Harbor Labs

Harbor Labs Supports DOJ False Claims Act Litigation in Healthcare

Nick Yuran — Fri, 27 Feb 2026 17:09:55 +0000

Harbor Labs is proud to have supported the U.S. Department of Justice in its False Claims Act litigation against Kaiser Permanente. This work reflects our longstanding commitment to strengthening compliance, integrity, and cybersecurity across complex healthcare IT environments. Originally awarded in 2022, this engagement builds on Harbor Labs’ extensive history supporting DOJ and HHS healthcare IT and cybersecurity investigations. For this contract, Dr. Luis Vargas, Director of Medical Cybersecurity at Harbor Labs, served as the principal technical investigator, with Chief Scientist Dr. Mike Rushanan acting as the testifying expert. Congratulations to everyone involved in bringing this vital matter to a conclusion, and for contributing to stronger compliance, integrity, and trust across healthcare. We are honored to contribute technical expertise that reinforces trust in healthcare systems and supports the public interest.
Link to press release

The post Harbor Labs Supports DOJ False Claims Act Litigation in Healthcare appeared first on Harbor Labs.

The 2015 FDA Cybersecurity Alert That Shaped the Medical Device Industry

Nick Yuran — Fri, 27 Feb 2026 16:42:51 +0000

It could be reasonably argued that the medical device cybersecurity industry was born in August of 2015, when the FDA issued its first ever cybersecurity alert for a medical device. The device that triggered that alert was the Symbiq drug infusion pump by the erstwhile manufacturer Hospira. The pump was reported to be vulnerable to a buffer overflow attack, which if successfully executed could give an attacker root access to the device, allowing the clinical functions of the pump to be altered or stopped entirely. It was the FDA response to this vulnerability and the tremendous publicity it received that abruptly transformed the medical device industry, establishing cybersecurity as a new, critical component of medical device safety. And it was this alert that would launch both a new set of regulatory standards and the medical device cybersecurity industry as we know it today.

At the time of this event, Harbor Labs was led by Dr. Avi Rubin, who in addition to serving as Chief Scientist was also the Director of the Health and Medical Security (HMS) Lab at Johns Hopkins University. Dr. Rubin had recently testified before US Congress on medical cybersecurity, and as a direct result of his testimony at these hearings Hospira selected Harbor Labs to analyze the Symbiq vulnerability and develop a remediation plan.

The effort was led by Dr. Mike Rushanan, who had himself received his PhD through the JHU HMS lab under Dr. Rubin, and today serves as the Harbor Labs Chief Scientist. Dr. Rushanan and the Harbor Labs staff were able to recreate the attack that produced the buffer overflow, writing their own custom input injector and shellcode. Then, working with the manufacturer, Harbor Labs developed the security patch needed to eliminate the vulnerability. The device was soon thereafter approved to resume clinical sales.

The publicity and market impact the Symbiq episode would have on Harbor Labs would shape the future of the company. With the distinction of being the cybersecurity consultants that rescued a medical device from a critical vulnerability and returned it to the market, Harbor Labs was put at the forefront of the burgeoning medical cybersecurity consulting industry. Over the coming years, Harbor Labs would benefit from this pioneering reputation, partnering with many of the medical device industry’s most prominent manufacturers on their cyber policies and regulatory submissions, and working with regulators to help shape the constantly evolving regulatory landscape. It was that critical roll played by Harbor Labs as the medical device industry was first forming in 2015 that would put the company on the trajectory to the market-leading position we enjoy in the industry today.

The post The 2015 FDA Cybersecurity Alert That Shaped the Medical Device Industry appeared first on Harbor Labs.

Dr. Mike Rushanan Teaches Groundbreaking Course on Medical Device Cybersecurity at Johns Hopkins University

Dr. Mike Rushanan — Fri, 27 Feb 2026 16:41:01 +0000

The Internet of Things has long delivered on the promise of connecting everyday products such as smart thermostats, appliances, cars, and more.

