Company
SOPs
Cybersecurity (Regulatory)
Cybersecurity (Technical)
Cybersecurity (Misc)
200
In which state is Innolitics incorporated as a business?
Texas
200
True or False. Once your PTO request on Gusto is approved, you don't need to also create a PTO entry on your Harvest timesheet.
False.
200
True or False. The FDA requires cybersecurity documentation for all software devices per the latest guidance.
False. It only requires them for "cyber" devices. If any of the following apply:
Cloud Communication
Network connection (active or not)
Wireless communication in any form
USB/serial ports/removable media
Software upgrades (this includes patches)
200
What is the name for tricking people into revealing information through fake emails or messages?
Phishing
200
True or False. If supported by the threat model, the FDA will sometimes allow security risks and safety risks to be assessed together
False.
400
Our mission is to accelerate progress in the medical device industry by... (state 2 of of the 3 bullet points)
- Providing quality services to our clients
- Creating Tools
- Sharing Knowledge
400
How often should one-one-one's be held?
Every week or every other week.
400
True or False: In a Special 510(k) submission, the latest FDA cybersecurity guidance requires you to include cybersecurity documentation, no matter what kind of change you’re making.
False. You might be able to omit depending on the nature of the modification.
400
What type of attack involves overwhelming a system with traffic to make it unavailable?
Denial of Service
400
True or False. If a medical device has a USB port, it is automatically considered a "cyber" device.
True
600
List the exact names of at least 3 of Innolitics' services as it appears in the Notion database.
AI/ML Regulatory Strategy
Fast 510k
Guided 510k
Initial Regulatory Assessment
Project Based Software Dev
Staff Augmentation
End-to-end SaMD Dev
FDA Cybersecurity Remediation
Project-based Regulatory
QMS Implementation & Support
600
True or False. These are the standard Innolitics holidays as listed in the handbook.
- New Years Day
- Memorial Day
- July Fourth
- Labor Day
- Veterans Day
- Thanksgiving Day
- Christmas Eve
- Christmas Day
False.
Black Friday is missing and Veterans Day is not on our list (it's a floating day option).
600
Explain why the FDA doesn't like the use of probabilities when assessing security risks?
The FDA avoids using probabilities for security risks because cyberattacks involve unpredictable human actions that can’t be reliably estimated from historical data or models. They want you to use exploitability instead.
600
What’s the difference between encryption and hashing?
Answers vary.
Encryption can be decrypted back to the original data; hashing is one-way
600
In which sub-section of the eSTAR would you list your device's electronic interfaces, whether they're active or not, etc?
Cybersecurity > Interoperability
800
What is the name of our newsletter?
Medtech Insider Insights
800
What are the 3 core principles of internal communication at Innolitics?
Respectful, Timely and Proactive, Transparent
800
State all 8 of the cybersecurity control categories.
A) Authentication controls:
B) Authorization controls:
C) Cryptography controls:
D) Code, data, and execution integrity controls:
E) Confidentiality controls:
F) Event detection and logging controls:
G) Resiliency and recovery controls:
H) Firmware and software update controls:
800
What does MITM stand for an explain it?
Man in the middle attack.
A man-in-the-middle (MITM) attack happens when an attacker secretly intercepts and possibly alters the communication between two parties who believe they’re talking directly to each other.
Example:
A hacker sets up a fake Wi-Fi, you connect, and they intercept and read your unencrypted data.
800
Explain the multi-patient harm view.
When devices are capable of connecting (wired or wirelessly) to another medical or non-medical product, to a network, or to the Internet, there is the possibility that multiple devices can be compromised simultaneously. Because of that connectivity, if a device is compromised, the device may introduce a safety risk to patients through security risk.
We’ve generally restricted “multi-patient harm” to mean a cybersecurity incident where multiple patients are harmed “simultaneously or in rapid succession”.
A multi-patient harm view demonstrates what security controls are in place to protect against multi-patient harm. E.g., it could be a sequence diagram showing the relevant connections and the location of controls.
1000
What is the exact heading/title on the Innolitics home page hero banner?
Medical Device Software and AI Experts
1000
In the Internal Communication SOP, which exact shrug emoji is listed to express "No Idea / Ignorance"?
A.
B.
C.
A
1000
State at least 2 boilerplate cybersecurity deficiencies that the FDA likes to throw out in AINNs.
Inadequate use of probabilities for cybersecurity risk assessment.
Missing software support status and end-of-support dates in SBOM.
Penetration testing missing.
Missing security architecture views like multi-patient harm and security use case views.
Incomplete cybersecurity labeling.
OTS software not assessed for vulnerabilities from vulnerability DB like NIST.
Insufficient security controls in one or more of their categories.
Safety and security risks assessed together
1000
Which is considered secure today and which is insecure: AES-GCM or AES-ECB?
AES-GCM is secure; AES-ECB is insecure because it reveals patterns in the data. Famous penguin example.
1000
Other than penetration testing, the FDA lists 3 other types of cybersecurity testing in the eSTAR. List all 3.
Cybersecurity testing includes but may not be limited to security requirement testing, threat mitigation testing, vulnerability testing, and penetration testing.