A major manufacturer of kidney dialysis systems engaged with Harbor Labs to extend the functionality of their line of portable dialysis machines. These models were being designed specifically for home use, disconnected from clinical networks and operated by the patients themselves. With this use model, it was of critical importance that the device’s network connectivity and data storage be secure and compliant with regulatory standards.
The manufacturer contracted Harbor Labs to implement a secure network connection between the device and a cloud backend, which would be used by clinicians to monitor these devices, receive and store patient data, and push out secure software updates.
In addition to Harbor Labs’ medical device security expertise, the company is also expert in full-stack software development. The project began with a review of the client’s design, architecture, and software requirements. Then, Harbor Labs implemented a C library using a FIPS-certifiable version of OpenSSL, selecting both the cryptographic algorithms and key sizes. A build system was written using CMake that cross-compiled for various architectures, including the client’s embedded architecture (arm and aarch64/arm64). Harbor Labs worked directly with the client’s software development group to integrate the solution into the target product line.
The final implementation significantly expanded the client’s product offering, allowing secure home-use of their medical device while complying with regulatory data privacy standards. This project was somewhat unique for Harbor Labs as it was not directly associated with an FDA regulatory submission. Harbor Labs was selected solely on the basis of the company’s diverse technical resume and the client’s desire to have best-practice security in their core product line.