
Case Study CENTERVUE SPA Penetration Test

Industry
Medical Technology
Challenge
iCare needed a penetration test on their confocal microperimetry device, assessing its cybersecurity for FDA approval.
Results
The results of the penetration test included a comprehensive report detailing all findings, accompanied by recommended remediation measures where necessary. Any vulnerabilities identified were scored according to the Common Vulnerability Scoring System (CVSS), providing clear prioritisation for any required actions.
Key Product
CREST Penetration Testing
The report they provided was incredibly thorough, with a detailed breakdown of the IEC-60601 requirements, clearly identifying the results of each section. Their findings were instrumental in our FDA submission, giving us solid, trusted evidence to support our application. Highly recommend this team for any medical device security needs.
Enrica Rumiato
iCare

About iCare
iCare is a global leader in ophthalmic diagnostics, specializing in innovative, user-friendly solutions for eye care professionals, including advanced tonometers and retinal imaging devices.
The Challenge
iCare approached Periculo to conduct a penetration test on their confocal microperimetry device, a sophisticated medical device combining hardware and software components. The device features a retinal scanning digital camera integrated with a digital display, designed to aid in fundus imaging and perimetry.
The official scope outlined by the client detailed their need for a third-party cybersecurity assessment. Specifically, they sought a penetration test to evaluate the security of the embedded software within the device, which operates both as a standalone unit and when connected to hospital IT networks. The device also includes a cloud connection for licence-based non-medical software, further broadening the scope of security considerations.
In addition to technical requirements, the client stipulated that the testing aligned with FDA-recognised consensus standards, including IEC 80001-1, IEC 81001-5-1, and IEC/TR 60601-4-5.
The ultimate goal of the assessment was to provide robust evidence to support their application for US FDA approval, ensuring the device met the highest standards of medical device security and compliance.
The Solution
With a strong foundation in cybersecurity for the digital health industry, Periculo leveraged its expertise to meet iCare’s specific needs. Our team has extensive experience conducting penetration tests for both Software as a Medical Device (SaMD) solutions and physical medical devices, ensuring compliance with industry standards.
For this engagement, we carefully reviewed the latest version of IEC/TR 60601-4-5, the FDA-recognised guidance for penetration testing of medical devices. By aligning our assessment with the most up-to-date standards, we ensured the testing process met all requirements for FDA submission.
This meticulous approach underscores Periculo’s commitment to delivering thorough, standards-based assessments that not only enhance medical device security but also support regulatory approval processes.
Working with the team for our device’s penetration testing was seamless from start to finish. We were initially concerned about the logistics of shipping our device from Italy, but they took care of everything, ensuring it arrived safely in the UK and returned just as smoothly. The level of detail in the testing was outstanding; they went deep into both the hardware and software, uncovering insights we hadn’t even considered.
Implementation
To carry out the penetration test, iCare arranged for the physical device to be securely shipped to Periculo’s on-site testing facility.
As the client was based in Italy, this required careful logistical coordination to ensure the device arrived safely and within the necessary timeframe. Upon receipt, our team conducted a detailed inspection to confirm the device’s condition, providing confidence in the integrity of the testing process.
Our assessment followed a rigorous methodology combining automated tools and manual testing techniques, aligned with the Penetration Testing Execution Standard (PTES), whilst also following our CREST-accredited penetration testing framework. This hybrid approach allowed us to thoroughly evaluate the device’s resilience, identify potential security vulnerabilities, and offer actionable recommendations for improvement.
By adhering to these best practices, we ensured a comprehensive and accurate security assessment of the medical device.
The Results
The results of the penetration test included a comprehensive report detailing all findings, accompanied by recommended remediation measures where necessary.
Any vulnerabilities identified were scored according to the Common Vulnerability Scoring System (CVSS), providing clear prioritisation for any required actions.
Following the testing, the device was securely returned to the client in Italy.
This engagement provided the client with several key benefits.
- The detailed testing report served as critical evidence for their FDA submission, helping them navigate regulatory requirements with confidence.
- Additionally, by identifying and addressing potential vulnerabilities, they were able to enhance the overall security posture of their device, strengthening its resilience against potential threats. This proactive approach not only ensured compliance but also increased the product’s credibility and trustworthiness in the eyes of healthcare providers and patients.
This project with iCare showed us how much value comes from working closely with our clients, especially when there’s a lot to coordinate across countries.
From handling logistics to in-depth testing and meeting regulatory needs, we continue to learn a lot about what medical device companies really need to get through compliance smoothly and securely.
If you’re looking for a partner who can simplify the process and take the stress out of compliance, let’s chat!
We’d love to show you how our approach can make a difference for your team and your customers.