But as the human body has come to occupy a central place in that connected landscape through fitness trackers, insulin pumps, pacemakers, and other wearable devices, the perils of cybersecurity have escalated.

Wirelessly infiltrating such medical devices to inflict harm has occupied many a fictional thriller—from the TV show Homeland to the novel Kill Decision—as well as real life policy debates such as the vulnerability of former Vice President Dick Cheney’s pacemaker. In 2019, the U.S. Food and Drug Administration took the historic step of recalling a specific type of insulin pump because of potential cybersecurity risks.

Still, medical device manufacturers have continued to push products toward the market before they have implemented fully integrated cybersecurity measures, focusing more on making sure the products are safe for patients rather than from outside hacking threats.

Now, a new course offered by the Johns Hopkins Whiting School of Engineering, Medical Device Cybersecurity, is preparing students for the revised approval process mandated by the FDA, which has ramped up requirements for cybersecurity measures throughout the medical device design process.

“Protecting these devices from cyber threats is not just a technical challenge—it’s a matter of patient safety,” states the syllabus for the class, taught by Dr. Michael Rushanan, a lecturer in the Department of Computer Science who earned his PhD from JHU in 2016. “A security breach in medical devices like pacemakers and insulin pumps can have life-threatening consequences.”

The class provides an in-depth review of FDA cybersecurity guidance and the processes needed to meet those relatively nascent government requirements—from the initial design and development steps through device deployment.

The course teaches real-world case studies and provides practical exercises and simulations—including a final project that requires students to build actual medical devices equipped with air-tight cybersecurity measures.

“We want the students to go into the field knowing how critical it is to apply cybersecurity risk management from the design stage,” said Rushanan, chief scientist at Harbor Labs, the firm founded by retired Johns Hopkins professor Avi Rubin. “If you don’t, device manufactures are going to continue to have a ton of problems at the end of the process that can cost them hundreds of thousands of dollars to fix.”

Rubin, who started the Johns Hopkins Health and Medical Security Lab, said manufacturers have become more aware of security issues than they used to be thanks to new comprehensive FDA regulations. But, he added, the class is a first for teaching that new landscape—from understanding the regulatory landscape to incorporating those requirements into the design process.

“This is a first-of-its-kind course on the cybersecurity of medical devices with a focus on the specific issues and challenges inherent in that environment,” Rubin said. “The high level of regulation and the cyber-physical nature of devices that interact directly with humans, along with the privacy sensitivity of health data represent a unique set of challenges. This course provides students with hands-on experience working specifically on medical device security. It will give students a launchpad into careers related to medical and healthcare security.”

The students presented the products they developed with cybersecurity measures fully enmeshed in the designs on May 12. They included:

ThermaTrack:

Provides real-time tracking of a patient’s body temperature and can alert caregivers when it detects abnormal variations. The data is stored securely on the AWS cloud where it can be accessed through a web and mobile application.

Cardio Crisis:

ECG monitors heart activity through a sensor placed on the body and which is connected to a high-speed processor that transmits the data via Bluetooth to a smartphone application. It can detect cardiac irregularities in real time, allowing for quick responses by medical personnel.

PulseLite:

Creates, analyzes, and displays echocardiographic data collected on a patient’s body and provides remote monitoring to alert emergency contacts when abnormalities such as heart attacks are detected.

HappyKittySleepyKitty:

Monitors sleep patterns and stress levels in individuals with PTSD and anxiety. The device tracks physiological indicators that correlate with stress spikes and sleep disturbances, providing real-time feedback and artificial intelligence-driven suggestions for interventions that can improve the users’ well-being.

NeuroMotion:

Tracks movement and other medical data for patients suffering from Parkinson’s disease to determine if treatment is beneficial. It helps patients track their progress and optimize treatment plans that can assist with better recovery and positive mental health outcomes.

Original Article by Doug Donovan, Johns Hopkins University
Image credit: Will Kirk, Johns Hopkins University

The post Dr. Mike Rushanan Teaches Groundbreaking Course on Medical Device Cybersecurity at Johns Hopkins University appeared first on Harbor Labs.

