MedCrypt, Inc. has announced its partnership with Stratigos Security. Together, they offer a suite of third-party assessment and advisory services, with specialized penetration tests for medical device makers to assure the safety and effectiveness of their devices.
In March 2023, the Food and Drug Administration (FDA) announced that beginning October 1, 2023, it will “refuse to accept” medical devices that fail to meet cybersecurity requirements, further highlighting the need for developers to design and maintain products that align with the FDA’s pre- and post-market guidance.
Conventional penetration tests are a poor fit for assessing medical device safety and effectiveness risks. The MedCrypt-Stratigos partnership provides specialized penetration testing specifically designed for medical device manufacturers. These specialized tests simulate attack techniques to identify reasonably foreseeable cybersecurity issues, providing a vital source of evidence to inform risk management. The results and reports are clear, practical, and can be submitted for regulatory review, making it easier to bring the devices to market and reducing post-market problems. Mature organizations build these tests into their product development framework from the outset, continuing through the lifetime of the device.
“We are excited to team up with Stratigos,” stated Mike Kijewski, CEO of MedCrypt. “It is imperative for device makers to have access to world-class testing resources. Through our partnership with Stratigos, device makers can rely on our combined expertise and insights to ensure the security and integrity of their critical medical devices.”
This partnership provides manufacturers with pertinent identification of vulnerabilities and potential risks to patient safety and data privacy, offering independent evidence to regulators and third parties through regulatory-ready pentest reports. MedCrypt’s comprehensive cybersecurity offerings satisfy the FDA’s and global regulators’ secure product development framework requirements, ensuring healthcare organizations comply with regulations and proactively approach medical device cybersecurity.
“Our team of experienced cybersecurity experts, combined with MedCrypt’s deep understanding of medical device security, enables us to deliver comprehensive and effective penetration testing and security assessments that are tailored to the unique requirements of medical devices. We are committed to helping healthcare organizations mitigate cyber risks and safeguard patient safety,” said Beau Woods, the CEO of Stratigos Security.
Key members in this initiative are:
- Beau Woods, CEO of Stratigos Security and the co-founder of the Biohacking Village: Device Lab at DEF CON (the world’s biggest hacking conference). Additionally, Beau served as an Entrepreneur in Residence with the FDA, Senior Advisor with the US Cybersecurity and Infrastructure Security Agency (CISA), and has published works as an author and co-author.
- Naomi Schwartz, senior director of quality and safety at MedCrypt. Her background includes working at the FDA to evaluate software and cybersecurity for the world’s first regulated Automated Insulin Delivery (AID) System and developing Class II regulatory pathways for the three major components of AID systems, a game-changer for supporting patients with insulin-dependent diabetes.
- Seth Carmody, vice president of regulatory strategy at MedCrypt. Prior to MedCrypt, Carmody worked as the Cybersecurity Program Manager in the Office of the Center Director, Emergency Preparedness/Operations and Medical Countermeasures, within the FDA’s CDRH.
- Paulino Calderon, co-author of Practical IoT Hacking. Paulino has developed open-source hardware and software tools such as Nmap (one of the top security tools), DICOM fuzzing libraries, CatSniffer, and OWASP IoT Goat.
- Lukas Kuzmiak specializes in complex systems testing, from large networks to wearable devices, including hardware and firmware security for embedded systems, with an emphasis on communication layer and custom protocol analysis.
- Michelle Thompson specializes in embedded systems testing, including communications protocol testing, hardware security testing, privilege model analysis, and firmware review.