Case Study Details

“The cybersecurity audit and subsequent activities, including penetration and vulnerability testing of the system, as well as the drafting of cybersecurity-related documentation, has enabled us to prioritize improvements to the cybersecurity aspects of our system and successfully prepare for the product’s US FDA 510(k) Premarket Submission.”

Vice President, Development
Cerebra Medical

Trevor Bodz

Cerebra Medical

Background of the Project

Cerebra Medical designs, develops, and manufactures Electroencephalogram sleep monitoring systems and medical device software for collection and analysis of physiological data recorded during sleep. At the time of this project, the Cerebra Prodigy 2 Sleep System was cleared for by Health Canada for Clinical use as a Class 2 medical device. This project will enable the entry of the Prodigy 2 Sleep System to into the US Market via the FDA approval process, opening a very broad market-space for Cerebra to compete in.

Why Aversan?

Cerebra Medical wanted to have external resources audit their Prodigy 2 Sleep System to ensure a successful 510k submission to the US Food and Drug Administration (FDA). Cerebra was particularly focused on engaging experts within the medical device industry that had extensive expertise in the areas of Software, Verification and Cybersecurity. Given Aversan’s successful history of working in the Medical Industry, Cerebra selected Aversan to audit their DHF and complete the gaps assessment.

Scope of the Project

This work was divided into 3 phases, to allow Cerebra to manage the project, and to define the scope of future phases: In Phase 1, Aversan conducted an audit on the Cerebra Prodigy 2 Sleep System DHF against IEC 62304: 20151 and the FDA’s guidance for Cybersecurity in Medical Devices2,3 documenting findings, observations and recommendations for remediation.
Based upon the Phase 1 findings, Aversan was awarded Phase 2 of this project, to provide assistance in remediating the findings from the audit. Cerebra chose to engage in several solutions to expedite their remediations. Leveraging Aversan’s resource talents, staff augmentation was utilized by Cerbra to address documentation gaps and internal improvements.
In addition, Cerebra engaged Aversan on an additional phase to expand their test evidence, specifically targeting Cybersecurity requirements such as threat modelling and penetration testing of the Cerebra Sleep System.

Challenges

The project schedule was aggressive with durations of 4 and 8 weeks for Phase 1 and Phase 2, respectively. Aversan staffed the team with the required technical resources to support the project schedule needs. The team worked independently on both phases of the project and solicited input from the Cerebra team when necessary. The Aversan team completed the project deliverables on-time as per the original plan although the customer extended the schedule to complete their Phase 2 activities. The customer accepted the audit and penetration test reports and the drafts of the supporting documents with minimal comments.

Results & Conclusion

To meet their business goals, Cerebra needed to kick off, conduct the audit, identify gaps, and remediate findings within an aggressive timeframe. The reports’ short/long term recommendations and categorized audit findings (Major, Minor, Opportunity for Improvement and Good Practice) facilitated prioritization of the work performed by the Cerebra’s team. Aversan was able to quickly setup infrastructure and scale the team based on the project needs to meet Cerebra’s target dates. The inclusion of the FDA 2018 draft guidance in the audit report provided Cerebra Medical with the option to demonstrate its product design considering future requirements for aspects of cybersecurity and the medical device standards . It also provides additional feedback and enables Cerebra to address any gaps in their product’s design history files before the audit