Read Harbor Lab's Latest Medical Postmarket Surveillance Alert
  

  • Medical

    Device Security

    Consulting

    Clinical Pen Testing, Secure Medical Topologies, Cloud Security,
    Cryptography, Hardware Security, Secure Patch Models

  • FDA

    Regulatory and Certification

    Support

    Medical Security Consulting in Support of 510(k), PMA,
    Q-Submissions, FIPS and UL 2900

  • Medical Threat

    Landscape Monitoring

    and Alerts

    Automated Continuous Monitoring of the Device Attack Service

  • Healthcare

    IT Security

    and Compliance

    EHR, EMR and Healthcare IT Security Consulting
    Investigative and Litigation Support

Harbor Labs Cyberscientists
Medical Security Experts

Harbor Labs cyberscientists are recognized in the healthcare and regulatory industries as leading experts in medical security, providing the cyber disciplines underlying many of the medical industry’s leading surgical, diagnostic and therapeutic systems. Highly experienced with the clinical functions and common operational models of a broad array of medical technologies, Harbor Labs is the ideal go-to-market security partner for medical device vendors and OEMs.

Dr. Avi Rubin

Dr. Avi Rubin

Chief Scientist

Dr. Mike Rushanan

Dr. Mike Rushanan

Director of Medical Security

Dr. Paul Martin

Dr. Paul Martin

Director of Firmware Security

Dr. Ayo Akinyele

Dr. Ayo Akinyele

Director at Large of Cryptographic Engineering

Dr. Avi Rubin's technical leadership is reflected in every Harbor Labs initiative, whether serving as the project lead or providing technical oversight to his elite scientific staff. Dr. Rubin is the founder and director of the Johns Hopkins University Health and Medical Security Lab where his work is advancing medical device security and future healthcare networks. He is a Professor of Computer Science at Johns Hopkins University where his coursework is developing the next generation of medical security professionals. Dr. Rubin has testified on national healthcare cybersecurity policy before the U.S. House and Senate on multiple occasions, and has authored several books on computer security. He is a frequent keynote speaker at industry and academic conferences, and delivered widely viewed TED talks in 2011 and 2015. His Ph.D. from the University of Michigan is in the area of Applied Cryptography and Computer Security.

Dr. Rushanan serves as the project lead for Harbor Labs' healthcare clients, with a focus on medical device developer software, medical firmware and device communications protocols. While experienced with a broad range of medical devices, he is widely recognized for his expertise in cardiac devices and diabetes management systems. Dr. Rushanan also specializes in hardware exploits and applied cryptography, and is the lead instructor for much of Harbor Labs medical security coursework. Dr. Rushanan holds a Ph.D. in Computer Science from Johns Hopkins University.

Dr. Paul Martin is the lead designer and developer of many of Harbor Labs' security analysis tools, and the primary project lead for the company’s healthcare IT engagements. The holder of multiple patents in the fields of binary analysis, data security analytics and IoT monitoring, Dr. Martin is also expert in embedded systems security, OS security, network protocol analysis and reverse engineering. Dr. Martin holds a Ph.D. in Computer Science from Johns Hopkins University.

Dr. Ayo Akinyele is the Director at Large of Cryptographic Engineering for Harbor Labs. His expertise in applied cryptography supports client engagements where complex cryptographic frameworks, including key management, secure protocols and encryption functions are required. Dr. Akinyele holds a Ph.D. in Computer Systems and Network Security from Johns Hopkins University.

Medical Device Security Consulting
Secure Medical Device Design and Implementation

Harbor Labs provides both premarket and postmarket medical security consulting services to assist our partners and clients in meeting their cybersecurity and regulatory objectives. Often integrated with product development teams and working closely with client product management, Harbor Labs' staff designs and implements industry best-practice, regulatory-compliant security solutions into our clients’ medical systems.

Harbor Labs’ comprehensive security skill set and engineering experience have been applied to a broad range of medical platforms, ranging from patient-wearable technology, to bedside patient devices, to complex clinical enterprise systems. Whether responding to a postmarket vulnerability, preparing a device for regulatory submission, or simply implementing best-practice security measures, Harbor Labs is the ideal security partner for medical device vendors and OEMs.