Compliance v. Completeness: Rethinking SBOMs Under FDA Premarket Cybersecurity Guidance

Nick Yuran — Fri, 27 Feb 2026 16:40:48 +0000

Harbor Labs Chief Scientist Dr. Mike Rushanan served as the Principal Investigator for the paper Compliance v. Completeness: A Case Study on SBOMs in Consideration of FDA Premarket Cybersecurity Guidance, to be presented at the upcoming HealthSec 2025 Conference this December in Honolulu, HI.

The paper examines the FDA’s premarket cybersecurity guidance on the use of a Software Bill of Materials (SBOM) in medical device submissions, and how it is possible for a SBOM to be compliant but still incomplete. This assertion is supported by a recent Harbor Labs case study highlighting an anonymized medical device SBOM that met regulatory submission standards, but omitted deeply embedded third-party components and dependencies hidden by software development tooling. The extended SBOM revealed additional vulnerabilities, exposing the blind spots of the original SBOM. The study also found that excluding hardware components, or the HBOM, introduced additional unseen vulnerabilities, leaving devices exposed to risks such as microarchitectural attacks.

The findings reinforce an important distinction: building a SBOM solely for regulatory compliance does not always guarantee effective cybersecurity risk management. Manufacturers are encouraged to build BOMs that incorporate both transitive software dependencies and hardware components in order to maximize the effectiveness of vulnerability monitoring and postmarket surveillance.

The post Compliance v. Completeness: Rethinking SBOMs Under FDA Premarket Cybersecurity Guidance appeared first on Harbor Labs.

Regulatory Science Meets Cyber Science; Why It’s So Much More than a Pen Test

Nick Yuran — Mon, 09 Feb 2026 16:59:14 +0000

Anyone who has had professional interaction with the FDA has encountered the term regulatory science.

It is used extensively within the agency to convey the scientific disciplines that FDA Centers employ in performing their regulatory functions. More than just examiners with a checklist of pass/fail criteria, the role of the FDA examiner requires a diverse technical, clinical, and analytical skillset that clearly qualifies as a field of science.

At Harbor Labs, we apply a very similar mindset to our professional titles, starting with the question, when does cybersecurity become cyberscience?

When the work you perform involves information security, hardware security, computer science, clinical functionality, and an understanding of how all of this affects medical safety, you are certainly deserving of the title scientist. And this is precisely why the unique professional title Cyberscientist is given to most Harbor Labs technical staff positions. It is intended to recognize the diverse technical nature of our staff’s skillsets, as well as convey a subtle marketing identity to our community of clients.

We are frequently engaged by medical device manufacturers who are actively working on a regulatory submission, and have come to us because they “need a pen test performed.” While this is a perfectly reasonable request, at Harbor Labs, the term pen test is rarely used, and only then in a very specific context. The concept of a pen test, in which a variety of tools (Nessus, Metasploit, e.g.) are applied against a target system to identify known vulnerabilities, is only a subset of what is required to truly expose all potential flaws, weaknesses, and vulnerabilities in a medical system. We prefer instead to refer to the testing phase of our analysis as clinical cybersecurity testing. This more comprehensive term captures a broad variety of tests intended to stress the target system in ways that expose all categories of vulnerability. This can include fuzzing, reverse engineering, SAST, MITM, dynamic analysis, robustness (DoS and DDoS), software component analysis, and yes, various forms of COTS and custom pen testing.

**But what makes this testing clinical?**

Cybersecurity analysis alone can be insufficient if the therapeutic, diagnostic, or other clinical functions of the target system are not exercised in parallel. Without this additional context, the severity and functional impact of a vulnerability could be unknowable, leaving an examiner unclear on its true significance. At Harbor Labs, clinical context is at the forefront of our analysis, and has included such testing methods as:

The actuation of an infusion system by simulating a drug cassette’s behaviors
Removing the arm of a surgical robot to force an error condition
Processing actual samples of genetic material in a sequencer
Attaching EKG leads to our cyberscientists to generate real-time test data among other similar clinical exercises.

