Cybersecurity issue related to Amazon Cloud

A security company indicated the following:

… many companies received emails from Amazon indicating that their AWS S3 bucket policies were left configured as “publicly accessible”. These publicly accessible policies allow potentially sensitive cloud data exposed to cybersecurity threats, and likely are not the intention of the Amazon customers.

Amazon recommended that each “bucket” policy be reviewed as well as contents within each S3 bucket. Additionally, S3 buckets set to allow “Any Authenticated AWS User” is still effectively granting global access. Amazon’s advice is beneficial, particularly for medical device companies, and should trigger a review of not only the AWS policies and data within each bucket, but also overall software validation and cybersecurity review. AWS S3 clearly is a useful platform that medical device companies can utilize for immense scalability and reliability without the maintenance of in-house, dedicated servers. However, like any off-the-shelf software, the manufacturer should understand the potential safety risks and impact to the intended use of the medical software applications hosted on S3.

FDA has provided guidance on designing for cybersecurity and for maintaining cybersecurity in two separate guidance documents. SoftwareCPR® has particular expertise in cybersecurity and provides independent review and assessments of our clients’ security policies, procedures, secure architecture design, cyber controls, and can also provide various levels of penetration testing.

Our cybersecurity expert allows SoftwareCPR® to offer a full-service approach to assist your company with pre-market and post-market cybersecurity planning, evaluation, vulnerability and validation services. We combine extensive experience with FDA expectations for analysis and control of cyber vulnerabilities with state-of-the-art and highly sophisticated methods and experience. We can support small medical device startups to multi-national corporations, low risk to high risk and simple to complex devices. Our approach is risk-based, using risk and threat analysis early in the process to help prevent late-cycle changes that are costly.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:




Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom

Registration Link:

Register Now



Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.