Company
SOPs
Cybersecurity (Regulatory)
Cybersecurity (Technical)
Cybersecurity (Misc)
200

In which state is Innolitics incorporated as a business?

Texas

200

True or False. Once your PTO request on Gusto is approved, you don't need to also create a PTO entry on your Harvest timesheet.

False.

200

True or False. The FDA requires cybersecurity documentation for all software devices per the latest guidance.

False. It only requires them for "cyber" devices, i.e. devices to which any of the following apply:

  • Cloud communication
  • Network connection (active or not)
  • Wireless communication in any form
  • USB/serial ports/removable media
  • Software upgrades (this includes patches)

200

What is the name for tricking people into revealing information through fake emails or messages?

Phishing

200

True or False. If supported by the threat model, the FDA will sometimes allow security risks and safety risks to be assessed together.

False.

400

Our mission is to accelerate progress in the medical device industry by... (state 2 of the 3 bullet points)

  • Providing quality services to our clients
  • Creating Tools
  • Sharing Knowledge

400
How often should one-on-ones be held?

Every week or every other week.

400

True or False: In a Special 510(k) submission, the latest FDA cybersecurity guidance requires you to include cybersecurity documentation, no matter what kind of change you’re making.

False. You might be able to omit depending on the nature of the modification.

400

What type of attack involves overwhelming a system with traffic to make it unavailable?

Denial of Service

400

True or False. If a medical device has a USB port, it is automatically considered a "cyber" device.

True

600

List the exact names of at least 3 of Innolitics' services as they appear in the Notion database.

  • AI/ML Regulatory Strategy
  • Fast 510k
  • Guided 510k
  • Initial Regulatory Assessment
  • Project Based Software Dev
  • Staff Augmentation
  • End-to-end SaMD Dev
  • FDA Cybersecurity Remediation
  • Project-based Regulatory
  • QMS Implementation & Support

600

True or False. These are the standard Innolitics holidays as listed in the handbook.

  • New Years Day
  • Memorial Day
  • July Fourth
  • Labor Day
  • Veterans Day
  • Thanksgiving Day
  • Christmas Eve
  • Christmas Day

False.

Black Friday is missing and Veterans Day is not on our list (it's a floating day option).

600

Explain why the FDA doesn't like the use of probabilities when assessing security risks.

The FDA avoids using probabilities for security risks because cyberattacks involve unpredictable human actions that can’t be reliably estimated from historical data or models. They want you to use exploitability instead.

600

What’s the difference between encryption and hashing?

Answers vary.

Encryption can be decrypted back to the original data; hashing is one-way


600

In which sub-section of the eSTAR would you list your device's electronic interfaces, whether they're active or not, etc?

Cybersecurity > Interoperability


800

What is the name of our newsletter?

Medtech Insider Insights

800

What are the 3 core principles of internal communication at Innolitics?

Respectful, Timely and Proactive, Transparent

800

State all 8 of the cybersecurity control categories.

A) Authentication controls
B) Authorization controls
C) Cryptography controls
D) Code, data, and execution integrity controls
E) Confidentiality controls
F) Event detection and logging controls
G) Resiliency and recovery controls
H) Firmware and software update controls

800

What does MITM stand for? Explain it.

Man in the middle attack.

A man-in-the-middle (MITM) attack happens when an attacker secretly intercepts and possibly alters the communication between two parties who believe they’re talking directly to each other.

Example: 

A hacker sets up a fake Wi-Fi, you connect, and they intercept and read your unencrypted data.

800

Explain the multi-patient harm view.

When devices are capable of connecting (wired or wirelessly) to another medical or non-medical product, to a network, or to the Internet, there is the possibility that multiple devices can be compromised simultaneously. Because of that connectivity, if a device is compromised, the device may introduce a safety risk to patients through security risk.

We’ve generally restricted “multi-patient harm” to mean a cybersecurity incident where multiple patients are harmed “simultaneously or in rapid succession”.

A multi-patient harm view demonstrates what security controls are in place to protect against multi-patient harm. E.g., it could be a sequence diagram showing the relevant connections and the location of controls.

1000

What is the exact heading/title on the Innolitics home page hero banner?

Medical Device Software and AI Experts

1000

In the Internal Communication SOP, which exact shrug emoji is listed to express "No Idea / Ignorance"?

A. B. C.

A

1000

State at least 2 boilerplate cybersecurity deficiencies that the FDA likes to throw out in AINNs.

Inadequate use of probabilities for cybersecurity risk assessment.

Missing software support status and end-of-support dates in SBOM.

Penetration testing missing.

Missing security architecture views like multi-patient harm and security use case views.

Incomplete cybersecurity labeling.

OTS software not assessed for vulnerabilities from vulnerability DB like NIST.

Insufficient security controls in one or more of their categories.

Safety and security risks assessed together.

1000

Which is considered secure today and which is insecure: AES-GCM or AES-ECB?

AES-GCM is secure; AES-ECB is insecure because it reveals patterns in the data. Famous penguin example.


1000

Other than penetration testing, the FDA lists 3 other types of cybersecurity testing in the eSTAR. List all 3.

Cybersecurity testing includes but may not be limited to security requirement testing, threat mitigation testing, vulnerability testing, and penetration testing.
