Service
Hospital and lab security review readiness for medical device, SaMD, and IVD startups.
What hospital and lab CISO buying centers ask for.
Enterprise buyers like Integrated Delivery Networks, Academic Medical Centers, reference laboratories, and regional health systems route every networked medical device through a security review before it touches the production network. The exact contents vary by hospital, but a typical request includes:
- HITRUST or ISO 27001 evidence, whether readiness work is in progress or certification has been issued by the appropriate body
- NIST 800-53 alignment documentation
- An MDS2 response with company-side sections prepared and device-firmware sections supplied by R&D and Engineering
- An SBOM for the device software, generated by R&D and Engineering
- A documented breach response plan
- BAAs where PHI or ePHI is involved and counsel confirms the company’s HIPAA role
- Network architecture documentation
- IAM, MFA, and access control evidence
- Incident response runbook
What Inoculis prepares.
We prepare the company-side evidence: identity and access management posture, network architecture, vendor security questionnaire response library, breach response plan, BAA inventory, security awareness training records, and the framework-readiness evidence (HITRUST, ISO 27001, SOC 2, NIST 800-53).
We coordinate with R&D, Quality, and Regulatory on the device-specific artifacts. The MDS2 is a hybrid document: company-side answers (security policies, training, network architecture) come from us; device-firmware answers (cryptography, authentication on the device, embedded software lifecycle) come from R&D and Engineering. The SBOM for device software is generated by R&D. We help organize the response, integrate it with the company-side evidence, and make the package easier to review internally before it goes to the customer.
Boundary
What this is not.
The first MDS2 response is multi-week work. Inoculis prepares company-side responses and coordinates with R&D on device-firmware sections. Later questionnaires move faster because the response library exists.
We do not author FDA premarket cybersecurity submissions. We do not generate SBOMs for device software. We do not certify the company, guarantee hospital acceptance, or guarantee that any specific customer will approve the package.
Who this page is for.
Founders 6 to 18 months before a planned hospital, lab, or health system pilot, who have not yet built the company-side evidence library and cannot name the CISOs at their next three customers.