Since November 2017, Mayo Clinic has included CENSUS in its list of recommended External Assessors for conducting vulnerability assessments of medical devices prior to purchase and installation in the Clinic's environment. Mayo Clinic gives device vendors the option of having a device assessed either by the internal Clinical Information Security team or by an External Assessor, following a specific process.
According to Mayo Clinic's supplier policy:
"Prior to the purchase and installation of medical devices in Mayo Clinic's environment, an evaluation is performed to assess the risk and understand appropriate mitigation, to ensure that products will function to ensure cyberattacks do not pose a threat to patient safety or security."
In the "Medical Device Vendor Instructions" document, and specifically the "Vulnerability Assessment Book.pdf" sub-document (local copy available here), Mayo Clinic states that:
"It is understood that one particularly difficult and vital point [...] is the engagement of excellent professionals with all the necessary capabilities. Assessors with this specific combination of skills and that have the level of experience and creativity to simulate the capabilities of the most advanced threats are known to be hard to find. For this reason, it is hereby provided a list of consultancy firms that Clinical Information Security understands as possessing the desired skillset for this kind of vulnerability assessment."
CENSUS offers threat modeling, device assessment and consulting services to device vendors worldwide, so that they may meet regulatory (e.g. FDA) or other market requirements. Assessment services may be offered as standalone services or as part of the Secure SDLC offering that enables vendors to ship timely product releases meeting high security standards.