Security Notification
End-of-Support (EoS) Notification for OpenSSL Software Components
Effective Date: Nov 25, 2025
Product: Geniant Cranial
Component: OpenSSL 1.1.1u / 3.1.0
1. Overview
Koh Young Technology is issuing this Cybersecurity Software Component End-of-Support (EoS) Notification to inform all customers and partners that specific versions of the OpenSSL library—used within the Geniant Cranial product for secure communication—have officially reached End-of-Support (EoS) status as declared by the OpenSSL Project:
- OpenSSL 1.1.1u – End of Support: September 11, 2023
- OpenSSL 3.1.0 – End of Support: March 14, 2025
These libraries are utilized by Geniant Cranial software to support TLS communication and digital certificate generation for secure PACS (Picture Archiving and Communication System) integration.
2. Affected Scope
- Product: Geniant Cranial
- Functionality: TLS encryption and certificate generation for PACS integration
- Impacted Components:
  - tls_client module (TLS handshake layer)
  - cert_generator module (certificate issuance: CA-based or self-signed)
- Deployment Context:
  - Deployed within secure, hospital-managed internal networks
  - Systems are not designed to operate on or expose interfaces to public internet networks
While these elements continue to function as designed, upstream support and future patching for OpenSSL 1.1.1u and 3.1.0 have ended.
3. Risk Assessment
Based on Koh Young Technology’s internal cybersecurity risk assessment and continued monitoring of public vulnerability databases:
- Current exposure is assessed as low due to strict internal network segregation
- TLS functionality is confined to PACS-specific traffic within secured environments
- No active CVEs from the OpenSSL project or CISA KEV affecting these versions have been identified (as of July 2025)
- The long-term risk of exploitability is expected to increase as upstream maintenance has ceased
Residual Risk Level: Controlled
Although direct exposure is currently mitigated, Koh Young emphasizes the importance of proactive disclosure in compliance with FDA and international medical cybersecurity best practices.
4. Recommended Actions
At the time of this notice, Koh Young is actively reviewing and validating future software versions that will incorporate a long-term supported OpenSSL release. The official release plan will be shared in a future bulletin.
We recommend customers:
- Confirm that deployed Geniant Cranial systems are operating only within internal hospital networks — without external or public internet exposure
- Use short-term validity certificates (e.g., valid for 1 year) when issuing self-signed certificates
- Maintain network firewall isolation between PACS interfaces and broader digital infrastructure
- Perform routine cybersecurity reviews of device perimeter configurations
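One way to audit the short-validity recommendation above, as an added example that is not Koh Young's code or part of Geniant Cranial: it flags self-signed PEM certificates whose validity period exceeds one year. It assumes the certificates are available as PEM files on a workstation with the openssl CLI and GNU date; the function names and the 366-day threshold are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: audit PEM certificates against a maximum validity period.
# Assumes the openssl CLI and GNU date; names and threshold are illustrative.
MAX_DAYS="${MAX_DAYS:-366}"   # "1 year", allowing for a leap year (assumption)

# Print the validity period of a PEM certificate in whole days.
cert_validity_days() {
  local start end
  start=$(openssl x509 -in "$1" -noout -startdate) || return 2
  end=$(openssl x509 -in "$1" -noout -enddate) || return 2
  start=$(date -u -d "${start#notBefore=}" +%s) || return 2
  end=$(date -u -d "${end#notAfter=}" +%s) || return 2
  echo $(( (end - start) / 86400 ))
}

# Succeed when subject and issuer names match (self-issued certificate).
cert_is_self_signed() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Report one certificate; return 1 if it is self-signed and too long-lived.
audit_cert() {
  local days kind=ca-issued
  days=$(cert_validity_days "$1") || { echo "ERROR unreadable: $1"; return 2; }
  cert_is_self_signed "$1" && kind=self-signed
  if [ "$kind" = self-signed ] && [ "$days" -gt "$MAX_DAYS" ]; then
    echo "FAIL $1: $kind, valid $days days (max $MAX_DAYS)"; return 1
  fi
  echo "OK   $1: $kind, valid $days days"
}

# Constructed sample input: a throwaway self-signed certificate for testing.
make_constructed_cert() {   # usage: make_constructed_cert DAYS OUTFILE
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -sha256 \
    -subj "/CN=constructed-sample.invalid" \
    -keyout "$2.key" -out "$2" 2>/dev/null && rm -f "$2.key"
}

# Audit every certificate file given on the command line.
for f in "$@"; do audit_cert "$f"; done
```
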
5. Koh Young Support & Next Steps
- Koh Young will continue to provide best-effort technical support to address OpenSSL-related questions in Geniant Cranial systems until an updated version is made available
- Koh Young cannot guarantee the release of any patches for OpenSSL 1.1.1u or 3.1.0 under the current codebase
- Upon release of a validated, upgraded version, related SBOM files and installation guidance will be provided
6. Contact
For technical assistance, upgrade planning, or security communications:
- Email: productsecurity@kohyoung.com
- Phone: +1-858-500-5670
- Security Portal: https://kohyoung.com/en/about-pss/
7. References
- OpenSSL End-of-Life and Support Policy: https://www.openssl.org/policies/releasestrat.html
- U.S. FDA Final Guidance on Cybersecurity in Medical Devices (June 2025)
- IEC 81001-5-1:2022 – Health Software and Health IT – Security Activities in the Product Lifecycle
- NIST SP 800-218 – Secure Software Development Framework (SSDF)