MEDICAL DEVICES

Quantum-safe from firmware to clinical network

Four service areas covering the complete medical device PQC migration, from firmware binary audit through FDA-ready and MDR-compliant documentation.

CRYPTOBOM TOOL

Know your device's crypto exposure before the FDA reviewer does

CryptoBOM scans medical device firmware binaries and produces a structured Cryptographic Bill of Materials. Every ECDSA P-256, RSA-2048, and AES-128 instance is located to binary address, classified by post-quantum risk severity, and mapped to its NIST FIPS 203 or 204 replacement path.

CryptoBOM supports ELF, Intel HEX, S-record, and raw binary formats. Available in a limited evaluation edition and a full enterprise edition with fleet-wide batch scanning, FDA SBOM-ready JSON export, and IEC 62443-4-2 audit reports for connected device submissions.

  • Binary formats: ELF · Intel HEX · S-record · raw .bin
  • Output: JSON (FDA SBOM-ready) + Excel (IEC 62443 evidence) + MDR Art.5 audit package
  • Editions: Limited evaluation · Enterprise (unlimited scans + audit reports)

CONSULTING

The security risk analysis your regulatory file is missing

ISO 14971 risk management and AAMI TIR57 security risk analysis were both defined before NIST published its post-quantum standards. The quantum-capable nation-state adversary does not appear in any current medical device security risk file. MDR Article 5 and FDA premarket guidance are increasingly interpreted to require post-quantum readiness.

PQ-SARA adds the quantum-capable nation-state (QCNS) adversary to your threat landscape, runs the risk assessment under ISO 14971 and AAMI TIR57, and delivers a complete FDA premarket and MDR/UKCA evidence package.

What you receive
  • Security risk analysis: quantum threat actor profile (QCNS) added
  • CryptoBOM Excel: crypto asset inventory for all scanned device firmware
  • Remediation roadmap: FIPS 203/204 migration by device priority
  • FDA premarket cybersecurity submission evidence package
  • MDR / UKCA Article 5 compliance evidence appendix
  • Executive summary: 2-page briefing for programme management

Engagements from £15,000. 6–8 week delivery.
First assessment slots available. Contact us to scope.

Crypto Inventory

CryptoBOM scan of all device firmware binaries. Every classical algorithm located, classified, and logged against the device's security functions.

Quantum Threat Profiling

Quantum-capable nation-state (QCNS) adversary profile constructed per AAMI TIR57 / ISO 14971 threat identification and integrated into the device threat landscape.

Risk Assessment

ISO 14971 / AAMI TIR57 security risk analysis updated with post-quantum findings. Asset categories, harm scenarios, and risk values updated and documented.

Compliance Report

FDA premarket cybersecurity evidence package and MDR/UKCA Article 5 compliance appendix. Deliverables reviewed and signed off with your team.

IN DEVELOPMENT · IEC 62304 DOCUMENTATION IN PROGRESS

ML-KEM and ML-DSA for IEC 62304 Class B and C medical device software

The cryptographic library your regulatory file actually needs — not just a working binary.

IEC 62304 Conformant

Class B / C software lifecycle documentation package: SOUP analysis, traceable requirements, release notes, and change control records. Compatible with standard QMS processes including ISO 13485.

FDA / MDR Ready

NIST FIPS 203/204 Known Answer Test (KAT) validated. MISRA C:2012 compliant. Cybersecurity file evidence-ready for FDA 510(k)/PMA submissions and MDR Article 5 technical file appendices.

Multi-Platform

Target embedded platforms common in connected medical devices:

  • STM32L5 — Cortex-M33, 110 MHz
  • nRF5340 — Cortex-M33, 128 MHz
  • STM32L4 — Cortex-M4, 80 MHz
  • NXP Kinetis K/KL series — Cortex-M4/M0+

SERVICES

Your migration is only as good as your last test

We test medical device systems specifically for post-quantum cryptographic weaknesses. Implantable communications, hospital wireless, clinical backend APIs. We look at whether the algorithms your device uses will survive a cryptographically relevant quantum computer, and whether your migration has actually closed the exposure.

Engagements from £20,000.

Implantable RF / BLE

Proprietary radio pairing and BLE pairing ceremony for cardiac, neural, and drug-delivery devices. Algorithm classification and Harvest Now, Decrypt Later (HNDL) exposure window assessment.

OTA Firmware Pipeline

Firmware signing algorithm, TLS cipher negotiation, update server PKI for connected devices. Harvest Now, Decrypt Later exposure window for stored firmware signing keys.

Hospital Network / DICOM

DICOM TLS cipher suite, PACS server certificate chain quantum-readiness classification, HL7 FHIR endpoint algorithm classification.

Cloud Backend / PHI

Patient data in motion: TLS cipher suites, certificate chain algorithm, backend PKI quantum-readiness. HNDL exposure window for stored PHI with long sensitivity periods.

Not sure which service fits your device programme?

A 30-minute conversation is free and no-obligation.