Perform scalable and repeatable vulnerability scoring

We work with you to customize a vulnerability (CVE) triaging model for each of your devices that aligns with your device’s components and essential clinical functions. Get the Medcrypt advantage with a scalable, repeatable model to ensure the trustworthiness of your scoring methodology.


Custom vulnerability (CVE) triaging to meet your device’s needs

Our custom vulnerability triaging method provides scalability and repeatability while eliminating human error. Your engineers stay focused on critical development efforts, which helps you get to market faster.


Increased efficiency and ease-of-use

Our vulnerability (CVE) triaging methodology has proven to be easier to use than traditional error-prone scoring methods, while reducing reliance on human experts, and increasing efficiency.

Eliminate vulnerability scoring uncertainty

Relying on human experts, no matter how good they are, is not scalable or repeatable. This gives you a biased understanding of your overall risk level, which in turn impacts your risk mitigation strategies.

Avoid FDA regulatory approval delays

Make strategic changes to your current risk mitigation strategies to maximize return on investment and reduce unexpected delays.
Ensure you understand the impact of recent regulatory changes included in the “PATCH Act”, as well as the likelihood that the FDA will flag your submissions for connected devices due to cybersecurity deficits.

Save potentially months of R&D opportunity costs

You want your engineers working on your company’s future, not feeling disengaged and bored manually rescoring vulnerabilities for months on end, which increases the risk of engineer attrition.

Eliminate unexpected delays & get to market faster

Get the benefit of a scalable, repeatable vulnerability scoring method to analyze and mitigate risk, ensuring patient safety and paving the way to FDA cybersecurity approval.

Increased return on investment

Make strategic changes to your risk mitigation strategies to maximize ROI & reduce unexpected delays. Our vulnerability scoring model reduced patient risk, and maintained or improved business outcomes, timelines, and scope.

CASE STUDY

Helping our customers succeed

Don’t just take our word for it. Our MDM client saved months of manual analysis using our vulnerability triaging model. This allowed for more time spent on the patch design and development efforts, which shifted patch decision-making earlier in the project schedule, thereby reducing impact on the critical systems engineering path and the amount of time devices in the field were left vulnerable.

Challenge: Predict current and future regulatory risk for legacy and next-generation devices

Problem: Lack of scalability and repeatability in rescoring CVEs

This MDM had thousands of vulnerabilities (CVEs) that had to be rescored from their previous Common Vulnerability Scoring System (CVSS) scores. They had to rely on their R&D engineers to manually rescore thousands of CVSS scores to determine risk and patching needs. This required hundreds of hours of manual analysis, was very costly, and kept engineers from working on other projects and deliverables. It also increased the risk of employee attrition, as this was repetitive work that could not easily be automated, resulting in an ineffective, inefficient, and error-prone approach.

Client’s original approach: Inefficient, manual rescoring
Although they had performed a current-state assessment of their legacy device, and identified risks and risk mitigation strategies, they knew that they had gaps in their cybersecurity architecture. They decided that they couldn’t afford to continue to ignore these potential vulnerabilities.

Because their method was based on individual human judgment, it was neither scientifically sound nor repeatable, so they also ran the risk of the FDA deciding that their risk mitigation strategies were not sufficient, which would further impact their bottom line.

Our scalable, repeatable solution

Results:

Medcrypt’s CVE Triage model automated the scoring process, reducing months of painful, manual analysis time to just minutes, with at least 90% accuracy! This automated model freed up R&D engineers to work on more strategic initiatives that would continue to propel the company forward.

Our client realized a drastic reduction in manual R&D labor and risk of attrition. Our model further reduced overall analysis time, allowing for more patch design and development effort. This also shifted patch decision-making earlier in the project schedule, reducing impact on the critical systems engineering path, as well as reducing the amount of time that devices in the field were left unpatched and vulnerable.

Vulnerability (CVE) triaging model:
We developed a vulnerability (CVE) triaging model for each of their devices, specific to each device’s components and essential clinical functions. Our model also enabled consistent application of policy and quality system requirements tailored to each device. We compared human expert judgment against the model’s judgment to iteratively improve the automation until the two reached parity.

Meet our experts

Our team of former FDA analysts and reviewers provides the best-qualified, credentialed, and experienced product security benefit-risk assessment in the world.
Naomi Schwartz
Sr. Director of Cybersecurity Quality and Safety
Naomi is a regulatory, compliance, and standards expert. She employs gap analyses, proposes mitigation strategies, and optimizes cybersecurity frameworks to address risk and uncertainty for device commercialization and to meet regulatory requirements and guidelines. Naomi has 20+ years of systems engineering experience.

Prior to Medcrypt, she was a premarket reviewer and consumer safety officer in CDRH for 6+ years, focusing on software, interoperability, and cybersecurity for connected diabetes devices. Her industry leadership and strategic direction include crafting standards and recommended practices for wireless diabetes device security and managing postmarket triage for cybersecurity vulnerability disclosure. She holds an MS in Electrical and Computer Engineering from Carnegie Mellon University and is a Certified Quality Auditor.
Seth Carmody, PhD
VP, Regulatory Strategy
Seth has 10 years of medical device experience and provides strategic direction for cybersecurity products and services for the regulated device market.

Prior to Medcrypt, he spent 8 years at the FDA, architecting technology policy and laws that impact software-enabled medical devices, including the FDA’s medical device cybersecurity policies. His industry leadership and strategic direction extend to several high-profile industry frameworks, including the Joint Security Plan (HSCC), MITRE’s Rubric for Applying CVSS to Medical Devices, and MDIC’s Playbook for Threat Modeling Medical Devices. He has authored several medical device cybersecurity papers and won several information security awards. He holds a PhD in Chemistry from Indiana University.
Cynthia Peralta
Sr. Director, Encryption, Key Management and PKI
Cynthia is a Public Key Infrastructure and cybersecurity expert. She provides critical and high-value insight and design of cybersecurity components, including cryptography and key management, that form the basis of security trust. She has 24+ years of experience in enterprise application, systems security, embedded device security, and device architecture & design. She handles FDA letters, including Refuse to Accept letters.

Prior to Medcrypt, she worked at several Forbes top 100 global organizations, including GE Digital, where she built out GE Healthcare’s encryption, key management, and PKI infrastructure.
Matt McKenna
Sr. Director, Product Security
Matt is a threat modeling and risk management expert. He supports clients in their journey to adopt a total quality framework, which is necessary to go to market with reasonable and planned resources and cost. He also handles FDA letters, including Refuse to Accept letters.

Prior to Medcrypt, he led cybersecurity, technology direction, and national security efforts at a number of companies, including MITRE, National Grid, and Becton Dickinson. He holds a BA in Computer Science from Rhode Island College.
AJ Reiter
Director, Strategy and Organizational Transformation
AJ specializes in enterprise digital transformation, program development, continuous process improvement, and cybersecurity. He assesses organizational security and implements actionable transformation plans and services to achieve executive targets.

Prior to Medcrypt, he spent five years doing management consulting, providing comprehensive business transformation services to Fortune 500 clients in various industries, including Pharmaceuticals, Defense, Consumer Packaged Goods, and Medical Devices. He has a BS in Economics from Georgetown University, where he captained the 4x national champion Georgetown Sailing Team.