RankShieldMD
MEDICAL DEVICE & IoMT SECURITY

Contain the device you can't patch.

A hospital runs on devices that outlive their patches. You can't fix all of them. So you contain them — and prove the risk that remains is acceptable.

Medical device and IoMT security is how you keep a connected clinical fleet safe when many of its devices cannot be patched. RankShieldMD gives each device a verifiable posture, wraps the unpatchable ones in compensating controls like segmentation, and seals the containment as evidence you can prove — feeding the residual-risk dossier your FDA obligations rest on.

01 // THE UNPATCHABLE DEVICE

Legacy on the care network.

An imaging console runs an operating system its maker stopped patching years ago. An infusion pump can't take an update without re-validation. Building controls and lab analyzers sit on the same network as patient monitors. You can't rip them out and you can't always fix them — but each one is reachable. The security question stops being "how do we patch this?" and becomes "how do we make the flaw unreachable, and prove it?"

02 // COMPENSATING CONTROLS

Change what can reach it.

The FDA recognizes compensating controls — safeguards applied in lieu of a manufacturer fix that bring the risk of patient harm to an acceptable level, explicitly including network segmentation. You don't remove the flaw; you isolate the device so only approved systems can reach it, and the flaw can no longer be exploited. RankShieldMD verifies that the intended segmentation is actually in force and seals it as evidence — so containment is proven, not just planned.

03 // THE RESIDUAL-RISK DOSSIER

Why the risk is acceptable.

Containing a device is only half the job — you have to show the risk that remains is acceptable. RankShieldMD structures a residual-risk dossier against ISO 14971: for each hazard, the control applied, and the risk before and after that control. It assembles from live posture and containment state, so the dossier reflects what is actually in force — the artifact that turns "we segmented it" into a defensible record.

04 // POSTURE + CONTAINMENT

Every device, a known state.

Each device carries a verifiable posture — patched, contained, or under review — and every change of state is sealed to the ledger. When a device can't be fixed, it moves to contained: held behind its segment, its exposure bounded, its residual risk documented. The state is externally anchored and post-quantum signed, so an auditor, an FDA reviewer, or your own CISO can verify the fleet's posture without trusting us.

05 // GET STARTED

Prove the fleet is contained.

Register your fleet, define the controls for the devices you can't patch, and let RankShieldMD verify posture and seal containment as PHI-free evidence. Verifiable, ISO-14971-structured, non-device.

WHAT IT IS

What is medical device (IoMT) security?

Medical device and IoMT security is the practice of keeping connected clinical and operational-technology devices safe when many of them cannot be patched — by giving each device a verifiable posture, containing the ones that cannot be fixed, and producing the evidence that the risk which remains is acceptable. A modern hospital runs on a sprawling fleet: infusion pumps, imaging consoles, patient monitors, lab analyzers, and the operational-technology systems — building controls, environmental sensors — that share the same care network. Many of these devices were certified years ago on software their manufacturers no longer patch, and many cannot take an update without clinical re-validation. Traditional security assumes you can fix what is broken; in a clinical fleet, that assumption fails constantly. The discipline therefore shifts from patching to containment: making a known flaw unreachable rather than eliminating it, and then documenting the residual risk honestly. Two principles govern how RankShieldMD does this, and we hold to both: contain, don't clinically touch — RankShieldMD sits beside the fleet and never alters how a device treats a patient — and prove without exposing, so verification of a device's containment never requires revealing protected health information. The result is a fleet where every device has a known, verifiable state, and every unpatchable device has a defensible reason it is safe to keep running.

How do you secure a medical device you can't patch?

You stop trying to fix the device and start changing what can reach it. When a manufacturer patch is unavailable, delayed, or unsafe to apply without re-validation, the flaw itself may be permanent — but its reachability is not. The established answer is to apply a compensating control: a safeguard that brings the risk of patient harm to an acceptable level in lieu of a fix. The most common one is network segmentation, isolating the vulnerable device onto a restricted zone so that only approved systems can communicate with it. A flaw that can only be triggered by an attacker who can reach the device becomes far less dangerous once nothing untrusted can reach it. RankShieldMD operationalizes this in three moves. First, it establishes each device's posture, so you know which devices are unpatched and reachable. Second, it verifies that the intended segmentation is actually in force for a given device — the gap between a segmentation plan on paper and segmentation working in reality is where breaches happen, and RankShieldMD closes it by confirming and sealing the live state. Third, it records the residual risk that remains after the control, so the containment is not just applied but justified. The device keeps running, its exposure is bounded, and there is verifiable evidence that the boundary holds. Containment becomes something you can prove to an auditor, not something you assert on a slide.
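The "segmentation on paper versus segmentation in force" check described above, as an added example that is not RankShieldMD code: an intended-segmentation policy is compared against observed flow records, and the device's posture is derived from the result. The policy layout, device name, addresses, ports and flow records are constructed assumptions.

```python
"""Verify that a device's intended segmentation is actually in force.
Added example, not RankShieldMD code: the policy layout, device name, addresses,
ports and flow records are constructed; real flows would come from a firewall
or NetFlow export."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port

# Constructed intended-segmentation policy: a contained device may be reached
# only from the listed peer networks, and only on the listed ports.
POLICY = {
    "imaging-console-01": {
        "address": "10.20.5.10",
        "allowed_peers": ["10.20.1.0/24"],  # radiology/PACS zone (constructed)
        "allowed_ports": {104, 11112},      # DICOM listeners (constructed)
    },
}

def violations(device: str, flows: list[Flow]) -> list[Flow]:
    """Return every observed flow to `device` that the policy does not permit."""
    rule = POLICY[device]
    bad = []
    for f in flows:
        if f.dst != rule["address"]:
            continue  # traffic to some other host is not this device's concern
        peer_ok = any(ip_address(f.src) in ip_network(n) for n in rule["allowed_peers"])
        if not (peer_ok and f.dport in rule["allowed_ports"]):
            bad.append(f)
    return bad

def posture(device: str, flows: list[Flow]) -> str:
    """'contained' only when no observed flow crosses the intended boundary."""
    return "contained" if not violations(device, flows) else "under review"

# Constructed sample: two permitted DICOM flows, one reach from an address outside
# the radiology zone that the segmentation plan says should be impossible, and one
# flow that is not addressed to the console at all.
SAMPLE_FLOWS = [
    Flow("10.20.1.25", "10.20.5.10", 104),
    Flow("10.20.1.30", "10.20.5.10", 11112),
    Flow("10.99.0.7", "10.20.5.10", 445),
    Flow("10.20.1.25", "10.20.7.1", 443),
]

if __name__ == "__main__":
    for f in violations("imaging-console-01", SAMPLE_FLOWS):
        print(f"boundary breached: {f.src} -> {f.dst}:{f.dport}")
    print("posture:", posture("imaging-console-01", SAMPLE_FLOWS))
```

A single flow from outside the allowed zone is enough to demote the device from "contained" to "under review", which is the gap between the plan and reality the paragraph describes.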

What is an FDA compensating control?

A compensating control is a safeguard applied in place of a manufacturer fix that brings the risk of patient harm to an acceptable level. The FDA explicitly recognizes compensating controls, and names safeguards such as network segmentation among them, precisely because the agency understands the clinical reality: many fielded devices cannot be patched on the timeline a vulnerability demands, and pulling them from service can itself endanger patients. A compensating control does not pretend the underlying flaw is gone. Instead, it makes the flaw unreachable or non-exploitable and then treats the risk that remains as a documented, accepted quantity rather than an unknown. Segmentation is the archetype: isolate the device so the vulnerable pathway can no longer be reached by anything untrusted, and the practical risk drops even though the code is unchanged. Other controls in the same family include tightened access, monitoring, and restricting the device's own outbound connectivity. The essential discipline is that a compensating control is only meaningful if it is actually in force and if the residual risk is written down. This is where RankShieldMD contributes: it verifies that the compensating control a hospital or manufacturer intended is genuinely operating for the specific device, and it seals that verification as tamper-evident evidence. The FDA recognizes the control; RankShieldMD makes its operation provable. We are careful to state that clearly — the recognition of compensating controls is the agency's, and our role is to make a given control verifiable, not to redefine what the FDA accepts.

What is a residual-risk dossier and what goes in it?

A residual-risk dossier is the record that shows, for each hazard a device presents, what control was applied and what risk remains after that control. It is the document that answers the only question that ultimately matters once a device cannot be patched: why is it acceptable to keep this device running? RankShieldMD structures the dossier against ISO 14971, the international standard for medical-device risk management, so it follows a shape reviewers already recognize: the identified hazard, the initial risk before any control, the compensating control applied — segmentation, for example — and the residual risk that remains once that control is in force. The before-and-after framing is the heart of it. A control that is claimed but not verified proves nothing; a residual risk that is asserted but not documented is not a risk assessment, it is a hope. RankShieldMD assembles the dossier from live posture and containment state rather than a static spreadsheet, so the record reflects what is actually true of the fleet at the time it is read, and every entry is backed by sealed, verifiable evidence that the stated control is genuinely operating. The dossier turns a scattered set of "we segmented that one" claims into a coherent, defensible artifact — the thing you hand to an auditor, an FDA reviewer, or your own risk committee to show that the fleet's residual risk has been identified, controlled, and accepted deliberately rather than by default.

How does this support FDA §524B postmarket obligations?

Section 524B reframed medical-device cybersecurity as an ongoing, postmarket responsibility rather than a one-time hurdle cleared at launch. A device is not "secure" the day it ships and forever after; the obligation is continuous, covering vulnerability monitoring, disclosure, and the ability to keep a fielded device reasonably safe as new threats emerge over its service life. That continuous framing is exactly where an unpatchable-but-contained fleet lives, and it is where RankShieldMD's evidence is designed to help. Device posture tracked over time gives you the monitoring record §524B expects. Containment state for the devices that cannot be patched shows how each residual exposure is being managed rather than ignored. Residual-risk dossiers, structured against ISO 14971, give you the risk-management documentation that a postmarket program rests on. Together these produce the ongoing, verifiable trail that demonstrates a device fleet is being watched and managed after clearance, not just at it. We are deliberately precise about the boundary of that claim. RankShieldMD supports §524B obligations by producing the integrity and containment evidence those obligations rely on; it is not itself an FDA clearance, it makes no legal determination that any organization is compliant, and it never makes a medical claim about a device. Compliance is your organization's overall posture and process. What RankShieldMD adds is the layer that makes your postmarket security posture provable — verifiable evidence, externally anchored and post-quantum signed, that supports the specific requirements §524B sets, without ever touching a device's clinical function or a patient's data.

HONEST BY DESIGN

What we are careful never to claim.

We didn't invent containment

Segmentation, compensating controls, and ISO 14971 risk management are established practice, and the FDA's recognition of compensating controls is public guidance. RankShieldMD ships the verifiable implementation — not the invention of the concepts.

It supports, it doesn't certify

It produces evidence that supports §524B and risk-management obligations. It is not an FDA clearance, it makes no legal compliance determination, and it never makes a medical claim.

It never sees PHI

It works with device posture and containment metadata and seals digests. Raw patient data is rejected at the guard. The ledger is useless to anyone who steals it — there's no protected data inside.

Answer engine

Ask RankShieldMD about medical device security.

What is medical device (IoMT) security?

It is the practice of keeping connected clinical and operational-technology devices — infusion pumps, imaging systems, patient monitors, lab analyzers, building controls on the care network — safe when many of them cannot be patched. RankShieldMD gives each device a verifiable posture, contains the ones that cannot be fixed, and produces the evidence a hospital or manufacturer needs to show the residual risk is acceptable.

How do you secure a device you cannot patch?

You do not fix the device; you change what can reach it. When a manufacturer patch is unavailable or unsafe to apply, you wrap the device in compensating controls — most often network segmentation that limits what can talk to it — so an unpatched flaw can no longer be reached and exploited. RankShieldMD makes that containment verifiable and produces the evidence that the residual risk of patient harm has been brought to an acceptable level.

What is an FDA compensating control?

A compensating control is a safeguard applied in lieu of a manufacturer fix that brings the risk of patient harm to an acceptable level. The FDA explicitly recognizes safeguards such as network segmentation as compensating controls. They do not remove the underlying flaw; they make it unreachable or non-exploitable, and the residual risk is documented rather than assumed away.

Is network segmentation a recognized compensating control?

Yes. Segmentation — isolating a vulnerable device onto a restricted network zone so only approved systems can reach it — is one of the safeguards the FDA names when a device cannot be patched. RankShieldMD verifies that the intended segmentation is actually in force for a given device and seals that state as evidence, so the control is proven rather than merely planned.

What is a residual-risk dossier?

It is the record that shows, for each hazard a device presents, what control was applied and what risk remains after that control. RankShieldMD structures it against ISO 14971, the medical-device risk-management standard: hazard, the compensating control, and the risk before and after the control. It is the artifact that turns "we segmented it" into "here is why the residual risk is acceptable."

What goes into a residual-risk dossier?

For each device or hazard: the identified hazard, the initial risk, the compensating control applied (for example segmentation), verifiable evidence that the control is in force, and the residual risk after the control — all framed in the ISO 14971 hazard-control-risk structure. RankShieldMD assembles this from live posture and containment state so the dossier reflects reality, not a point-in-time spreadsheet.

How does this support FDA §524B postmarket obligations?

Section 524B makes cybersecurity a postmarket responsibility, not just a launch checkbox. The evidence RankShieldMD produces — device posture over time, containment state for unpatchable devices, and residual-risk dossiers — feeds the ongoing monitoring and vulnerability-management duties §524B expects. It supports those obligations; it is not itself a clearance or a legal determination.

Does RankShieldMD make our devices FDA compliant?

No software does. Compliance is your organization’s overall posture and process. RankShieldMD produces verifiable evidence that supports specific obligations — compensating-control containment, residual-risk documentation, postmarket monitoring — but it never makes a device compliant on its own, and we never claim it does.

Is RankShieldMD itself a medical device?

No. It is security and evidence tooling that sits beside the clinical fleet, not inside any device’s clinical function. It observes posture, verifies containment, and seals evidence; it never renders a diagnosis, drives therapy, or alters how a device treats a patient. That boundary keeps it non-device and keeps clinical function with the devices built for it.

Does it see protected health information?

No. It is PHI-free by construction. It works with device posture and containment metadata and seals digests to the ledger; raw patient data is rejected at the guard and never enters the record. Adopting it shrinks your PHI footprint rather than growing it.

How is the containment evidence trustworthy?

Every posture and containment record is sealed to an externally-anchored, post-quantum-signed transparency log. Anyone holding the evidence package can recompute the hash chain and confirm the signed root with standard tools — without access to your systems and without trusting RankShieldMD. Containment becomes provable, not just asserted.
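The ISO 14971-shaped dossier entry described in the residual-risk answers above and the hash-chain recomputation described in this answer, as one added example that is not RankShieldMD code: a before/after risk entry with its evidence digest, a canonical digest of the entry, sealing into a hash chain, and recomputation of the chain against a published root. The severity and probability scales, the acceptance threshold and the chain layout are assumptions; verification of the signature on the root is not shown.

```python
"""ISO 14971-shaped residual-risk entries sealed to a hash chain. Added example,
not RankShieldMD code: entry layout, 1-5 severity/probability scales, acceptance
threshold and chain layout are constructed; root signature checks are not shown."""
import hashlib
import json
from dataclasses import dataclass, asdict

ACCEPTABLE_RISK = 6  # constructed threshold on severity * probability (1-25)

@dataclass(frozen=True)
class DossierEntry:
    device: str
    hazard: str
    initial_severity: int        # risk before any control
    initial_probability: int
    control: str                 # compensating control applied
    residual_severity: int       # risk with the control in force
    residual_probability: int
    evidence_digest: str         # digest of the sealed containment check

    def initial_risk(self) -> int:
        return self.initial_severity * self.initial_probability

    def residual_risk(self) -> int:
        return self.residual_severity * self.residual_probability

    def acceptable(self) -> bool:
        # An unverified control proves nothing: no evidence, no acceptance.
        return bool(self.evidence_digest) and self.residual_risk() <= ACCEPTABLE_RISK

def entry_digest(entry: DossierEntry) -> str:
    canon = json.dumps(asdict(entry), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def seal(chain: list[str], entry: DossierEntry) -> str:
    """Append entry to the chain; each head commits to the previous head."""
    prev = chain[-1] if chain else "0" * 64
    head = hashlib.sha256((prev + entry_digest(entry)).encode()).hexdigest()
    chain.append(head)
    return head

def verify(entries: list[DossierEntry], root: str) -> bool:
    """Recompute the chain from the entries and compare with the published root."""
    rebuilt: list[str] = []
    for e in entries:
        seal(rebuilt, e)
    return bool(rebuilt) and rebuilt[-1] == root

# Constructed sample: unpatched imaging console contained by segmentation.
SAMPLE = DossierEntry("imaging-console-01", "remote exploitation of unpatched OS",
                      5, 4, "network segmentation to radiology zone", 5, 1,
                      hashlib.sha256(b"constructed containment check").hexdigest())
```

Anyone holding the entries and the root can rerun `verify` with nothing but the standard library; altering any field of any entry, including the evidence digest, changes every head after it and the recomputed root no longer matches.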

Did RankShieldMD invent verifiable device containment?

No. Segmentation, compensating controls, and ISO 14971 risk management are established practice, and the FDA’s recognition of compensating controls is public guidance. RankShieldMD ships the commercial, externally-anchored, post-quantum implementation that makes the containment and its residual-risk record verifiable. We never claim we invented the concepts.

What does it take to adopt?

Register the fleet you care about, define the intended segmentation and controls for devices that cannot be patched, and let RankShieldMD verify posture and seal containment state as PHI-free evidence. You get residual-risk dossiers with a verify recipe your auditors or the FDA can run. It runs on the same RankShieldMD fabric as decision provenance and PHI-free audit — one verifiable platform, not a bolt-on.

Turn "we segmented it" into "here is the proof."

Register your fleet, contain what you can't patch, and hand your auditor a residual-risk dossier they can verify.