  • Cryptography
  • Firmware Security
  • Full-stack Secure Programming
  • Key Management
  • DIY/Jailbreak Prevention
  • Web App Security
  • Software as a Medical Device (SaMD) Security
  • Wireless Security/Pairing
  • Secure Hardware Interfaces
  • Clinical Interconnectivity
  • Clinical Pen Testing
  • Cloud Security
  • Secure Patch Models/Software Updates
  • Threat Modelling
  • Threat Landscape Monitoring
Security Review and Documentation

Producing and maintaining quality security documentation is critical to the continuity of internal security best practices, and for ensuring the successful outcome of any regulatory interaction. Harbor Labs has produced extensive sets of security documentation for clients, including cybersecurity analyses, security policy documents, threat models, attacker models, and penetration test plans, among many others. These documents serve as the foundation for our clients’ internal security policies and procedures, and meet the requirements necessary for industry certifications and regulatory approvals.

Document
Review

The first stage in any Harbor Labs consulting engagement typically begins with a thorough security review of all existing design documentation associated with the client system’s firmware, communication protocols, topology, patch models, interfaces, access controls and cryptographic systems. Where documentation is missing or requires modification, Harbor Labs staff will produce the security materials and documentation necessary to meet the client’s objectives. All documentation is produced according to the client’s internal formatting standards, or templated to meet the requirements of the regulatory body or certification authority to which the documentation will be submitted.

Threat Models

Harbor Labs’ threat models are generated per client specifications, conforming either to an established model (STRIDE, DREAD, PASTA) or to the client’s proprietary standard. The threat model will comprise multiple elements, including:

  • Diagram of the architecture, data flow and trust boundaries
  • Attack Tree
  • Attacker model that describes attacker goals and capabilities
  • System description that identifies patient safety harm/non-harm risks
  • Identification of weaknesses in the cybersecurity approach
  • Recommendations for corrective measure
A CVSS 3.1 and CVSS medical rubric score is applied to all vulnerabilities and identified CVEs, along with a reference to any published regulatory guidance relevant to the issue.
Clinical Pen Testing and Custom Exploitation Analysis

Harbor Labs’ experience with medical device firmware and common clinical deployment models allows for the development of customized pen testing and exploitation analyses. This testing is designed to exercise the security policy assertions of the target system, and to inspect for the common medical vulnerabilities that are likely to receive scrutiny during regulatory review. Harbor Labs strives to provide a comprehensive analysis, going beyond just the documented security polices and basic attack surface of the target system to discover the obscure, complex, and chained premarket vulnerabilities that might otherwise be overlooked.

Harbor Labs conducts an exhaustive series of exploits against the attack surface of the target system using a combination of Harbor Labs’ proprietary analytic tool set and select open-source tools, to determine any flaws, misconfigurations, weaknesses or vulnerabilities that might disqualify it from regulatory certification. The resulting report highlights those issues with the highest probability of impacting patient safety, along with a CVSS 3.0 score and recommendations for remediation.

  • Device Firmware(s)
  • Hardware Interfaces
  • Access Controls
  • Web Application Security
  • Cloud Security
  • Wireless Protocols
  • Cryptographic Systems
  • Patch Models
Medical Device Security Managed Services Packages

Harbor Labs offers customized retained services packages designed to meet the ongoing security and regulatory management requirements of our clients. These packages often serve to augment our client’s existing product management and security teams, providing expert resources and services on an as-needed, on-call basis. For other clients, these managed services packages serve as an outsourcing vehicle for critical services that our clients lack the time or resources necessary to perform by utilizing their own staffing.

Ranging from simple on-call technical inquires to complex cyberengineering projects, Harbor Labs managed services provide clients with expert, independent security consulting, ensuring that our partners are never without the staffing and resources necessary to respond to their most urgent and critical security needs.

Harbor Labs Managed Services packages can be tailored to the specific requirements of the client, and may include:

  • On-call Cyberengineering Support
  • Dedicated Rack Space for Device and Firmware Test String(s)
  • Customized Continuous Vulnerability Monitoring and Alerts
  • Pre-release QA Services
  • Security Analyses, Pen Testing
  • Postmarket Surveillance Support
  • Regulatory Guidance Support
  • Sales and Marketing Support
  • Training
FDA Regulatory and Certification Support
Regulatory Support

Harbor Labs provides cyber consulting in support of regulatory submissions and postmarket actions, including the FDA 510(k) and PMA certification process and all relevant forms of Q-Submissions. Often interacting directly with regulators on behalf of the medical device client, Harbor Labs staff will work with CDRH and OPEQ examiners and policy staff to meet the security requirements necessary to certify a system. Our level of support varies based on the requirements of the client, ranging from a purely analytic role to more comprehensive architecture, engineering, full-stack software development and remediation projects. Whether part of the presub process or responding to a postmarket incident, Harbor Labs’ understanding of regulatory science and our commitment to positive security outcomes for our clients’ products is reflected in every engagement.

