
Closing the Cybersecurity Gap in Robotic Surgery: How Malkan Solutions Helped a Global MedTech Leader Get Control of Its Software Vendors

  • Writer: Kashyap Malkan
  • Nov 25
  • 6 min read
SOC 2 & Cybersecurity for Robotic Surgery | Malkan Solutions

A global medical device company specializing in robotic-assisted surgery and automation approached Malkan Solutions with a growing concern: their cybersecurity posture around third-party software vendors was not keeping pace with the complexity of their systems or the expectations of regulators and customers.

They had a world-class engineering organization, a strong quality system, and a global installed base of robotic surgical platforms. What they didn’t have was a consistent, repeatable way to evaluate, monitor, and improve the cybersecurity controls of the software vendors embedded throughout their ecosystem.

Malkan Solutions was engaged to design and execute a structured program to close this gap—anchored in SOC 2 and medical device cybersecurity expectations, and delivered within a defined budget and timeline.


The Challenge: A Big Organization, Big Risk, and Fragmented Cybersecurity Controls

The client’s environment had all the classic characteristics of a large, successful medtech company:

  • Multiple business units using different cloud and on-premise applications

  • A long list of third-party software vendors supporting everything from clinical applications to internal business systems

  • Parallel requirements from customers, regulators, and internal stakeholders (IT, Quality, Security, RA/QA)

Despite strong internal security controls, several pain points had emerged:

  • Inconsistent supplier evaluations – Different groups used different checklists, criteria, and depth of review for software vendors.

  • Limited linkage to SOC 2 and FDA expectations – Vendor assessments were not systematically mapped to SOC 2 Trust Services Criteria or FDA cybersecurity guidance for medical devices.

  • CAPA follow-up was ad-hoc – Findings from audits and assessments were documented, but remediation actions were not always tracked to closure in a structured way.

  • Audit readiness risk – Customer security reviews and external audits increasingly asked for centralized evidence of vendor cybersecurity due diligence and monitoring.

A Diverse Vendor Landscape: From Small Specialists to Global Platforms

A major complexity driver was the wide range of vendor types and maturity levels:

  • Small and niche software companies

    • Lean teams, often without formal security staff

    • Limited familiarity with SOC 2, FDA expectations, or medical device–grade cybersecurity

    • Needed education on why the client was asking detailed security questions and how their controls directly affected patient safety and regulatory risk

  • Mid-sized SaaS and infrastructure providers

    • Some security processes in place (e.g., basic controls, partial SOC reports)

    • Inconsistent coverage across SOC 2 criteria and medical device–specific needs

  • Large, global technology and platform providers

    • Mature security programs and formal attestations

    • Complex organizations where just gathering the right data required coordination across legal, security, compliance, and product teams

This variability created two distinct challenges:

  1. Education and change management for smaller vendors

    • Explaining the rationale for medical device cybersecurity expectations

    • Helping them understand terminology (e.g., SBOMs, vulnerability disclosure, secure update mechanisms)

    • Guiding them to provide usable evidence without overwhelming their limited resources

  2. Structured coordination for large enterprises

    • Identifying the right contacts across multiple departments

    • Aligning their existing SOC 2 and security documentation with the client’s specific requirements

    • Managing multiple calls and iterations simply to get complete, consistent answers

Malkan Solutions had to design a process that worked for this full spectrum—simple and educational for smaller vendors, yet rigorous and scalable enough for large, complex organizations.

Our Approach: Structured, Hands-On, and “Surgical” Execution

Malkan Solutions led the engagement end-to-end, from initial discovery through remediation and monitoring. The work was organized into clear phases, each with defined outputs and owners.

1. Building the Supplier Cybersecurity Inventory

We started by creating a single, consolidated view of all in-scope software vendors:

  • Collected existing supplier lists from purchasing, IT, security, and quality

  • Normalized naming, removed duplicates, and tagged each supplier by:

    • Business criticality

    • System type (clinical, manufacturing, internal business, infrastructure, etc.)

    • Data sensitivity and connectivity (PHI/PII, network exposure, cloud dependencies)

    • Vendor profile (small specialist, mid-sized provider, large enterprise) to anticipate the level of support and coordination required

This produced a risk-ranked vendor inventory, which became the backbone of all further work.

2. Standardizing the Supplier Cybersecurity Audit Framework

Using Malkan Solutions’ templates and the client’s existing forms, we created a standardized cybersecurity evaluation approach for software suppliers, aligned to:

  • SOC 2 Trust Services Criteria (Security, Availability, Confidentiality)

  • Medical device cybersecurity expectations, including:

    • Secure development practices

    • Vulnerability management and patching

    • SBOM (Software Bill of Materials) practices where applicable

    • Incident response and notification commitments

    • Data protection and access control measures

We tuned the framework so it could scale across vendor types:

  • A core question set required for all vendors

  • Deeper, risk-based extensions for higher-risk or more complex vendors

Deliverables included:

  • A unified Supplier Cybersecurity Evaluation Form

  • A risk-based evaluation schedule (high-risk vendors assessed more frequently and in greater depth)

  • Practical guidance for internal teams and auditors to interpret supplier responses consistently, regardless of size or cybersecurity maturity.
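The inventory step above (consolidating supplier lists from purchasing, IT and security, normalizing names, removing duplicates, tagging each supplier) and the risk-based evaluation schedule can be sketched in code. This is an added illustration, not Malkan Solutions' own tooling: the vendor names, tag values and scoring weights are constructed placeholders, and the tiers and cadences are assumptions chosen to show how a risk-ranked inventory drives assessment depth and frequency.

```python
import re
# Constructed sample supplier lists as collected from different internal owners;
# vendor names are hypothetical placeholders, not the client's real suppliers.
RAW_LISTS = {
    "purchasing": ["Acme Imaging Software, Inc.", "Beta Cloud Hosting LLC", "Delta Payroll Ltd."],
    "it": ["acme imaging software inc", "Gamma Device Analytics"],
    "security": ["Beta Cloud Hosting", "GAMMA Device Analytics Corp"],
}
# Constructed tags per normalized name, along the four tagging axes the page lists:
# business criticality, system type, data sensitivity/connectivity, vendor profile.
TAGS = {
    "acme imaging software": dict(criticality="high", system="clinical", data="phi", connected=True, profile="small"),
    "beta cloud hosting": dict(criticality="high", system="infrastructure", data="pii", connected=True, profile="large"),
    "gamma device analytics": dict(criticality="medium", system="clinical", data="phi", connected=True, profile="mid"),
    "delta payroll": dict(criticality="low", system="internal", data="pii", connected=False, profile="mid"),
}
LEGAL_SUFFIXES = re.compile(r"\b(inc|llc|ltd|corp|corporation|gmbh)\b")

def normalize_name(name):
    """Lowercase, drop punctuation and legal-entity suffixes, collapse whitespace."""
    n = LEGAL_SUFFIXES.sub(" ", re.sub(r"[^\w\s]", " ", name.lower()))
    return " ".join(n.split())

def consolidate(raw_lists):
    # Merge per-source lists into one de-duplicated map: normalized name -> set of sources.
    merged = {}
    for source, names in raw_lists.items():
        for name in names:
            merged.setdefault(normalize_name(name), set()).add(source)
    return merged

# Assumed, illustrative weights; a real program calibrates these with Quality and Security.
CRIT, DATA = {"high": 3, "medium": 2, "low": 1}, {"phi": 3, "pii": 2, "none": 0}

def risk_score(tags):
    score = CRIT[tags["criticality"]] + DATA[tags["data"]]
    score += 2 if tags["system"] in ("clinical", "manufacturing") else 0  # patient-facing systems
    return score + (1 if tags["connected"] else 0)                          # network exposure

def evaluation_tier(score):
    """Risk-based schedule: higher-risk vendors assessed more often and in greater depth."""
    if score >= 8: return ("high", "annual", "core + extended question set")
    if score >= 5: return ("medium", "every 2 years", "core + selected extensions")
    return ("low", "every 3 years", "core question set")

def build_inventory(raw_lists, tags):
    """Rows sorted by descending risk: (name, score, tier, cadence, depth, sources)."""
    rows = []
    for name, sources in consolidate(raw_lists).items():
        score = risk_score(tags[name])
        rows.append((name, score, *evaluation_tier(score), sorted(sources)))
    return sorted(rows, key=lambda r: -r[1])
```

The `sources` column records which internal owner listed each supplier, which is the evidence trail auditors later ask for when checking that the inventory is complete.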

3. Executing Supplier Audits and Assessments

Working closely with the client’s supplier quality and security teams, we:

  • Conducted document-based assessments and remote audits using the standardized framework

  • Reviewed existing SOC 2 reports, penetration test summaries, and internal security documentation from vendors

  • Identified gaps against both:

    • SOC 2 expectations (e.g., logging, access control, change management), and

    • Medical device cybersecurity needs (e.g., patch timelines for fielded devices, secure update mechanisms, vulnerability disclosure processes)

For smaller vendors, this often meant hands-on guidance and education about what “good” looks like in a medical device context. For large vendors, it meant coordination with multiple stakeholders to obtain complete and consistent information.

Each audit resulted in a clear, prioritized set of findings linked to specific control requirements.

4. CAPA Management and Remediation Follow-Up

Malkan Solutions then translated those findings into a structured Corrective and Preventive Action (CAPA) program:

  • Created CAPA records for each significant finding, with:

    • Defined owners (either internal or vendor)

    • Due dates and milestones

    • Objective acceptance criteria

  • Designed simple tracking dashboards so the client’s teams could monitor CAPA status at a glance

  • Supported technical discussions with vendors to define practical remediation steps, tailored to:

    • The vendor’s size and resourcing

    • The risk level of the application and data involved

This shifted vendor cybersecurity from “point-in-time audit reports” to ongoing, measurable improvement across a very diverse vendor base.

5. Documentation and Audit-Ready Evidence

To ensure the program would stand up under scrutiny from customers, auditors, and regulators, we:

  • Updated and/or created:

    • Supplier management procedures

    • Cybersecurity evaluation work instructions

    • Evidence logs for supplier assessments and CAPA closure

  • Aligned documentation with the client’s existing QMS and information security management structures, so the new process fit naturally into their governance system.

The result: when auditors asked “How do you manage cybersecurity risk in your software supply chain?” the client could answer with a clear process, metrics, and documented evidence—not ad-hoc explanations.

Results: A Stronger Cybersecurity Posture Without Blowing the Budget

Within the agreed timeline and budget, the client achieved:

  • Centralized visibility into software suppliers and their cybersecurity posture

  • Standardized, repeatable evaluations aligned to SOC 2 and medical device cybersecurity expectations, flexible enough for both small and large vendors

  • Documented CAPA closures for key findings, reducing both regulatory and business risk

  • Improved audit readiness, with clear evidence trails for supplier due diligence and remediation

  • A sustainable process, owned by internal teams and supported by practical tools and templates—not dependent on ongoing heavy consulting support

Most importantly, the organization gained a deeper, practical understanding of where its real cybersecurity risks were in the software supply chain and how to manage them systematically, even across vendors with very different levels of cybersecurity and medical device knowledge.

Why This Matters for Medical Device and Robotic Surgery Companies

As medical device and robotic surgery systems become more software-driven and more connected, the cybersecurity posture of third-party software vendors is a direct extension of the device manufacturer’s own risk profile.

Large organizations often have:

  • Sophisticated internal security teams

  • Complex QMS and regulatory obligations

  • Dozens or hundreds of critical software suppliers of very different sizes and maturity levels

Without a structured, well-governed approach to vendor cybersecurity that can adapt to this diversity, even strong organizations can be exposed.

Malkan Solutions combines:

  • Deep understanding of medical device and healthcare regulatory realities

  • Hands-on SOC 2 and cybersecurity experience

  • Practical, “surgical” execution—turning intent into concrete plans, CAPAs, and completed work, all within realistic budget constraints.


This case study shows that with the right approach, even a large, distributed organization can bring order, visibility, and control to its software vendor cybersecurity landscape—without slowing innovation or over-burdening internal teams, regardless of whether the vendor is a 10-person specialist or a global technology giant.



© 2024 by Malkan Solutions LLC. Do not reproduce without written permission
