Eliminate uncertainty with custom decision trees

We work with you to create a decision tree that meets your needs, adapting to your data, product info, and logic. Get the Medcrypt advantage with a more scalable, evidence-based, and repeatable product cybersecurity assessment.

Contact us >

Take your risk mitigation to the next level

With our bespoke decision trees, we enable you to proactively identify risks and opportunities. We work with you to model the decision tree based on your data, logic, and products, producing repeatable and reliable results.

See case study   >

Increased efficiency and ease-of-use

Our decision tree methodology has proven to be easier to use than traditional error-prone scoring methods, while reducing reliance on human experts, and increasing efficiency. It also enabled capturing and integrating qualitative inputs better.

Eliminate cybersecurity uncertainty & rework

Making changes to your current product development to support new FDA regulations, such as adding a cloud-based patching strategy, can be costly and have a significant impact on your resource and budget planning.

Proactive and effective stakeholder communication

Decision trees provide a clear and simple communication tool for internal and external stakeholders, increasing regulatory confidence in your risk management approach.

Save potentially months of R&D opportunity costs

Using our decision tree methodology, medical device manufacturers have shown that they can save up to 8-12 months of R&D opportunity costs.

Eliminate unexpected delays & get to market faster

As you’re working your way through the new FDA cybersecurity requirements, our decision tree helps you feel confident that you’re making the right changes to your strategy to meet regulatory requirements.

Increased return on investment

Using our decision tree preserved or reduced patient risk, minimized additional costs to patients, and maintained or improved business outcomes, including cost of goods sold (COGS), timelines, and project scope.

Why should I use a decision tree instead of scoring methods?

  • Scoring methods are based on individual human judgment, thus are not scientifically sound and repeatable. They are also not scalable, relying on constant use of human experts.

  • You run the risk of missing critical issues, as well as the FDA disagreeing with your risk scoring, all of which impacts your bottom line.

Avoid unexpected delays by ensuring you’re making risk management decisions you and others can trust.

CASE STUDY

Helping our customers succeed

Don’t just take our word for it. Our MDM client saved up to 12 months in R&D opportunity cost using one of our custom decision trees. They were able to make strategic changes that they felt confident would not impact timelines significantly and would help them meet FDA cybersecurity regulations.

Challenge: Determine the most effective device patching strategy to meet FDA requirements

Problem: Devices did not support over-the-air updates for patching

This MDM’s devices did not support secure over-the-air (OTA), or cloud-based, updates. Adding OTA capabilities across all device lines would significantly impact their development timelines, which would in turn delay their time-to-market.

However, with the new FDA cybersecurity regulations, particularly around patching strategies, they were worried that with their current non-wireless system of updating, they would not get FDA approval for their devices. Could they make smaller, less system-wide changes that would meet cybersecurity requirements while not putting them getting their devices to market in a timely manner in jeopardy?

Client’s original approach: Prone-to-error scoring

This MDM was using an error-prone scoring method and threshold to determine the products that were at highest regulatory risk, possibly requiring strategic shifts which would significantly impact R&D costs and time-to-market.

Because their method was based on individual human judgment, it was not scientifically sound and repeatable, thus they also ran the risk of the FDA disagreeing with their risk scores, which would further impact their bottom line.

Our scalable, repeatable solution

Results:

Our client was able to maintain their product development timelines. Where they did need to delay timelines, they were able to demonstrate ROI with reduced regulatory risk.

Using decision trees preserved or reduced patient risk, minimized additional costs to patients, and maintained or improved business outcomes, including cost of goods sold (COGS), timelines, and project scope.

Where the client did determine they needed to implement OTA capabilities, they felt confident in the value of this investment, as well as decreased uncertainty of regulatory rejection. This enabled them to realize a savings of 6 to 12 months of R&D opportunity cost.

Decision tree:

We developed a bespoke decision tree that adapted the MDM’s existing data, logic, and product information to model their decision ecosystem, thereby enabling them to accurately see the risks that would result from each decision, eliminating uncertainty and speeding time-to-market.

Meet our experts

Our team of former FDA analysts and reviewers provides the best-qualified, credentialed, and experienced product security benefit-risk assessment in the world.
Contact us today   >
Naomi Schwartz
Sr. Director of Cybersecurity Quality and Safety
Naomi is a regulatory, compliance, and standards expert. She employs gap analyses, proposes mitigation strategies, and optimizes cybersecurity frameworks to address risk and uncertainty for device commercialization and to meet regulatory requirements and guidelines. Naomi has 20+ years of systems engineering experience.

Prior to Medcrypt, she was a premarket reviewer and consumer safety officer in CDRH for 6+ years, focusing on software, interoperability, and cybersecurity for connected diabetes devices. Her industry leadership and strategic direction include crafting standards and recommended practices for wireless diabetes device security, managing postmarket triage for cybersecurity vulnerability disclosure. She holds an MS in Electrical and Computer Engineering from Carnegie Mellon University and is a Certified Quality Auditor.
Seth Carmody, PhD
VP, Regulatory Strategy
Seth has 10 years of medical device experience and provides strategic direction for cybersecurity products and services for the regulated device market.

Prior to Medcrypt, he spent 8 years at the FDA, architecting technology policy and laws that impact software-enabled medical devices, including the FDA’s medical device cybersecurity policies. His industry leadership and strategic direction extends to several high-profile industry frameworks including the Joint Security Plan (HSCC), MITRE’s Rubric for Applying CVSS to Medical Devices, and MDIC’s Playbook for Threat Modeling Medical Devices. He has authored several medical device cybersecurity papers and won several information security awards. He holds a PhD in Chemistry from Indiana University.
Cynthia Peralta
Sr. Director, Encryption, Key Management and PKI
Cynthia is a Public Key Infrastructure and cybersecurity expert. She provides critical and high-value insight and design of cybersecurity components, including cryptography and key management, that form the basis of security trust. She has 24+ years of experience in enterprise application, systems security, embedded device security, and device architecture & design. She handles FDA letters, including Refuse to Accept letters.

Prior to Medcrypt, she worked at several Forbes top 100 global organizations, including GE Digital, where she built out GE Healthcare’s encryption, key management, and PKI infrastructure.
Matt McKenna
Sr. Director, Product Security
Matt is a threat modeling and risk management expert. He supports clients in their journey to adopt a total quality framework, which is  necessary to go to market with reasonable and planned resources and cost. He also handles FDA letters, including Refuse to Accept letters.

Prior to Medcrypt, he led cybersecurity, technology direction, and national security efforts at a number of companies, including MITRE, National Grid, and Becton Dickenson. He holds a BA in Computer Science from Rhode Island College.
AJ Reiter
Director, Strategy and Organizational Transformation
AJ specializes in enterprise digital transformation, program development, continuous process improvement, and cybersecurity. He assesses organizational security and implements actionable transformation plans and services to achieve executive targets.

Prior to Medcrypt, he spent five years doing management consulting, providing comprehensive business transformation services to Fortune 500 clients in various industries, including Pharmaceuticals, Defense, Consumer Packaged Goods, and Medical Devices. He has a BS in Economics from Georgetown University, where he captained the 4x national champion Georgetown Sailing Team.