  • 501(k) Submissions
  • Premarket Authorizations
  • Postmarket Surveillance Reports
  • Q-Subs
  • De Novo Classification Requests
  • Submission Issue Requests
  • CLIA Waivers
  • Adverse Event Reports
  • Study Risk Determinations
Regulatory Submissions

Working directly with FDA examiners and cyber policy analysts, Harbor labs has developed a series of submission templates designed to meet the 510(k) and PMA requirements for formatting, content, and sequencing of the security portion of the submission. Harbor Labs experience with the submission process and past interactions with regulatory scientists has given our staff an understanding of the sources of delays and disqualifications that may block regulatory review and approval. By providing the content and formatting that is expected by regulatory examiners, and eliminating extraneous, incomplete and disqualifying content, Harbor Labs can ensure a rapid review process and faster time to market for our clients.

Process for Regulatory Submissions
  • process-review
    REVIEW

    Review the target system documentation and design, conduct system reconnaissance and client interviews.

  • process-document
    DOCUMENT

    Document the system’s asserted security policies and build the threat model.

  • process-test
    TEST

    Develop a clinical pen test to validate security policies and exercise potential vulnerabilities.

  • process-remediate
    REMEDIATE

    Create a remediation plan for any identified vulnerabilities, retest to confirm corrective action.

  • process-report
    REPORT

    Produce a final security report on the target system with the content and formatting required for regulatory submission.



Postmarket Surveillance

Harbor Labs offers postmarket surveillance services for clients looking to implement best practices for cyberhygiene and threat landscape monitoring for their postmarket products, as well as services for clients operating under a Section 522 postmarket surveillance plan. Through a combination of analytic consulting services and automated monitoring tools, Harbor Labs safeguards deployed clinical systems from unexpected security issues that might compromise device safety, and ensures compliance with any applicable regulatory surveillance requirements.

  • Automated Firmware Security Analysis
  • Automated CVE and ICS Alert Monitoring
  • Post-Event Harm/Non-Harm Impact Testing and Analysis
  • Patch Model Strategy and Security
  • Regulatory Reporting and Disclosure Support
monitor-firmwareiq
    Common Vulnerabilities and Exposures (CVEs)
  • OS/RTOS Vulnerabilities
  • Application Vulnerabilities
  • Library Vulnerabilities
    Chipset Vulnerabilities
  • WiFi
  • Bluetooth
  • GPS
  • Baseband and Modem
  • Microcontrollers/ Microprocessors
    Cryptographic Vulnerabilities
  • Deprecated Cryptographic and Hashing Algorithms
  • Expired Certificates
  • Revoked Certificates
tablet-firmwareiq
FirmwareIQ and Postmarket Surveillance

FirmwareIQ provides the foundation for clinical device continuous threat monitoring. Employing a system of patented analytic engines, FirmwareIQ performs thousands of separate automated inspections of the target device software, identifying vulnerabilities and potential areas of weakness. The output is a comprehensive analytic report that categorizes, prioritizes and scores every area of weakness, misconfiguration and exploitable vulnerability within the device. The output is displayed in a graphically-intuitive report that is sortable, searchable and navigable, allowing users to quickly pinpoint the areas of greatest security concern.

FirmwareIQ generates a comprehensive record of the device, identifying each of the key attributes and technical characteristics that could serve as the basis for a future postmarket exploit. These attributes include the operating system(s), executables, libraries, chip set(s), cryptography and networking components, among other device characteristics. Once compiled, this record serves as the device’s attack surface and is the basis for Harbor Labs continuous threat landscape monitoring service.

Software Bill of Materials (BOM)

Using only the software binary, FirmwareIQ can unpack the device firmware and produce a high-fidelity reconstruction of the target file system. The SBOM is provided in tabular format as part of the FirmwareIQ security report, formatted for regulatory submission. The SBOM is sortable and searchable for quick reference and research by the end user, and serves as one of the inputs for Harbor Labs Postmarket Surveillance.

