    Episode 23 · June 24, 2025 · 30m listen · 5,637 words · ~28 min read

    Cybersecurity Labeling and MedTech Transparency | Ep. 25 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 23 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery delve into the concept of cybersecurity labeling for medical devices. They define labeling as the crucial information that manufacturers provide to users, such as healthcare delivery organizations (HDOs) and patients, regarding the security posture of a device. The primary goal of this practice is to foster transparency, enabling consumers to understand the inherent risks of using a product and the steps they can take to mitigate them. This transparency also serves as a mechanism to hold manufacturers accountable, incentivizing them to design more secure products from the start, a concept they refer to as 'security through transparency' versus the outdated 'security through obscurity'.

    The hosts discuss the practical application of labeling through standardized documentation, highlighting two key forms: the MDS2 (Manufacturer Disclosure Statement for Medical Device Security) and the JSP2 (Joint Security Plan). The MDS2 is a comprehensive questionnaire that details a device's security capabilities, such as the types of encryption and authentication used. The JSP2, or more specifically its customer security documentation, focuses on providing users with best practices, configuration instructions, and other guidance to securely integrate and operate the device within their own environments, like a hospital network. They advocate for a hybrid approach that combines both forms to satisfy regulatory requirements and meet the stringent demands of healthcare organizations, which are often more rigorous than the FDA's baseline.

    A significant portion of the discussion is dedicated to addressing common misconceptions and challenges. One major concern is that disclosing security details could make a device a target for hackers. The hosts counter this by arguing that a well-secured device should be able to withstand such scrutiny, and that the act of disclosure itself drives better security design. Another challenge identified is the lack of detailed internal documentation within manufacturing organizations, sometimes referred to as 'vibe coding,' where developers build systems without rigorously documenting their design choices. This makes it difficult to accurately complete labeling forms later, forcing a retroactive and often challenging documentation process. They conclude that the level of detail and the context of the information are paramount, as the needs of a home-use patient differ significantly from those of a hospital IT administrator.

    Key takeaways from this episode

    • Cybersecurity labeling is the act of providing transparent information to users about a medical device's security features, risks, and recommended best practices.
    • The primary purpose of labeling is to empower consumers (hospitals and patients) to make informed purchasing and usage decisions, while also holding manufacturers accountable for product security.
    • Standardized forms, such as the MDS2 and JSP2, are key tools for structuring and communicating this security information effectively.
    • Effective labeling promotes 'security through transparency,' countering the outdated and ineffective notion of 'security through obscurity.'
    • A common challenge for manufacturers is poor internal documentation from the development process, which makes accurately completing detailed labeling forms difficult.
    • The required level of detail for labeling varies depending on the audience, from simple guidance for end-users to detailed technical specifications for hospital IT staff.
    • Disclosing the use of outdated security measures (like old encryption) is necessary for transparency and effectively acts as a control by discouraging the purchase of insecure products.
    • While the FDA sets a minimum standard for labeling, healthcare organizations (HDOs) often have much stricter requirements that manufacturers must meet to sell their products.

    Full episode transcript

    Christian: Hi, welcome back to another episode of the Med Device Cyber Podcast. Today we're going to be talking about a complex, but yet simple concept. It's called labeling. Specifically, we're talking about cybersecurity labeling. And we're going to hit some of the main points about labeling: what is it, some of the common misconceptions, how a manufacturer should be doing labeling. We'll also hit at the MDS2, which is a common form people have questions about. So, that's the objective of today's podcast. I'm your host Christian Espinosa. I'm coming to you from Florida today, I got stuck here for a couple days, so I've got a portable setup and I've got Trevor here. I don't know where Trevor is today, actually, where are you today Trevor? You got like those weird wooden background things.

    Trevor: Yeah, I'm in Arizona for today. Off to California tomorrow.

    Christian: All right. Awesome. Cool, so, as far as a definition of labeling goes, what would you... or how would you describe labeling, Trevor?

    Trevor: So, labeling is the information that a manufacturer or a MedTech innovator needs to portray to users and patients. This is essentially going to be, under the cybersecurity context, what risk are they taking on by using the product? And how can they work to mitigate that risk? And then just as well, generally, any information about the product from a cybersecurity or software perspective that would be helpful for users to know.

    Christian: So this is in the act of transparency, because the FDA is pretty big on transparency. So we're trying to make the risk transparent to somebody purchasing one of these medical devices. Is that a fair...

    Trevor: Exactly. We're looking at, you know, you're gonna want to know if you're buying a car if it tends to be in a lot of accidents because there are a lot of broken parts. You want to know if you're buying a phone. Like, do you remember when the Samsung phones were exploding for a while?

    Christian: Yes. I think it was just the iPhone versions though, wasn't it or something?

    Trevor: No, the Samsung Note something, the batteries would puff up and explode.

    Christian: Oh.

    Trevor: So you'd want to know if you're buying a phone with one of those batteries. There might have been other phones, but anyway. So you want to be aware of what's going on in the product that you buy. This is just an effort to try to portray that risk, and it's also a way to keep manufacturers accountable. So if they have to disclose any risk present in the system, they're obviously going to want that risk to be minimal; otherwise they're likely not going to be purchased due to the fact that they impose a very high risk to the user or to the patient. So it's that twofold area of making sure that users and customers are well informed and they know what's going on in their product, and keeping manufacturers accountable and making sure that they do their best to disclose minimal risk, since they shouldn't have very much risk.

    Christian: So it's really to help the consumer of the medical device, which is typically a healthcare delivery organization, make an informed decision. If they're comparing two different products and they have a specific risk appetite, they have a little more transparency into the risk associated, from a cybersecurity lens, with either device.

    Trevor: Exactly. Good cybersecurity labeling is also going to contain instructions on best practices for use, integrating it into an existing hospital network, any optional configurations that may be security relevant and when you should use them. So good cybersecurity labeling is not only conveying potential problems but saying, here is a way to fix those problems. Here's how you make sure that you're setting up this product safely. So good cybersecurity labeling is going to cover all of these different areas.

    Christian: Yeah, and how does the MDS2 fit into that labeling?

    Trevor: It's a good idea to take a bit of a standardized approach when it comes to cybersecurity labeling, and an MDS2 is part of that. So that stands for Manufacturer Disclosure Statement for Medical Device Security. And what that is, essentially, is a questionnaire. I think it's about 180 line items, and it's different questions about the product.

    Christian: It's just a civil document basically that a manufacturer has to fill out to disclose certain things, like what type of encryption you have, what type of authentication you're using. So the same concept: it's a labeling to inform a consumer of the product or the medical device what the risks are and what protections are there as well.