Ophthalmic Devices cybersecurity.

• OCT, fundus, and slit-lamp imaging systems
• Refractive and cataract surgical lasers
• Visual-field and electrophysiology diagnostics
• AI-assisted DR / AMD / glaucoma screening
• Surgical guidance and IOL planning systems

• Device ↔ DICOM / PACS (image storage)
• Device ↔ EHR (HL7, FHIR)
• Device ↔ vendor remote support (tunnel, MFA)
• Device ↔ AI add-on module (signed artifacts)
• Device ↔ USB / removable media (controlled, logged)

Do ophthalmic devices need DICOM-specific testing?

Yes - we include DICOM service fuzzing and authorization tests when DICOM is in scope.

How do you scope a surgical-laser cyber engagement?

We focus on the control system, service interfaces, and any networked planning workflow - with safety-critical control paths exercised on staging hardware only.

What about OCT and fundus image data on the cloud?

Cloud-stored ophthalmic images are treated as PHI: encryption at rest and in transit, tenant isolation testing, and authorization checks on every read path.

Are USB and serial service interfaces in scope?

Yes - they're a common path to privileged access. We verify they're authenticated, locked down on shipped product, and documented in labeling.

How do you support a 510(k) for an OCT or imaging device?

Threat model, SBOM, security architecture views, and a pen test focused on DICOM, network, and service surfaces - all packaged for eSTAR.

Do you cover the in-clinic workstation?

When the workstation is part of the cleared system or recommended configuration, yes - OS hardening, application allowlisting, and remote-access review are typical.