Vulnerabilities Disclosures

When Harbor Labs staff discovers a vulnerability and develops an exploit, we work with the client not only to remediate the vulnerability, but to ensure that it is properly reported and shared with the cyber community. Disclosures are conducted in a manner consistent with the client’s business process, while complying with post-market regulatory reporting requirements. Through our ongoing work with the regulatory community, Harbor Labs is committed to reporting newly discovered vulnerabilities to the appropriate oversight bodies and registered as CVEs to prevent future exploits.

Healthcare IT Security and Compliance
EHR and Healthcare IT Investigative and Litigation Consulting

Working with state and federal investigative organizations, regulatory agencies, and commercial healthcare IT clients, Harbor Labs has established an extensive resume in healthcare IT investigation and litigation consulting. Our staff of experts combines their expertise in healthcare, information security and litigation to provide clients with an unmatched level of support in EHR and healthcare IT-related cases. Whether working with investigators or representing the subject of an investigation, Harbor Labs provides a broad range of expert services to provide clients with the information necessary to resolve their healthcare IT investigative and litigation casework.

  • Target Systems
  • EHR/EMR Systems
  • Medical Billing Systems
  • Health Insurance IT Systems
  • Telehealth
  • Remote Monitoring Systems
  • Device-Connected Healthcare IT Systems
  • Therapeutic/Diagnostic Software Systems

With a long-standing corporate resume in the medical security market and an equally strong reputation in the legal and federal justice community, Harbor Labs is able to combine its expertise in healthcare, information security and litigation to provide clients with an unmatched level of support in EHR and healthcare IT cases.

Investigative and Litigation Support Services | Expert Testimony
  • Privacy and Security
  • Functional Specification Compliance
  • Code Reviews and Code Quality Assessments
  • System Performance Validation Testing
  • Compliance Testing Integrity
  • Information Sharing/Blocking
  • Information Sharing/Blocking
  • Proper Version Controls
  • Meaningful Use/Promoting Interoperability Eligibility
  • Healthcare IT Intellectual Property
  • Merit-Based Incentive Payment System (MIPS) Eligibility
  • Interoperability and CEHRT Compliance
Training Classes

In addition to being medical security experts, Harbor Labs training staff has taught coursework on information security at the university level and remain active in the academic community. While all Harbor Labs training is organized and presented in a format consistent with common academic standards, the coursework is often modified to focus on the specific training needs of the client, with customized content derived from a broad set of medical security disciplines. Choose from one of the following standardized training courses, or let Harbor Labs customize the coursework and content needed to meet the specific training needs of your organization.

Cybersecurity for Application Developers

(2 Days, 12 CPEs)

Topics Include:

  • Web Application Development
  • Cybersecurity Design Life Cycles
  • Secure Configuration and Policy Management
  • Proper Implementation of Cryptographic Protocols (SSL/TLS)
  • Authentication
  • Web-based Attacks
  • Secure Coding Practices
  • Vulnerability Assessment
  • Browser Security
Register

Medical Device Security

 

(1/2 Day)

Topics Include:

  • Security Nuances of Private, Semi-Private and Open Networks
  • Common Medical Device Exploits
  • Secure Design and Implementation
  • Encryption Functions
  • Key Management
  • Secure EHR Integration
  • Secure Network Protocols
  • Secure Patch Models
  • Pairing Protocols Security
  • Wireless Security
Register

UL 2900-2-1 Compliance

 

(1/2 Day)

Topics Include:

  • Submission Requirements
  • Schedule & Fees Management
  • UL CAP Testing & Evaluation Process
  • UL 2900-compliant design process
  • Disqualifying Designs and Performance
  • Resubmission
  • Marketing and Promotion of Certification
  • Postmarket Compliance
  • Interaction and Communication with the UL CAP Team
Register

Founded by Dr. Avi Rubin

Founded by medical security pioneers in 2011, Harbor Labs has grown to become a global name in medical device security, providing the cyber technologies that protect thousands of deployed clinical devices and healthcare systems.

Medical devices secured by Harbor Labs, and counting

Our Clients
a message from the CEO, Nick Yuran
Working with
Medical Security Blog