Cybersecurity at a glance: Gap analysis for audit preparation at TNI Medical

TNI Medical AG develops solutions in the field of respiratory therapy with the aim of supporting the treatment of patients in everyday life. In addition to the functionality of the products, topics such as information security and regulatory requirements are becoming increasingly important, particularly with regard to audits by notified bodies.

This was precisely the task facing the Masimo softFlow system: the existing cybersecurity requirements needed to be fully and comprehensibly mapped in the technical documentation, particularly in the risk management file. TNI Medical commissioned the BAYOOMED team to carry out a gap analysis in order to identify potential gaps at an early stage.

Analysis of interfaces and data flows

As part of the project, the current state of cybersecurity was systematically assessed. The main focus was on the question of where risks can arise – especially where data enters or leaves the system, for example via USB or SD interfaces.

We also looked at how cybersecurity risks are taken into account in existing risk management and what measures are already defined to protect data and ensure system stability.

SBOM creation and analysis

A central part of the work was the review of the external software components used in the product. The focus here was on creating a Software Bill of Materials (SBOM) specially tailored to the firmware framework used. This involved determining which components and libraries are actually used in the firmware stack.

In addition, we considered how an SBOM analysis process could be established: how known vulnerabilities can be searched for and evaluated specifically on the basis of the SBOM created, for example by matching its components against relevant databases such as CVE and NVD.
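An SBOM-to-vulnerability matching step of the kind described above, as an added example (not code from BAYOOMED or TNI Medical): a minimal CycloneDX-style SBOM fragment and a vulnerability feed with NVD-style version-range fields are embedded inline, and each component version is checked against the ranges. The component names, versions and VULN-PLACEHOLDER ids are constructed for illustration; a real process would pull records from the NVD and match on CPE names.

```python
import json

# Added example; the SBOM and feed records are constructed: component names,
# versions and VULN-PLACEHOLDER ids are not real advisories. The range fields
# mirror NVD CPE match criteria (versionStartIncluding / versionEndExcluding).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "fw-tls-lib",    "version": "2.4.1"},
    {"type": "library", "name": "sdcard-fat",    "version": "1.0.9"},
    {"type": "library", "name": "usb-cdc-stack", "version": "3.2.0"}
  ]
}"""

VULN_FEED = [
    {"id": "VULN-PLACEHOLDER-1", "product": "fw-tls-lib",
     "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.0"},
    {"id": "VULN-PLACEHOLDER-2", "product": "sdcard-fat",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.1.0"},
    {"id": "VULN-PLACEHOLDER-3", "product": "usb-cdc-stack",
     "versionStartIncluding": "3.2.0", "versionEndIncluding": "3.2.5"},
]

def parse_version(v):
    """'1.0.9' -> (1, 0, 9); tuple comparison avoids the '1.10' < '1.9' string bug."""
    return tuple(int(p) for p in v.split("."))

def affected(version, rec):
    """Apply the NVD-style range fields of one record to one component version."""
    v = parse_version(version)
    if "versionStartIncluding" in rec and v < parse_version(rec["versionStartIncluding"]):
        return False
    if "versionEndExcluding" in rec and v >= parse_version(rec["versionEndExcluding"]):
        return False
    if "versionEndIncluding" in rec and v > parse_version(rec["versionEndIncluding"]):
        return False
    return True

def match_sbom(sbom_json, feed):
    """Return {(name, version): [ids]} for every SBOM component hit by the feed."""
    hits = {}
    for comp in json.loads(sbom_json)["components"]:
        ids = [r["id"] for r in feed
               if r["product"] == comp["name"] and affected(comp["version"], r)]
        if ids:
            hits[(comp["name"], comp["version"])] = ids
    return hits

if __name__ == "__main__":
    for (name, ver), ids in match_sbom(SBOM_JSON, VULN_FEED).items():
        print(f"{name} {ver}: {', '.join(ids)}")  # sdcard-fat and usb-cdc-stack hit
```

The first component is on a version above the fixed release and is correctly not reported; each hit would then be assessed for exploitability in the device context and recorded in the risk management file.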

View of processes and documentation

Another part of the analysis concerned the handling of software throughout its entire life cycle. This included the question of how updates and patches are implemented and whether changes to the software can be tracked properly.

The handling of known vulnerabilities was also examined. For this purpose, we analyzed the processes by which information from databases such as BfArM, MAUDE or NVD CVE is evaluated. The decisive factor here was whether this information is actually applied to the software components used in the product, including external libraries (SOUP).

We also looked at how TNI Medical communicates in the event of security-related updates or incidents – i.e. how customers are informed and what options are available for queries or support.

Cooperation in the course of the project

As in other projects, it became clear that coordination between the teams plays an important role – especially when it comes to topics that involve both technical and regulatory aspects.

Sebastian Wittor, Senior Project Manager Medical Engineering at BAYOOMED

The cooperation was also well received by TNI Medical.

Ewald Anger, CEO of TNI Medical:

Results as a basis for further preparation

The results were summarized in a gap and risk assessment report. This serves as a basis for TNI Medical to specifically address identified points and to further complete the documentation with regard to the upcoming audit.

Further services in the area of cybersecurity

Do you need support in the area of cybersecurity and are currently looking for a suitable partner for the implementation? Simply contact us and we’ll get to know each other and find out whether we’re the right choice for you.