By integrating the medical characteristics and functions of the target device into the cybersecurity testing, the fidelity of the test results are far more meaningful and can lead to a clearer understanding of how security characteristics affect medical performance and patient safety.

When the results of such comprehensive testing are then combined with an understanding of the clinical functions of a target system, and the interactions that occur between the patient and clinician, only then is the testing sufficient for a CDRH examiner. Anyone who has been part of the more than 50% of all regulatory submissions that are rejected already understands this all too well.

Recognizing that medical cybersecurity is indeed a science and treating it as such will significantly reduce time to market for medical device manufacturers and lead to more positive regulatory outcomes for examiners and manufacturers alike.

The post Regulatory Science Meets Cyber Science; Why It’s So Much More than a Pen Test appeared first on Harbor Labs.

SBOM Transparency v. Exposure: Evaluating Adversarial Risk in Healthcare

Nick Yuran — Mon, 09 Feb 2026 16:40:45 +0000

Harbor Labs Chief Scientist Dr. Mike Rushanan served as the Principal Investigator for the paper The SBOM Transparency v. Exposure Dilemma: A Case Study on Adversarial Access to Public SBOMs in Healthcare. This is the second of his two papers to be presented at the upcoming HealthSec 2025 Conference this December in Honolulu, HI.

The FDA recommends that manufacturers publicly disclose a continuously updated Software Bill of Materials (SBOM) to support shared responsibility in cybersecurity risk management, vulnerability assessment, and mitigation. While this is a sound and proven security principle, caution should also be exercised in the public release of SBOMs without first evaluating the potential risks introduced by adversarial access.

To support this point, this paper examines a case study using a de-identified, FDA-compliant SBOM derived from a real-world medical device. Using a large language model (LLM), known vulnerabilities (CVEs) were extracted from the SBOM and an attack blueprint was automatically generated. The attack was then validated in a controlled containerized environment, demonstrating that even a minimally detailed SBOM can reduce adversary effort and streamline exploitation planning. The paper concludes with a recommendation that distinctions be made between the SBOM content provided to regulators, clinical end users, and the general public in order to limit unnecessary exposures.

The post SBOM Transparency v. Exposure: Evaluating Adversarial Risk in Healthcare appeared first on Harbor Labs.

Why FDA Rejects the Cybersecurity Content of Regulatory Submissions

Dr. Avi Rubin — Thu, 07 Jul 2022 16:33:00 +0000

Since Harbor Labs performed its first medical device cybersecurity assessment in late 2015, there has been a consistent and obvious trend in the origins of our client engagements.

More than half of all clients (62%) who have contracted with Harbor Labs for an assessment in support of a regulatory submission did so after one of the following conditions had occurred:

Negative premarket feedback
Rejected submission
Discovery of a postmarket vulnerability

Because each of these rejections represents misspent time and resources by both manufacturers and regulators, and in some cases imposed avoidable delays in getting clinical products to market, it is worth examining the leading factors that result in a rejected regulatory submission.

Our cyberscience staff recently met to compare experiences and identify the most common issues we have observed that ultimately led to bad regulatory outcomes. The following observations are anecdotal, but are nonetheless real-world examples of the more common assumptions and procedural oversights made by device manufacturers in their submissions that we have seen lead to FDA rejection:

“We use a proprietary communications protocol, which is in itself a sufficient security measure.”

Examiners have consistently rejected this argument. Proprietary mechanisms are security by obscurity. An attacker with unbounded time can circumvent them, a fact that has been proven through research by FDA staff themselves. Only use well-vetted, known, secure cryptographic algorithms, methods, or systems.

“After performing our own internal risk assessment and threat model, we concluded that a penetration test was not necessary to support our 510(k) submission.”

