CUSTOMER STORY

Identifying Medical Device Vulnerabilities for Faster FDA Approval

A medical device manufacturer wanted to accelerate its time to FDA approval by reducing its attack surface and minimizing the severity of vulnerabilities in its devices—all without delaying product timelines or straining development resources. By running RunSafe’s Risk Reduction Analysis, the company was able to quickly identify vulnerabilities in its software and see the potential effectiveness of RunSafe mitigations for protecting legacy devices without changing code or disrupting device performance.

The Challenge

A medical device manufacturer needed to accelerate its time to FDA approval. To do so, the company was looking to reduce its device attack surface and minimize vulnerability severity, particularly in legacy systems with known weaknesses.

Legacy Devices Exposed to Cyberattack

With legacy medical devices operating in clinical environments, the manufacturer faced growing cyber risk from unpatched software components, any of which could compromise patient safety or delay regulatory approval.

Limited Visibility into Vulnerabilities

The device manufacturer was looking for full visibility into vulnerabilities in the device software, including third-party components, to accurately assess the device’s risk posture.

Risking Time to Market

To remain competitive and meet regulatory timelines, the company needed a solution that could reduce the attack surface and mitigate vulnerabilities—without introducing performance issues or derailing development workflows critical to FDA approval.

Industry

Medical Device

Key Features

  • Vulnerability Analysis: Identified exploitable vulnerabilities to support FDA approval and prioritize remediation efforts
  • Risk Mitigation: Demonstrated how vulnerabilities could be mitigated without altering source code
  • Legacy Protection: Revealed potential risk reductions by deploying runtime protection to secure legacy medical devices without requiring refactoring or rewriting

The Solution

To help the manufacturer meet FDA expectations and reduce its risk posture, RunSafe Security conducted a comprehensive vulnerability analysis as part of its Risk Reduction Analysis.

Using the manufacturer’s SBOM and associated vulnerability data, RunSafe identified and evaluated over 2,000 vulnerabilities present in the device. The analysis identified the vulnerabilities that posed critical risks, particularly those related to memory safety, and the risk reductions that could be achieved by applying RunSafe’s runtime code protection to mitigate them.

Of the vulnerabilities RunSafe identified, 53 were critical vulnerabilities, with 77% of those critical vulnerabilities related to memory safety.

Memory safety issues included:

  • CWE-119: Improper Restriction of Operations within Memory Bounds (10 vulns)
  • CWE-120: Classic Buffer Overflow (8 vulns)

RunSafe’s Risk Reduction Analysis also demonstrated how software exposure could be reduced by applying RunSafe’s runtime protections. For example, 49% of the vulnerabilities found in the device would be mitigated by applying RunSafe Protect, which would resolve 77% of critical vulnerabilities in the device.
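As an added illustration (not RunSafe's tooling, and using constructed records rather than the manufacturer's data), the script below shows the kind of SBOM-driven triage the analysis describes: deduplicating findings, filtering to critical severity, and reporting how many of those critical findings fall into memory-safety CWE families. The memory-safety CWE set, the field names and the sample findings are all assumptions.

```python
from collections import Counter

# Assumed classification: CWE ids treated as memory-safety weaknesses.
MEMORY_SAFETY_CWES = {
    "CWE-119", "CWE-120", "CWE-121", "CWE-122", "CWE-125",
    "CWE-415", "CWE-416", "CWE-787",
}

# Constructed sample of what an SBOM-linked vulnerability feed might yield.
# Placeholder CVE ids; the first entry is deliberately listed twice, as
# happens when a vulnerable library is bundled under two component names.
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-0001", "component": "libparse 1.2", "severity": "CRITICAL", "cwes": ["CWE-120"]},
    {"id": "CVE-0000-0001", "component": "libparse 1.2 (vendored)", "severity": "CRITICAL", "cwes": ["CWE-120"]},
    {"id": "CVE-0000-0002", "component": "netstack 3.0", "severity": "CRITICAL", "cwes": ["CWE-119", "CWE-787"]},
    {"id": "CVE-0000-0003", "component": "authsvc 0.9", "severity": "CRITICAL", "cwes": ["CWE-287"]},
    {"id": "CVE-0000-0004", "component": "imglib 2.1", "severity": "HIGH", "cwes": ["CWE-125"]},
    {"id": "CVE-0000-0005", "component": "cli 1.0", "severity": "MEDIUM", "cwes": ["CWE-20"]},
]


def dedupe(findings):
    """Collapse repeated CVE ids so one vulnerability is counted once."""
    unique = {}
    for f in findings:
        unique.setdefault(f["id"], f)  # first occurrence wins
    return list(unique.values())


def memory_safety_summary(findings):
    """Summarise total, critical, and memory-safety critical findings."""
    unique = dedupe(findings)
    critical = [f for f in unique if f.get("severity", "").upper() == "CRITICAL"]
    mem_critical = [f for f in critical if set(f.get("cwes", [])) & MEMORY_SAFETY_CWES]
    # Per-CWE tally restricted to the memory-safety families above.
    by_cwe = Counter(c for f in mem_critical for c in f["cwes"] if c in MEMORY_SAFETY_CWES)
    pct = round(100 * len(mem_critical) / len(critical)) if critical else 0
    return {
        "total": len(unique),
        "critical": len(critical),
        "memory_safety_critical": len(mem_critical),
        "memory_safety_pct_of_critical": pct,
        "by_cwe": dict(by_cwe),
    }


if __name__ == "__main__":
    for key, value in memory_safety_summary(SAMPLE_FINDINGS).items():
        print(f"{key}: {value}")
```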

Medical Device Vulns

The Results

By running a RunSafe Risk Reduction Analysis, the medical device manufacturer received insight into total vulnerabilities in its device, the severity of vulnerabilities, and the potential to reduce risk in its software by applying runtime code protection.

With this information, the medical device manufacturer could make informed security decisions to:

  • Significantly reduce the device’s attack surface
  • Accelerate time to market for FDA approval
  • Reduce developer time spent manually chasing vulnerabilities, patching, and retesting
  • Apply protection against both known CVEs and zero-day threats

About the Customer

The company is a global healthcare provider that manufactures critical devices for patient care.
