A major manufacturer of kidney dialysis systems engaged with Harbor Labs to extend the functionality of their line of portable dialysis machines. These models were being designed specifically for home use, disconnected from clinical networks and operated by the patients themselves. With this use model, it was of critical importance that the device’s network connectivity and data storage be secure and compliant with regulatory standards.
The manufacturer contracted Harbor Labs to implement a secure network connection between the device and a cloud backend, which would be used by clinicians to monitor these devices, receive and store patient data, and push out secure software updates.
In addition to its medical device security expertise, Harbor Labs is also expert in full-stack software development. The project began with a review of the client’s design, architecture, and software requirements. Then, Harbor Labs implemented a C library using a FIPS-certifiable version of OpenSSL, selecting both the cryptographic algorithms and key sizes. A build system was written using CMake that cross-compiled for various architectures, including the client’s embedded architecture (arm and aarch64/arm64). Harbor Labs worked directly with the client’s software development group to integrate the solution into the target product line.
The final implementation significantly expanded the client’s product offering, allowing secure home use of their medical device while complying with regulatory data privacy standards. This project was somewhat unique for Harbor Labs as it was not directly associated with an FDA regulatory submission. Harbor Labs was selected solely on the basis of the company’s diverse technical resume and the client’s desire to have best-practice security in their core product line.