A risk assessment that does not trace or include cybersecurity testing will likely be rejected. All medical devices that incorporate software should include comprehensive cybersecurity testing. Moreover, the testing should trace back to cybersecurity requirements, and the requirements back to the risk assessment.

“We provided regulators with exhaustive documentation and our submission was still rejected.”

This typically occurs when different elements within a large organization produce the components of a submission independently. The content can become fragmented, and very often lacks traceability. Avoid providing document dumps that overwhelm the examiner. Logical sequencing, format consistency, organization, and cross-document traceability are more compelling than volume.

“Regulators questioned the qualifications of my testing group.”

It is not enough to simply provide a table of test descriptions with each column marked “Passed”. Examiners want to know who specifically performed the tests, details on the analysis performed, and the credentials of the test engineers. Identify your testing group by name and wherever possible, include their attestation letter in your submission.

“We don’t need to perform robustness testing (DoS, DDoS) because our service platform or cloud provider offers this protection as part of their subscription service.”

It is important to understand whether the cloud resources where medical software and data reside automatically scale and provide firewall and anomaly detection functionality. When it is determined that these services are not provided by a particular cloud resource (an AWS EC2 instance, for example), robustness testing should be performed and included in the submission. In most cases, executing robustness testing will also require the permission of the cloud provider. In any case, when a component of a medical system resides in the cloud, vendor documentation specifically identifying the cloud service being used and citing the security features it provides is essential for the reviewer.

“Our secure communication protocol was rejected.”

Nonsecure protocols such as Telnet and FTP are obvious red flags to an examiner. But, even secure protocols can be rejected if they are subject to a deprecated or insecure configuration. A common example is TLS 1.2, which is considered insecure because it supports many insecure or deprecated ciphers in its cipher suite.

It is often the case that public clouds and third-party web services and platforms do not support the latest version of TLS. In this case, it must be documented and made clear that the manufacturer, as the client, will negotiate the highest protocol and strongest cipher suite.

“We had a cybersecurity consultant perform in-depth, independent pen testing but the examiner felt the test data lacked sufficient detail.”

Submissions are sometimes rejected because they lack a specific type of cybersecurity test. At a minimum, testing should include penetration testing, static analysis, dynamic analysis, fuzz testing, and robustness testing. A true pen test that comprises only the output of COTS pen test tools will rarely be sufficient for approval. Customized testing that exercises the unique clinical features of a device is more likely to demonstrate the thoroughness and thoughtfulness that examiners are looking for.

The post Why FDA Rejects the Cybersecurity Content of Regulatory Submissions appeared first on Harbor Labs.

Medical Device Manufacturer Must Do’s for Cybersecurity

Dr. Mike Rushanan — Mon, 21 Mar 2022 23:14:33 +0000

At Harbor Labs, one of our most common services is reviewing the cybersecurity content of the premarket submissions of Medical Device Manufacturers (MDMs).

When we provide this service, my team is brought in to perform a third-party review of the client’s cybersecurity processes, procedures, and overall product cybersecurity posture. This review will result in the production of a Cybersecurity Threat Assessment (CTA) — our process for creating a threat model, performing a cybersecurity risk assessment, mapping cybersecurity requirements, mitigating and compensating controls, and performing pen testing/cybersecurity testing.

In our many engagements performing this type of analysis, we have had a unique opportunity to see a broad variety of MDM submissions and the resulting FDA feedback. And in the process, we have noted a pattern of common pitfalls that cause MDMs to be delayed or disqualified from receiving regulatory approvals. In this blog post, I have compiled an outlined list of must do’s to avoid the common cybersecurity obstacles that hinder regulatory approval.

