Case Study

Cybersecurity Hardening for FDA-Regulated Eye Scanning SaMD

Client Overview

  • Industry: Digital Health / Ophthalmic Diagnostics
  • Product: Cloud-based AI-powered eye scanning application (Software as a Medical Device)
  • Use Case: Retinal image analysis for early detection of diabetic retinopathy and other ophthalmic conditions
  • Users: Ophthalmologists, telemedicine providers, and diagnostic labs

A health tech startup developing an eye scanning SaMD platform sought to align with FDA requirements during the premarket submission process and improve postmarket cybersecurity readiness. With sensitive patient imaging and AI-powered diagnostics at stake, robust security was a core regulatory and operational priority.

Pre-FDA Approval: Premarket Cybersecurity Activities

Problem Areas Identified

  • Insecure API endpoints for image upload and retrieval
  • Inconsistent session handling logic led to session fixation issues
  • Imaging data stored temporarily in unencrypted cloud storage
  • No security risk management plan in place for SaMD classification

Cybersecurity Controls Implemented (Premarket)

01.

Threat Modeling & Risk Management (per FDA Guidance)

  • Conducted structured threat modeling aligned with FDA’s 2022 Cybersecurity Premarket Guidance
  • Defined and documented potential risks to:
    - Patient safety from unauthorized model manipulation
    - Data confidentiality (PHI in DICOM or image metadata)
    - Diagnostic integrity from tampered AI inputs/outputs
  • Created a Cybersecurity Risk Management File (CRMF) linked to the SaMD’s Design History File (DHF)
03.

Premarket Testing and Documentation

  • Conducted static and dynamic application security testing (SAST/DAST)
  • Performed third-party penetration testing
  • Submitted SBOM (Software Bill of Materials)
  • Included a cybersecurity use case traceability matrix
02.

Secure Design and Architecture

  • Encrypted imaging data-at-rest using AES-256
  • Role-based access control (RBAC) across user types (e.g., ophthalmologist, technician)
  • Secure boot and firmware validation for imaging devices
  • Used TLS 1.3 encryption and certificate pinning for all image and result transmission
04.

Increased Confidence and Trust

DreamTech gained increased confidence and trust from their customers and stakeholders, demonstrating their commitment to cybersecurity and protecting patient data. This strengthened their reputation as a trusted provider of cloud-based wireless sleep monitoring devices in the healthcare industry.

Post-FDA Approval: Postmarket Surveillance and Ongoing Security

Postmarket Security Strategy

Security Event Monitoring & Incident Response
  • Deployed a SIEM system
  • Defined and tested a coordinated vulnerability disclosure (CVD) process

  • Created an incident response plan with FDA reporting thresholds

Patch Management & Threat Intelligence
  • Introduced automated vulnerability scanning
  • Established patch release cycles

  • Subscribed to ISAC health sector threat feeds

Periodic Security Review
  • Conducted annual third-party security audits
  • Updated risk assessments per FDA Postmarket Cybersecurity Guidance

  • Maintained traceability of new threats to software changes

Impact

  • FDA SaMD submission accepted with cybersecurity risk controls validated
  • All critical vulnerabilities mitigated premarket; none discovered during initial 12 months post-launch
  • Audit-ready documentation maintained
  • Elevated trust from clinics and hospitals adopting the AI-driven diagnostics solution

Reusability

  • A corneal scan-based AI platform
  • A low-connectivity mobile eye care unit The modular design supports FDA, EU MDR, and Health Canada cybersecurity expectations.

Conclusion

This case illustrates the necessity of building cybersecurity into both the design and lifecycle management of Software as a Medical Device (SaMD). Aiyanaar’s intervention helped the eye scanning startup secure FDA approval, fortify patient safety, and scale confidently into clinical settings—all while maintaining a security posture ready for evolving threats.

Let's Collaborate

Got a project?

Get a Quote

We’re a team of creatives who are excited about unique ideas and help fin-tech companies to create amazing identity by crafting top-notch UI/UX.

Back

Leave a Reply

Your email address will not be published. Required fields are marked *

You don't have credit card details available. You will be redirected to update payment method page. Click OK to continue.