent any leaks or exposure of sensitive information that could put your organisation at risk. It's also important not to overlook how you'll update your solution and handle security patches. These steps are sometimes forgotten, but they're a crucial part of keeping everything secure for the long haul.
Cybercriminals don’t care about how well you documented or coded your solution; they will try to break it by any means. Thinking like an adversary helps organisations figure out new ways to protect their applications and infrastructure before the “bad guys” do. Our approach ensures we find exposed patient data before hackers do, safeguarding sensitive information and maintaining compliance with demanding regulations.
Development of a custom solution for a secure connection between the insulin pump and the public cloud for medical data storage.
Migration and TARA risk analysis for the authentication process against Active Directory and access management to the web platform.
Code vulnerability analysis
Analysis of vulnerabilities in the medical environment
Testing application to check the security between web applications and their API. The main objective was to identify vulnerabilities and weaknesses of the system.
Design and definition of the security and risk analysis for a business application. Execution of offensive attacks to test the response to threats.
Is your medical device FDA compliant following the new cybersecurity regulations?
Ensuring reliable and secure code is essential for medical devices.
We're committed to helping you achieve the highest standards of software security, meeting FDA requirements while enhancing innovative solutions by granting their robustness.
We start by integrating secure design practices, utilising frameworks like .NET and Spring Security, or exploring Serverless development with AWS Lambda, Azure Functions and Google Cloud Functions. Additionally, we leverage patterns such as Service Mesh and implement JWT authentication to strengthen the resilience of our software architecture from the start.
Vulnerability assessments
We perform comprehensive vulnerability assessments through systematic reviews and scanning processes, identifying and mitigating security gaps in line with industry best practices.
Threat modelling
We use structured frameworks like STRIDE and PASTA to anticipate and neutralise potential threats before they become real issues.
Secure deployment
We deploy with confidence using automated pipelines that incorporate security checks and containerisation technologies like Docker, ensuring a consistent and secure environment across all stages.
SBOM
We maintain a comprehensive Software Bill of Materials (Third-party dependencies) for transparency and traceability to track and manage software components.
Penetration testing
Our pen-testing process involves ethical hacking techniques and scenario-based testing to proactively discover and fix security vulnerabilities, ensuring our defences are robust and effective.
Data flows
Mapping out data flows with meticulous attention, we ensure sensitive information is shielded every step of the way.
Update & patching process
Our update and patching process is systematic and timely to swiftly address vulnerabilities and keep systems resilient against threats.
Secure coding practices
Our team adheres to secure coding standards, informed by OWASP's Secure Coding Practices, to minimise vulnerabilities and fortify our codebase against attacks.
Red teaming exercises
We conduct red teaming exercises using a collaborative approach that pits our security experts against our own defences to test resilience and improve our incident response capabilities
Risk assessment
Using both quantitative techniques like FAIR and qualitative methods such as OCTAVE, we assess risks to prioritise and tailor our security measures effectively. We also leverage other straightforward frameworks like NIST Cybersecurity Framework, DREAD or TARA to provide comprehensive risk assessments.
Static & dynamic analysis tools
We utilise static analysis tools to scrutinise our code without executing it, catching security flaws early in the development process. Adding dynamic analysis with tools like OWASP ZAP and Burp Suite helps us test and secure our applications in real time, simulating attacks to identify runtime vulnerabilities.
Requirements creation
We craft clear and actionable security requirements based on industry standards such as OWASP Top 10 and NIST guidelines to build a strong foundation for secure development.
Communications security & protocols
We ensure secure communication by implementing protocols such as TLS and IPSec, and by using encryption libraries like OpenSSL to protect data in transit.
Security architecture
Designing with defence-in-depth in mind, we leverage proven architectural patterns like micro-segmentation and zero trust models to fortify the security posture.
Cryptography
We implement robust key management practices, utilising HSMs (Hardware Security Modules) and secrets management tools to safeguard cryptographic keys and sensitive credentials. In accordance with FIPS 140-3 regulations, we use approved cryptographic algorithms to ensure the highest level of security.