Threat Model
- You must have a threat model.
- The FDA outlines this requirement and advises how to perform it in the following resources:
  - Content of Premarket Submission for Management of Cybersecurity in Medical Devices
  - Playbook for Threat Modeling Medical Devices.
- Threat model methodologies include:
  - STRIDE
  - Attack Trees
  - Kill Chain
  - DREAD
- Your threat model must also include:
  - Assets
    - For example, assets include servers, end-user devices, smartphones, laptops, PCs, embedded systems, cloud services, virtual machines, etc.
  - Communication or data flows
    - For example, define the type of data, its sensitivity (e.g., PHI), and the assets that send and receive it.
  - Risk actors
    - For example, define insider threats such as rouge developers or cloud admins.
  - Threats
    - For example, an attacker with physical access to a medical device may connect to its JTAG interface.
  - Trust boundaries
    - For example, a medical device does not need to trust the network that it transmits data on.
  - You must create a threat model diagram.
    - Your threat model diagram must depict assets, communication flows, and trust boundaries.

Cybersecurity Risk Assessment
- You must perform a risk assessment that considers cybersecurity vulnerabilities, defects, and exploits impacting patient safety.
- You must also risk assess general cybersecurity risks that do not impact patient safety.
  - Confidentiality
  - Integrity
  - Availability
  - Privacy
- You must create cybersecurity requirements, mitigation controls, and compensation controls.
  - Cybersecurity requirements prescribe how a device is secured.
    - For example, “All device network communication shall be secure.”
  - Mitigating and compensation controls implement the requirement to remove or reduce risk.
    - For example, “HTTPS using TLS 1.3 shall be used to ensure data is encrypted in transit.”
  - The FDA outlines this requirement and advises how to perform it in the following resources:
    - Content of Premarket Submission for Management of Cybersecurity in Medical Devices
    - The FDA also describes how to perform threat modeling in the Playbook for Threat Modeling Medical Devices.
  - The FDA recommends following and implementing risk assessment methodologies described in
    - NIST SP 800-30
    - IEC 62304
    - ISO 14971
    - Mitre’s Medical CVSS Rubric
  - You must include several types of cybersecurity risk assessment documentation, including, but not limited to:
    - Security Requirements Traceability Matrix
    - Device hazard analysis
    - Penetration Testing (see Cybersecurity Testing below)

Cybersecurity Testing
- You must perform cybersecurity testing against your device and related systems.
  - Related systems refer to computers, servers, cloud platforms, and software services that communicate and, generally, integrate with your device. This concept is referred to as a system of systems.
  - Types of testing include:
    - Network enumeration
      - For example, identify computing devices reachable from a network. Perform port scans and OS fingerprinting.
      - Tools include:
        
        Nmap
        
        Testssl
    - Penetration Testing
      - For example, passively eavesdrop on network communication and actively insert, modify, drop, or jam network communication.
      - Tools include:
        
        Nmap
        
        Nessus
        
        Metasploit
        
        Burp Suite
        
        Charles Proxy
        
        Wireshark
        
        Scapy
    - Static analysis
      - Software Component Analysis (SCA)
        
        Tools include:
        
        npm-audit
        
        bundler
        
        OWASP dependency-check
      - Static Application Security Testing (SAST) or Source Code Analysis Tools
        
        Tools include:
        
        SonarQube
        
        Bandit
        
        Brakeman
    - Dynamic Analysis
      - For example, perform input injection on running software.
        
        Tools include:
        
        Charles Proxy
        
        MITM proxy
        
        Burp Suite
        
        ZAP
        
        Scapy
    - DDoS and performance testing
      - Empirical analysis of network performance under artificial or malicious load
        
        Throughput
        
        Latency
        
        Packet loss
        
        Jitter
        
        Tools include:
        
        Hping
    - Fuzzing
      - Dynamic analysis technique to provide random, invalid, and unexpected inputs to a running software program or service
        
        Example tools:
        
        BooFuzz
        
        AFL
        
        Scapy
- You must identify OTS software and SOUP incorporated in your device and related systems, and you must perform a vulnerability assessment of it.
- You must create a Software Bill of Materials (SBOM).
  - You should determine software vulnerabilities using the NIST National Vulnerability Database.

Cybersecurity Monitoring
- You must implement audit and logging capabilities in your devices and related systems.
  - Auditing and logging functionality include detecting, monitoring, logging, and alerting.
  - Depending on your architecture, for example, a cloud-based backend, you may use standard IDS, IPS, and SEIM solutions to meet the requirement.

