Cybersecurity is central to the safety and efficacy of medical devices. Regulatory bodies, including the FDA, now expect medtech firms to embed security into every phase of their product’s lifecycle. Velentium Medical, through its cybersecurity services, supports medical device firms in meeting these requirements.
To illustrate the cybersecurity process in practice, Velentium Medical developed a fictional medtech firm, AcmeStim Systems. This AcmeStim case study demonstrates the artifacts, testing, and governance needed to satisfy FDA expectations under the latest guidance.
Cybersecurity Lifecycle Overview
Velentium Medical organizes cybersecurity services into four core areas:
- Security governance: Embedding medical device security into company-wide practices and quality management systems.
- Pre-market cybersecurity: Focused on ensuring a device meets FDA submission requirements.
- Post-market cybersecurity: Maintaining device security throughout its use in the market through end-of-life.
- Product security training: Developing and empowering internal teams.
Velentium Medical cybersecurity services include documentation templates to accelerate the process and customized consulting support to ensure flexibility to meet each medtech firm’s specific requirements.
The FDA’s Cybersecurity Expectations
With the introduction of eSTAR, the FDA’s electronic submission system, twelve key cybersecurity artifacts are required for 510(k), de novo, and PMA submissions:
- Security risk management plan
- Threat Modeling and Security Architecture Report
- Cybersecurity Risk Assessment
- Cybersecurity Controls Report
- Software Bill of Materials (SBOM)
- SBOM Support Report
- Software Component Risk Management Report
- Cybersecurity Labeling Report
- Cybersecurity Metrics Report
- Cybersecurity Testing Report
- Unresolved Anomalies Risk Management Report
- Security Risk Management Report
Case Study: AcmeStim Systems
AcmeStim developed a neuromodulation implantable pulse generator (IPG) system. The system includes:
- Clinician Programmer
- Cloud Supported
- Data exporting, logging, and monitoring
To prepare for submission, Velentium Medical guided AcmeStim through the cybersecurity process.
Governance
Velentium Medical provided AcmeStim with Standard Operating Procedure (SOP) templates for Secure Product Development, Coordinated Vulnerability Disclosure, and Incident Response. Over several working sessions, these templates were modified to fit AcmeStim’s use case, company size, and specific needs, and they were incorporated into the company’s QMS. Now AcmeStim’s processes are compliant with IEC 81001-5-1, NIST SP 800-218 SSDF, ANSI/AAMI SW96, and other important standards and frameworks.
Security Risk Management Plan
This foundational document defined roles, timelines, and goals. It also described AcmeStim’s secure product development framework (SPDF) by referencing and summarizing the above QMS structures. It was important to ensure that the Security Risk Management Plan included plans and procedures for the total product lifecycle, including premarket and postmarket phases.
Security Requirements
Security requirements become design inputs that are independent and agnostic of the implementation. They can exist at the system level and at the product level (software requirement specifications).
We will trace a single requirement throughout the product security process:
- System Requirement: “All critical operations shall be authenticated.”
- Software Requirement Specification: “The software shall uniquely authenticate users.”
Security controls then define specific implementation details to assure that the medical device design meets the security requirements.
In the case of the requirements above:
- Authenticating users based on a username and password that meets a specific password policy.
- Enforcing multi-factor authentication.
Security controls will formally be defined and evaluated in the Threat Model and Cybersecurity Risk Assessment, which may necessitate updates to requirements following the next steps.
Threat Modeling and Security Architecture Report
Threat modeling involved analyzing representations of the system to identify potential security weaknesses and generate controls to mitigate the potential issues in the system’s design. STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege), attack trees, and kill chains were used to identify design and process weaknesses. Mitigations were defined and documented in security architecture and use case views.
Key outputs included:
- Identification of potential vulnerabilities (e.g., spoofing the clinician programmer, disclosing sensitive data)
- Definition of mitigations (e.g., user authentication details, encryption)
- Security Architecture Views (global, multi-patient harm, updateability/patchability, and security use case diagrams and descriptions)
Cybersecurity Risk Assessment
Velentium Medical applied a modified CVSS version 2 rubric for scoring security risks before and after mitigations were applied. Doing so allowed AcmeStim to ensure their requirements and controls were sufficient and determine if any design weaknesses remained as residual issues in the system.
Cybersecurity Controls Report
This report summarized mitigations and controls, mapped to eight core categories from Appendix 1 of the FDA’s 2023 Premarket Cybersecurity Guidance, including:
- Authentication
- Confidentiality
- Authorization
- Event Detection and Logging
- Cryptography
- Resiliency and Recovery
- Integrity
- Software and Firmware Updates
Software Bill of Materials (SBOM)
Two types of SBOMs were created:
- Human-readable: Lists of software components, versions, and suppliers
- Machine-readable: JSON/XML files in SPDX or CycloneDX formats
Tools like NetRise were used to analyze vulnerabilities via SBOMs and inform development decisions on the use of third-party software components in the system’s software and firmware.
SBOM Support Report and Software Component Risk Management Reports
An SBOM Support Report documented support status of all components contained in the SBOMs and mitigation plans for software that may become unsupported in the future. The Software Component Risk Management Report triaged known vulnerabilities and laid out corrective actions to mitigate known vulnerabilities in the final release of all software and firmware.
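The link between the machine-readable SBOM, the human-readable list, and the support-status review can be sketched in code. The following is an added example, not Velentium Medical's tooling: the component names, versions, and the `SUPPORT` records are constructed, and `review_sbom` is a hypothetical helper that reads CycloneDX JSON, emits name/version/supplier rows, and flags missing fields or components that are unsupported or unreviewed.

```python
import json

# Constructed CycloneDX-style SBOM; component names and versions are made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-tls", "version": "3.2.1",
     "supplier": {"name": "Example TLS Project"}},
    {"type": "library", "name": "example-rtos", "version": "10.4.0"},
    {"type": "library", "name": "example-json",
     "supplier": {"name": "Example JSON Maintainers"}}
  ]
}
"""
# Constructed support-status records of the kind an SBOM Support Report collects.
SUPPORT = {("example-tls", "3.2.1"): "supported",
           ("example-rtos", "10.4.0"): "end-of-life"}


def review_sbom(sbom_text, support):
    """Return (human_readable_rows, findings) for a CycloneDX JSON document."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    rows, findings = [], []
    for comp in bom.get("components", []):
        name = comp.get("name", "")
        version = comp.get("version", "")
        supplier = (comp.get("supplier") or {}).get("name", "")
        # Human-readable row: component | version | supplier
        rows.append(f"{name or '?'} | {version or '?'} | {supplier or '?'}")
        for field, value in (("version", version), ("supplier", supplier)):
            if not value:
                findings.append(f"{name}: missing {field}")
        # Every component needs a recorded support status.
        status = support.get((name, version))
        if status is None:
            findings.append(f"{name}: no support status recorded")
        elif status != "supported":
            findings.append(f"{name}: support status is {status}")
    return rows, findings


if __name__ == "__main__":
    rows, findings = review_sbom(SBOM_JSON, SUPPORT)
    print("\n".join(rows + findings))
```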
Cybersecurity Metrics Report
Additionally, the postmarket updating and patching metrics to be tracked, such as the percentage of patched vulnerabilities in fielded devices, were planned for and designed around. In the future, AcmeStim will have to monitor these metrics during any update or patch events.
Labeling and Communication
Cybersecurity information was incorporated into the Instructions for Use (IFU) and a Manufacturer Disclosure Statement for Medical Device Security (MDS2) was created to facilitate procurement processes with future customers. Transparent communication to end users and customers is key to robust and mature cybersecurity practices.
Security Testing
A combination of tools and expert-led testing validated security implementations:
- Attack Surface Analysis of the System
- System-wide Penetration Testing by experienced, independent, objective, and qualified experts
- Static Analysis using SonarCloud tooling
- Mobile app testing using NowSecure Platform and Workstation tools
- Fuzz Testing using Keysight IoT Security Tools
- Web API testing using 42Crunch
Summary reports were generated for each form of testing, and findings were consolidated into an overarching Cybersecurity Testing Report.
Unresolved Anomalies Risk Management Report
Following Verification and Validation activities, Velentium Medical evaluated all software bugs for potential security impact and documented the results in a formal artifact.
Final Documentation and Traceability
The Security Risk Management Report traced design vulnerabilities to mitigations, requirements, and testing. Residual risks were documented and justified with benefit-risk assessments, and deviations from the Security Risk Management Plan were described (if applicable). Additional summaries, including how device integrity is assured and how devices are delivered malware-free, as well as discussions of updating and patching processes, were included.
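The trace described here, and the single authentication requirement followed earlier from system requirement to controls, can be checked mechanically. The following is an added example, not part of the AcmeStim artifacts: all IDs (`SYS-001`, `CTL-001`, and so on), the record layout, and `trace_gaps` are hypothetical, and the data is constructed with two deliberate gaps.

```python
# Constructed traceability records; every ID below is a hypothetical placeholder.
REQUIREMENTS = {
    "SYS-001": {"text": "All critical operations shall be authenticated.", "parent": None},
    "SRS-001": {"text": "The software shall uniquely authenticate users.", "parent": "SYS-001"},
}
CONTROLS = {
    "CTL-001": {"text": "Username and password meeting the password policy", "requirement": "SRS-001"},
    "CTL-002": {"text": "Multi-factor authentication", "requirement": "SRS-001"},
    "CTL-003": {"text": "Encryption of sensitive data", "requirement": None},  # deliberate gap
}
THREATS = {
    "THR-001": {"text": "Spoofing the clinician programmer", "mitigations": ["CTL-001", "CTL-002"]},
    "THR-002": {"text": "Disclosing sensitive data", "mitigations": ["CTL-003"]},
}
TESTS = {
    "TST-001": {"text": "Penetration test: authentication", "verifies": ["CTL-001"]},
}


def trace_gaps(requirements, controls, threats, tests):
    """Return sorted (id, problem) pairs for every broken link in the trace."""
    gaps = []
    tested = {c for t in tests.values() for c in t["verifies"]}
    for tid, threat in threats.items():
        if not threat["mitigations"]:
            gaps.append((tid, "threat has no mitigation"))
        for cid in threat["mitigations"]:
            if cid not in controls:
                gaps.append((tid, f"mitigation {cid} is not a defined control"))
    for cid, control in controls.items():
        if control["requirement"] not in requirements:
            gaps.append((cid, "control traces to no requirement"))
        if cid not in tested:
            gaps.append((cid, "control has no verifying test"))
    implemented = {c["requirement"] for c in controls.values()}
    for rid, req in requirements.items():
        has_children = any(r["parent"] == rid for r in requirements.values())
        if not has_children and rid not in implemented:
            gaps.append((rid, "requirement has no implementing control"))
        if req["parent"] is not None and req["parent"] not in requirements:
            gaps.append((rid, "parent requirement is missing"))
    return sorted(gaps)


if __name__ == "__main__":
    for item, problem in trace_gaps(REQUIREMENTS, CONTROLS, THREATS, TESTS):
        print(f"{item}: {problem}")
```

An empty result means every threat reaches a control, every control reaches a requirement and a test, and every leaf requirement has a control.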
Common FDA Submission Deficiencies
Velentium Medical noted several areas where manufacturers often fall short:
- Incomplete traceability
- Improper SBOM formatting
- Insufficient testing or independence of the testers
- Insufficient control or risk assessment details
Key Takeaways for Manufacturers
- Start early: Engage security experts during the design phase.
- Document everything: From requirements to testing results to postmarket processes.
- Think long-term: Cybersecurity extends beyond product launch.
- Partner wisely: End-to-end services streamline compliance.
- Be proactive: Build a culture of security, not just a checklist.
Conclusion
Medical device cybersecurity is no longer a future challenge—it is today’s necessity. With the right strategy, tools, and partners, companies can meet FDA requirements efficiently while building safer, more resilient products. The AcmeStim example underscores the value of embedding cybersecurity throughout the product lifecycle.
Velentium Medical’s comprehensive approach offers a scalable, proven path to regulatory approval and lasting device security. Their end-to-end support model and deep expertise empower manufacturers to confidently navigate the complex landscape of cybersecurity compliance.