Client Overview
- Industry: Digital Health / Medical Imaging
- Product: Cloud-based AI Software as a Medical Device (SaMD) for detecting abnormalities in chest X-rays and CT scans
- Use Case: Supports radiologists by providing real-time triage suggestions and highlighting potential anomalies
- Regulatory Focus: FDA, EU MDR, and ISO 13485 compliance for SaMD
A health AI startup was developing a deep learning-based radiology platform intended for global distribution. As a SaMD, the platform needed to meet strict security, privacy, and reliability standards, especially due to the sensitivity of diagnostic data and regulatory oversight.
Problem Statement
The initial prototype raised several concerns:
- Unencrypted DICOM image transmission during uploads and AI processing
- No audit trail for image access or diagnostic output generation
- Black-box AI outputs, which lacked integrity verification
- Lack of formal cybersecurity documentation in the premarket submission package
- No vulnerability management strategy in place for post-launch updates
These gaps posed a regulatory risk under FDA premarket cybersecurity guidance, increased breach potential, and weakened the platform’s trust among hospital IT security teams.
Cybersecurity-Focused Solution by Aiyanaar
1. Secure Development Lifecycle (SDLC) Integration
- Embedded security reviews at all design stages (requirements, architecture, implementation)
- Applied threat modeling (STRIDE) on cloud-based inference pipeline
- Documented mitigation of each identified cybersecurity risk in the Design History File
2. Data Protection Measures
- Encrypted DICOM images at rest (AES-256) and in transit (TLS 1.3)
- Implemented fine-grained RBAC based on user roles (radiologist, admin, reviewer)
- Applied image watermarking and hash-based integrity checks to detect tampering
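The hash-based integrity checks and the audit trail called for above can be built from standard-library primitives. The block below is an added example, not the platform's own code: it seals an image object with a SHA-256 digest plus an HMAC tag (a plain digest alone can be recomputed by whoever altered the pixel data), gates inference on that check, and records every access decision in a hash-chained log so that edits to the log itself are detectable. The key, the DICOM-like byte string and the actor names are all constructed for the demo.

```python
"""Hash-based integrity sealing for DICOM objects plus a hash-chained audit trail.

Added example, not the platform's own code. Assumptions (all constructed here):
an HMAC-SHA256 key that would normally come from a KMS, and a DICOM object
represented as raw bytes (preamble + "DICM" magic + filler instead of a real study).
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for a KMS-held key; never hard-code a real key.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Constructed DICOM-like object: 128-byte preamble, "DICM" magic, filler pixel data.
SAMPLE_DICOM = b"\x00" * 128 + b"DICM" + bytes(range(256)) * 4


def seal_object(data: bytes, key: bytes) -> dict:
    """Return a manifest binding the SHA-256 digest of the object to a keyed tag.

    A plain digest detects accidental corruption, but an attacker who can rewrite
    the pixel data can also rewrite a plain digest. The HMAC tag can only be
    produced by a key holder, so a rewritten object cannot carry a valid manifest.
    """
    digest = hashlib.sha256(data).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"alg": "HMAC-SHA256", "sha256": digest, "tag": tag}


def verify_object(data: bytes, key: bytes, manifest: dict) -> bool:
    """Check both the digest (corruption) and the tag (forged manifest)."""
    digest = hashlib.sha256(data).hexdigest()
    expected_tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the comparison stopped matching.
    return (hmac.compare_digest(digest, manifest["sha256"])
            and hmac.compare_digest(expected_tag, manifest["tag"]))


class AuditLog:
    """Append-only log where each entry hashes the previous one.

    Deleting or editing an entry breaks the chain, so the log itself is
    tamper-evident; in production the head hash would be anchored externally.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(body: dict) -> str:
        # Canonical JSON so the hash does not depend on key order.
        return hashlib.sha256(
            json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        ).hexdigest()

    def append(self, actor: str, role: str, action: str, object_id: str, outcome: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "object": object_id, "outcome": outcome, "prev_hash": prev,
        }
        entry = dict(body, entry_hash=self._hash(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or self._hash(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def process_upload(data: bytes, manifest: dict, log: AuditLog,
                   actor: str, role: str, object_id: str) -> bool:
    """Gate AI inference on the integrity check and record the outcome either way."""
    ok = verify_object(data, INTEGRITY_KEY, manifest)
    log.append(actor, role, "inference_requested", object_id,
               "accepted" if ok else "rejected_integrity_failure")
    return ok


def demo():
    """Seal a study, accept it, reject a one-bit modification, reject a forged manifest."""
    log = AuditLog()
    manifest = seal_object(SAMPLE_DICOM, INTEGRITY_KEY)
    log.append("svc-ingest", "service", "upload_sealed", "study-001", "ok")
    accepted = process_upload(SAMPLE_DICOM, manifest, log, "dr.ada", "radiologist", "study-001")

    tampered = bytearray(SAMPLE_DICOM)
    tampered[200] ^= 0x01  # flip one bit inside the pixel data
    rejected = process_upload(bytes(tampered), manifest, log, "dr.ada", "radiologist", "study-001")

    # Attacker recomputes the digest for the tampered bytes but cannot recompute the tag.
    forged = dict(manifest, sha256=hashlib.sha256(bytes(tampered)).hexdigest())
    forged_ok = verify_object(bytes(tampered), INTEGRITY_KEY, forged)
    return accepted, rejected, forged_ok, log.verify_chain(), len(log.entries)


if __name__ == "__main__":
    print(demo())  # (True, False, False, True, 3)
```

Both rejected requests still land in the audit log, which is the point: an integrity failure is itself an event a hospital security team will want to see, and the chain check is what lets an auditor trust that the log has not been trimmed after the fact.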
3. AI Inference Security
- Validated that model inputs and outputs stay consistent across versions, so that a new release cannot silently change inference behaviour (inference drift)
- Integrated an AI explainability layer to reduce reliance on black-box predictions
- Ensured each diagnosis is reproducible and logged the decision rationale for every scan
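One concrete form of the cross-version consistency check is a release gate: the cleared model's outputs on a pinned golden set are recorded once, and a candidate version only ships if it reproduces them. The block below is an added example, not the platform's validation suite. The three scoring functions are constructed stand-ins for model versions (a sigmoid over three features, nothing trained), the golden set is constructed feature vectors, and the tolerances are illustrative; the golden set is itself hash-pinned so a later run cannot quietly swap in an easier one.

```python
"""Release gate for a new model version: it must reproduce the cleared version's
outputs on a pinned golden set, with the golden set itself hash-pinned.

Added example, not the platform's validation suite. The three scoring functions
are constructed stand-ins for model versions (a sigmoid over three features), and
the golden set is constructed feature vectors; nothing here is trained.
"""
import hashlib
import json
import math

# Constructed golden set: study id plus a small feature vector per case.
GOLDEN_SET = [
    {"id": "g-001", "x": [0.10, 0.20, 0.05]},
    {"id": "g-002", "x": [0.20, 0.30, 0.10]},
    {"id": "g-003", "x": [0.10, 0.30, 0.20]},  # sits close to the decision threshold
    {"id": "g-004", "x": [0.50, 0.10, 0.30]},
    {"id": "g-005", "x": [0.00, 0.00, 0.00]},
]
THRESHOLD = 0.5   # score above this is flagged "abnormal"
SCORE_TOL = 1e-3  # allowed score change for a version claimed to be equivalent


def _sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def model_v1(x):
    """Cleared version (constructed weights)."""
    return _sigmoid(4.0 * x[0] + 2.5 * x[1] - 1.0 * x[2] - 1.2)


def model_v2_equivalent(x):
    """Same weights, different evaluation order (e.g. a fused/optimised runtime)."""
    return _sigmoid((4.0 * x[0] + 2.5 * x[1]) - (1.0 * x[2] + 1.2))


def model_v2_drifted(x):
    """Quietly retrained: one weight changed, which flips cases near the threshold."""
    return _sigmoid(4.0 * x[0] + 3.5 * x[1] - 1.0 * x[2] - 1.2)


def golden_digest(golden) -> str:
    """Pin the golden set so a later run cannot swap in a friendlier one."""
    canonical = json.dumps(golden, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def record_baseline(model, golden, version: str) -> dict:
    """Run the cleared model once and store its outputs with the golden-set digest."""
    outputs = {}
    for case in golden:
        score = model(case["x"])
        outputs[case["id"]] = {"score": score, "label": int(score > THRESHOLD)}
    return {"version": version, "golden_digest": golden_digest(golden), "outputs": outputs}


def check_consistency(candidate, golden, baseline: dict, version: str,
                      score_tol: float = SCORE_TOL) -> dict:
    """Compare a candidate against the baseline; any label flip or score drift fails."""
    report = {"candidate": version, "baseline": baseline["version"],
              "golden_digest": golden_digest(golden),
              "max_abs_delta": 0.0, "label_flips": [], "passed": False, "reason": ""}
    if report["golden_digest"] != baseline["golden_digest"]:
        report["reason"] = "golden_set_mismatch"
        return report
    for case in golden:
        ref = baseline["outputs"][case["id"]]
        score = candidate(case["x"])
        report["max_abs_delta"] = max(report["max_abs_delta"], abs(score - ref["score"]))
        if int(score > THRESHOLD) != ref["label"]:
            report["label_flips"].append(case["id"])
    if report["label_flips"]:
        report["reason"] = "label_flip"
    elif report["max_abs_delta"] > score_tol:
        report["reason"] = "score_drift"
    else:
        report["passed"], report["reason"] = True, "ok"
    return report


if __name__ == "__main__":
    base = record_baseline(model_v1, GOLDEN_SET, "v1.0")
    for name, m in [("v2.0-rc1", model_v2_equivalent), ("v2.0-rc2", model_v2_drifted)]:
        r = check_consistency(m, GOLDEN_SET, base, name)
        print(name, r["passed"], r["reason"], r["label_flips"])
```

The report (candidate and baseline versions, golden-set digest, maximum score delta, flipped case ids) is the artefact to file with the release record; a label flip on a case near the threshold is exactly the kind of change that would not show up in aggregate accuracy metrics.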
4. Premarket Compliance Package Preparation
- Built and submitted:
  o SBOM (Software Bill of Materials)
  o Cybersecurity Risk Management File (aligned to IEC 81001-5-1:2021)
  o Penetration test reports from a third-party firm
  o Secure update mechanism documentation
- Created and tested a cybersecurity use case traceability matrix
5. Postmarket Surveillance Setup
- Deployed a vulnerability monitoring system tied to CVE databases
- Established a patch deployment pipeline with rollback and audit logging
- Prepared a Coordinated Vulnerability Disclosure (CVD) policy and public contact point
- Ensured compliance with FDA Postmarket Cybersecurity Guidance (2023 revision)
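The monitoring system's core job is to match the SBOM submitted at premarket against a vulnerability feed and flag what needs a patch versus what needs a compensating control. The block below is an added example, not the platform's monitoring system: the SBOM is a constructed CycloneDX-style fragment with fictitious component names, the advisory feed is constructed with placeholder identifiers (ADV-TEST-nnn, deliberately not real CVEs), and the introduced/fixed version ranges follow the shape used by OSV-format feeds.

```python
"""SBOM-to-advisory matching: the core of a postmarket vulnerability monitoring job.

Added example, not the platform's monitoring system. The SBOM is a constructed
CycloneDX-style fragment with fictitious component names; the advisory feed is
constructed with placeholder identifiers (ADV-TEST-nnn, not real CVEs) and uses
introduced/fixed version ranges in the style of OSV-format feeds.
"""
import re

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed SBOM fragment (CycloneDX-like shape; component names are fictitious).
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "dicom-parser", "version": "1.4.2"},
        {"name": "infer-runtime", "version": "2.2.5"},
        {"name": "imgcodec", "version": "1.9.0"},
        {"name": "tls-lib", "version": "4.0.1"},
    ],
}

# Constructed advisory feed with placeholder ids; a range without "fixed" has no fix yet.
ADVISORIES = [
    {"id": "ADV-TEST-001", "package": "dicom-parser", "severity": "HIGH",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.4.2"}]},
    {"id": "ADV-TEST-002", "package": "infer-runtime", "severity": "CRITICAL",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.3.0"},
                {"introduced": "3.0.0", "fixed": "3.1.1"}]},
    {"id": "ADV-TEST-003", "package": "imgcodec", "severity": "MEDIUM",
     "ranges": [{"introduced": "0"}]},
    {"id": "ADV-TEST-004", "package": "infer-runtime", "severity": "LOW",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.1.0"}]},
]


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' (or '1.4.2rc1') into a comparable tuple; '1.4.0' equals '1.4'."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def affected_range(version: str, ranges):
    """Return the first [introduced, fixed) range containing version, else None."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r["introduced"])
        hi = parse_version(r["fixed"]) if "fixed" in r else None
        if lo <= v and (hi is None or v < hi):
            return r
    return None


def match_sbom(sbom: dict, advisories) -> list:
    """Return findings sorted by severity; each carries the fix status for triage."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            hit = affected_range(comp["version"], adv["ranges"])
            if hit is None:
                continue
            fixed_in = hit.get("fixed")
            findings.append({
                "component": comp["name"], "version": comp["version"],
                "advisory": adv["id"], "severity": adv["severity"], "fixed_in": fixed_in,
                # No fixed version: needs a compensating control, not just a patch ticket.
                "action": "patch" if fixed_in else "mitigate_and_monitor",
            })
    findings.sort(key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM, ADVISORIES):
        print(f["severity"], f["advisory"], f["component"], f["version"],
              "fixed_in=%s" % f["fixed_in"], f["action"])
```

Two details matter in practice and are exercised here: a component already at the "fixed" version must not be flagged (the range is half-open), and a finding with no fixed version feeds the risk management file as a mitigation decision rather than the patch pipeline.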
Impact
- Obtained FDA marketing authorization and CE marking for the SaMD platform within 6 months
- Reduced risk of AI model tampering or data leakage by >90%
- Built market trust with major hospital groups and imaging centers
- Achieved an audit-ready cybersecurity posture aligned with ISO 13485 and IEC 62304
Reusability
- Security framework extended to a brain scan analysis tool for stroke prediction
- Reused architecture in a mobile lung scan triage platform for rural clinics
- Model validation and secure logging framework adapted to an oncology-focused SaMD
Conclusion
This case study demonstrates that integrating cybersecurity into the SaMD development lifecycle is not just about compliance—it is critical to product safety, user trust, and clinical adoption. Aiyanaar’s security-first strategy enabled a high-risk AI radiology product to succeed in multiple regulated markets with confidence.