Cybersecurity Plan
- You must create a plan that describes your overall cybersecurity approach.
  - This approach must incorporate the threat model, cybersecurity risk assessment, and testing procedures above.
  - This approach must also include a process and procedures for:
    - Continuous software vulnerability analysis
    - Incident response to a vulnerability or compromise
    - Software patching and updating

Device Configuration and Deployment
- You must set your device’s default configuration to the most robust security setting.
  - For example, a firewall may be enabled that blocks all ports except for those running services. Only TLS 1.3 is enabled. MFA is required to authenticate users accessing services external but integrated with the device, etc.
- You must also clearly label and inform your device’s users on operating and configuring their device based on cybersecurity best practices.
  - For example, make it clear that disabling the firewall creates severe risks for your device. Allowing TLS 1.0 compromises the integrity and confidentiality of your network-based communication. Password-only authentication is susceptible to phishing and brute-force attacks, etc.
    - In many cases, you may forgo allowing your end-user to reduce security. In our experience, there is a lot of concern around this approach from MDMs.
  - The FDA outlines this requirement and advises how to perform it in the following resources:
    - Content of Premarket Submission for Management of Cybersecurity in Medical Devices

Cryptography, Risk Assessment, and Software Generally
- Risk assess known vulnerabilities for OTS software and SOUPs and provide a rationale if you decide not to update immediately.
- Use TLS 1.3 or TLS 1.2 with cipher suites that use authenticated encryption with associated data (AEAD) for bulk encryption.
  - See RFC 8446.
- Digitally sign and verify software updates using FIPS 140-3 approved algorithms such as ECDSA.
  - See FIPS 140-3
  - See NIST SP 800-140C
- Enforce access controls (authentication and authorization) server-side.
- Risk assess cloud services regarding access control, security configuration (e.g., encryption at rest and transit), etc. Don’t assume that using a third-party cloud provider is good enough.
- Enable encryption at rest wherever possible.
- Apply and enforce the principle of least privilege.
- Use hardware security modules and critical management services on the backend where
- Do not hardcode any password, credential, secret, API key, etc.

To summarize, the MDM must create processes and procedures memorialized in the cybersecurity plan. As a part of that plan, you must describe your threat modeling, cybersecurity risk assessment, and cybersecurity testing process. Then, you must execute these processes when developing and assessing your device. Lastly, you must provide this information and the testing results in your formal submissions to the FDA, regardless of whether it’s a Pre-Sub, 510(k), or PMA.

Our advice–be clear, consistent, and concise when describing your cybersecurity. Perform testing and provide the results as evidence that support your position that your device and its related systems are secure.

The post Medical Device Manufacturer Must Do’s for Cybersecurity appeared first on Harbor Labs.

Best Practices for Ensuring Cybersecure and Cybersafe Medical Device Design

HarborLabs — Wed, 26 Jan 2022 20:25:13 +0000

The internet of medical devices (IoMD) within a health care facility comprises a broad array of technologies, ranging from simple physiological instruments such as thermometers and pulse monitors, to sophisticated imagery and therapeutic systems with extensive computing resources and high-bandwidth networking. The bedside systems found in patient rooms, including pumps, sensors, and the nurses’ cart-on-wheels are not only networked, but are often directly connected to patient databases and billing centers. Unlike other computing platforms on the network, networked medical devices are designed primarily for their medical function, with less consideration given to the authentication technologies and cyberdefenses typical of other IT. This white paper addresses best practices for ensuring cybersecure and cybersafe medical device design to mitigate the risk of compromise or misuse.

The post Best Practices for Ensuring Cybersecure and Cybersafe Medical Device Design appeared first on Harbor Labs.

Medical Systems and Third-Party Smart Devices

Dr. Mike Rushanan — Fri, 10 Sep 2021 16:19:33 +0000

It is an increasingly common practice in the medical device industry to integrate third-party smart devices such as phones and tablets into medical device architectures and operational models.

