A roadmap to compliance: DNV Cyber’s product security services aided regulatory compliance for a medical device
DNV Cyber reviewed the device’s architecture design and conducted threat modelling.
This allowed the company to identify cyber-security gaps at all stages, plot a path to regulatory compliance, and make the device less vulnerable to disruption and/or interference.
The review outcome enabled optimization of the device’s overall architecture, saving cost and maintaining appropriate security over the product lifecycle.
This project was delivered by Applied Risk, a DNV company. DNV, Applied Risk, and Nixu joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest growing cyber-security services businesses.
A growing company that had established itself as a leader in the field of medical devices was seeking to ensure that its signature product, a new type of automated insulin pump for people with diabetes, complied with US and EU cyber-security regulations. The manufacturer approached DNV Cyber to help develop a compliance roadmap. DNV Cyber was selected because of its relevant expertise and its track record of working extensively and successfully with major healthcare providers and life-science companies.
In initial discussions, DNV Cyber determined that the customer faced three key pain points on the road to compliance:
It did not follow a rigorous device architecture approach that included security as one of the principles. Some security requirements were added along the way instead of being an intrinsic part of the design premise.
It did not have a full picture of how vulnerable the device might be to disruption and/or interference.
It lacked independent verification that it had followed the Secure Development Life Cycle (SDLC) process during the development of the pump.
Making the SDLC process part of development sets a precedent for taking a similar approach to other devices.
Data from threat modelling enabled strategies to mitigate threats.
The customer was able to move toward, and then remain in, regulatory compliance.
Reviewing design architecture and modelling threats
DNV Cyber responded by performing an architecture design review of the device and carrying out a threat modelling programme as part of the SDLC process. The threat modelling looked closely at the core components of the pump to gain an understanding of its function. It defined and classified the assets associated with the pump, created a threat model to identify their vulnerabilities, and established the prevalence of threats they faced. The vulnerabilities were identified by examining documentation on the pump and interviewing the developers of the pump and its components.
Team members used the data collected during these steps to develop strategies that could be used to mitigate threats and also be integrated into the product.
This information verified how the developers applied the principles of Secure-By-Design by:
Including comprehensive security requirements in every step of the device lifecycle.
Building security principles and requirements into the overarching device architecture, solution design, and technology.
Including security checks in coding, testing, staging, and production.
Ensuring the ability to dispose of data securely, in line with privacy considerations and legal requirements.
Developing a method to update and upgrade the device during its operational life to facilitate maintenance for end-users.
Building security checks and reviews into our R&D process has helped us find problems and fix them before they cause any trouble.
Chief Engineer at manufacturer
Developing a roadmap to success
DNV Cyber Risk developed a roadmap that helped the client move toward a continuous security focus and regulatory compliance, and then remain in compliance, even after it achieved its initial goals. This was in line with the SDLC process, which aims to ensure that software is developed in ways that facilitate maintenance, updates, and revisions.
These actions allowed the device manufacturer to identify cyber-security gaps in all SDLC stages, mark out a path toward regulatory compliance, and make the device less vulnerable to disruption and/or interference. The review outcome enabled the company to optimize the device’s overall architecture, thus saving cost and maintaining the appropriate security level throughout the full product lifecycle.
DNV Cyber’s programme had four qualities that made it successful:
Pragmatic: The programme gave the customer a realistic view of the pump’s security issues, including vulnerabilities and obstacles to compliance, and assisted in the development of actionable plans for remediation and improvement of the device’s architecture.
Holistic: These plans allowed the manufacturer to embed the SDLC process into every aspect of its development cycle and provide for full testing of the system every time a major milestone approached.
Forward-thinking: More importantly, the plans helped identify high-risk bugs and weaknesses – including third-party vulnerabilities – before the pump went to market. As a result, the customer was able to bring the quality and security of its product up to even higher levels.
Repeatable: Making the SDLC process part of the development cycle sets a precedent for taking a similar approach to other devices that may also have a positive impact on users’ quality of life. This has positive implications for the manufacturer’s reputation.