MEDCRYPT IS SOFTWARE THAT HELPS MEDICAL DEVICE VENDORS COMPLY WITH THE FDA'S NEW PREMARKET CYBERSECURITY GUIDANCE

The FDA recently released an updated “Content of Premarket Submission for Management of Cybersecurity in Medical Devices”, partly in an effort to encourage medical device vendors to build devices that are secure by design. When we founded MedCrypt in 2016, we believed strongly that the only way to substantially improve the security of medical devices was to build security features directly into these devices. Without exaggeration, this recent guidance update aligns almost 1:1 with the feature set we developed when we started the company two years ago.

We have highlighted a few specific requirements in this guidance document, and described how MedCrypt can be used to address these requirements quickly. Our product is designed to make it fast and easy for software engineers building medical devices to implement cryptography and monitor device behavior, without needing to build an entire framework from scratch. We also monitor what MedCrypt-enabled devices are doing remotely, allowing us to detect intrusion, and generate forensic data in the event of a breach. Our ability to detect abnormal behavior stems from our healthcare-specific device behavior data, which spans multiple classes and brands of devices.

Note: while this is a non-binding guidance document, and not a formal regulation, it appears that devices which fail to satisfy the guidance may not receive clearance from the FDA. "FDA recommends that this approach include a set of cybersecurity design controls to ensure medical device cybersecurity and maintain medical device safety and effectiveness. Such design controls may make it more likely that FDA will find your device meets its applicable statutory standard for premarket review."

Document Section | Requirement | MedCrypt Feature
--- | --- | ---
IV (line 272) | Cybersecurity Bill of Materials (CBOM) | MedCrypt matches versions of its software and component open source libraries to specific devices. Users can also import lists of other component software libraries to be tracked within MedCrypt. This allows us to dynamically generate a CBOM for any MedCrypt-enabled device.
V (line 330) | Documentation demonstrating trustworthiness | We provide standardized design documentation for our cryptography framework, with descriptions of various security features that can be included in a vendor's FDA submission as appropriate.
V.A (line 357) | Ensure code and data integrity | MedCrypt's embedded library makes certain cryptography functions, like Sign / Verify, available via an easy-to-use API / ABI. This allows a user to sign code, data, instructions, configurations, etc., and verify these data structures before they are loaded into an active device.
V.A.1 (line 368) | Ensure a communication / command is unmodified and originates from an authorized source | MedCrypt's embedded library makes certain cryptography functions, like Sign / Verify, available via an easy-to-use API / ABI. This allows a user to sign an instruction and verify that it originated from a trusted source and has not been modified.
V.A.1.b.iii (line 414) | Use Cryptographically Strong authentication... | MedCrypt makes it easy to choose and implement a cryptographic algorithm that is appropriate for your device, and allows you to change and patch these algorithms as vulnerabilities are found (keeping your device "Cryptographically Strong" over the life of the device). This cryptography can be implemented in various areas of your device, from communication authentication to configuration authentication.
V.A.1.b.iv (line 417) | Authenticate all external connections | MedCrypt allows users to establish TLS connections quickly and easily, as well as implement application-layer data authentication. This adds a layer of redundancy over your TLS connection, keeping data secure in the event the TLS connection is vulnerable or compromised. (Note the FDA's statement that this authentication should happen "even if the connection is initiated over one or more existing trusted channels". We interpret this to mean securing communications even inside a VPN connection.)
V.A.1.b.v (line 421) | Authenticate firmware and software | MedCrypt can be used to sign firmware and software updates with an organization-specific private key that only your organization has access to. These signatures can be verified on the device before a firmware update, or as an application or configuration is loaded.
V.A.1.b.vi (line 428) | Perform authorization checks based on authorization credentials | MedCrypt makes it easy to have each endpoint in your medical device generate unique key pairs, and to use the public keys of these endpoints to authenticate before commands are accepted.
V.A.2.a.i (line 446) | Verify signatures of software / firmware updates | MedCrypt can be used to sign firmware and software updates with an organization-specific private key that only your organization has access to. These signatures can be verified on the device before a firmware update, or as an application or configuration is loaded.
V.A.2.a.ii (line 451) | Whitelist based on digital signatures | MedCrypt can dynamically generate whitelists of endpoints a particular device should be able to communicate with, and sign that whitelist with a private key. This whitelist signature can be verified, and the list used to ensure communication happens only with trusted sources.
V.A.2.b.i (line 455) | Verify integrity of all incoming data | MedCrypt allows easy signature verification, even of data that has come from a distant MedCrypt-enabled device. This is in addition to ensuring that communication happens over a secure protocol (like TLS), which may have its own socket-level transient-signature verification.
V.A.2.b.iv (line 464) | Use current NIST standards | In addition to allowing the use of FIPS 140-2 compliant cryptography algorithms, MedCrypt makes it easy to patch and update algorithms in the future without changing the business logic of your device.
V.B.1.a (line 499) | Detect security compromises | This is the single biggest advantage of using MedCrypt. MedCrypt-enabled devices send behavior metadata to an event monitoring system (which can be located in the cloud or on-prem), and these events are monitored for suspicious behavior. The behavior baselines are built around healthcare-specific data that would be difficult or impossible for your organization to capture internally.
V.B.1.c (line 505) | Forensic evidence capture | The event data we capture is stored off the device and can be analyzed later in an incident response. This data is available only to your organization and will not be shared without your permission.
V.B.1.d (line 514) | Specify a secure configuration | Device configurations can be signed and verified on application start. Should a user change this configuration, a desired failure mode (error message, warning, alert, etc.) can be specified.
V.B.1.g (line 526) | Provide a CBOM | MedCrypt matches versions of its software and component open source libraries to specific devices. Users can also import lists of other component software libraries to be tracked within MedCrypt. This allows us to dynamically generate a CBOM for any MedCrypt-enabled device.
V.B.2.a (line 530) | Notify users in the event of a breach | In one specific example, should an application on your device experience a signature verification failure of a command, our event monitoring system is alerted, and your application can display an error message of your choosing to your user.
V.B.2.b (line 532) | Anticipate software patches | MedCrypt makes it easier to patch cryptography-related vulnerabilities by abstracting the cryptography software into a single library. We compare MedCrypt-enabled devices in the field against the CVE database, and alert you when one of your devices is affected by a CVE.
VI.8 (line 613) | Description of how the design enables the device to announce when anomalous conditions are detected | MedCrypt's event monitoring system can be configured to alert us, your organization, or your customer's / user's organization when an anomaly is detected.
VII.A.3.e (line 679) | Description of the... type and level of cryptographic key usage... | We provide standardized design documentation for our cryptography framework, with descriptions of various security features that can be included in a vendor's FDA submission as appropriate.

Contact us at info@medcrypt.co to learn how MedCrypt can help your current and future medical devices satisfy these new FDA guidelines.