After examining several such systems, Harbor Labs has identified a broad set of unique cybersecurity risks in smart devices that may impact patient safety and privacy. To understand these risks, let us examine the design and function of a fictitious insulin delivery system called FakePump.

FakePump is a medical device that can read a patient’s blood glucose levels and in response, administer the appropriate insulin therapy. The patient wears the device at all times. FakePump has a Bluetooth Low Energy (BLE) wireless interface that can pair to the patient’s iPhone and send and receive data. The patient must install the FakePump iOS App on their iPhone to enable device communication.

Data sent from FakePump includes periodic blood glucose levels and events such as an insulin injection. Data received from the FakePump app contains commands such as inject N-units of insulin. The app forwards all received data to a content delivery network (CDN) managed by the device manufacturer called FakePump.io. The CDN stores patient data and exposes APIs for mobile and website applications to access and manipulate collected data.

A physician, caretaker, or patient may access this data via the application or CDN.

In the FakePump architecture, the iPhone is untrusted. The manufacturer has limited or no control over the smart device, while the patient has complete control. The manufacturer can minimally influence a patient’s iPhone’s hardware and software capabilities by setting a minimum iOS version supported by its iOS app. For example, the FakePump manufacturer may set the minimum iOS version to 11. This setting guarantees that Secure Enclave is available, and SFSafariViewController enforces cookie space separation between Safari and iOS apps. These features provide secure storage for the iOS app’s private crypto keys and restrict access to web-based access tokens.

However, this constitutes minimal control. A patient may jailbreak his or her device, thereby ignoring iOS app requirements. A jailbroken device may enable an attacker to access all app data previously subject to application sandboxing. More troubling, an attacker may access the FakePump iOS application binary and reverse engineer it.

These risks are inherent to any architecture that requires a smart device, including both iOS and Android devices. A reverse-engineered FakePump iOS app is a serious risk, as the effort would reveal all implementation and protocol-level app defects. These defects include hardcoded credentials, secrets, keys, improper or lack of input sanitization, rolling credential practices, insecure fallback mechanisms for data transmission, improper use of system libraries and functionality and outdated software dependencies with known vulnerabilities.

A reverse-engineering effort puts FakePump user safety at risk. It reveals details about the iOS app and the pump and CDN, such as tokens, passwords, keys and authentication methods. An attacker may use this to their advantage to spoof or tamper with data and commands.

Even when we assume the iPhone to be unmodified, cybersecurity risks related to software implementation are manifold. For instance, if the FakePump iOS app implements any of the following, it directly impacts patient safety and privacy:

The iOS app stores configuration data such as user credentials using UserDefaults.

Sensitive data must never be stored using UserDefaults. Encryption is not enabled, and other applications may access the data even if application sandboxing is enabled (e.g., using app extensions).
Instead, the Keychain Services API should be used to encrypt and store sensitive data.

The iOS app copies sensitive data, including PHI and PII, to the UIPasteboard (also called clipboard).

Sensitive data must never be copied to the UIPasteboard because it is accessible to all iOS apps.

The iOS app does not protect against screenshots when PHI is displayed.

Protecting against screenshots is a unique requirement that is only really been explored by apps like Snapchat. Currently, the iOS application can receive a notification when a user takes a screenshot. At a minimum, the iOS app should log the action.

The iOS app does not use Certificate Transparency (CT) when establishing TLS connections.

Apple prescribes that all certificates issued after October 15, 2018, must meet its CT policy.

It should be noted that the cybersecurity risks presented in this paper were encountered in the course of Harbor Labs’ medical security analysis consulting, and were present in actual medical device architectures that included smart devices. Presenting these risks through a fictitious medical device is intended to illustrate the breadth of the patient safety and privacy issues that can be present in such architectures so that they may be avoided in future deployments.

The post Medical Systems and Third-Party Smart Devices appeared first on Harbor Labs.