    Episode 039 · December 2, 2025 · 11m listen

    Cybersecurity Qs MedTech Innovators Ask: Christian’s Hot Seat | Ep. 48

    Episode Summary

    In this special episode of The Med Device Cyber Podcast, host Trevor Slattery puts his co-host and cybersecurity expert, Christian Espinosa, in the "hot seat." Deviating from their usual guest interview format, Trevor quizzes Christian on some of the most frequently asked questions from innovators and developers in the medical technology space. The episode serves as a rapid-fire Q&A session designed to demystify complex regulatory standards and common pitfalls encountered when bringing a new medical device to market, with a particular focus on cybersecurity.

    The discussion begins with a foundational topic: ISO 13485. Christian explains that this standard outlines the requirements for a Quality Management System (QMS) specific to the medical device industry. He details that a QMS is a comprehensive system that organizes all information related to a medical device's lifecycle, from its design history and manufacturing processes to its cybersecurity documentation. The core purpose of adhering to ISO 13485 is to establish full traceability and ensure that all processes are high-quality, repeatable, and secure. This system is crucial for managing risks and efficiently addressing any problems that may arise after the device is on the market.

    Trevor and Christian then explore the primary reasons for FDA device rejections, with Christian highlighting that, in the past year, insufficient or inadequate cybersecurity has become the leading cause. The conversation also clarifies the often-confused terminology of "Software as a Medical Device" (SaMD) versus "Software in a Medical Device" (SiMD). Christian defines SaMD as software that functions as a medical device entirely on its own, such as a cloud-based AI algorithm for image analysis. In contrast, SiMD is software that is an integral component of a physical medical device, like the operating software on a patient monitor.

    The final and perhaps most critical topic addressed is the distinction between HIPAA and FDA requirements. Christian emphatically states that HIPAA compliance is not a substitute for meeting the FDA's cybersecurity standards. He argues that the FDA is primarily concerned with patient safety (preventing physical harm from a device malfunction or hack), while HIPAA is focused on protecting the privacy and security of Protected Health Information (PHI). Using the stark example of a hacked defibrillator, he illustrates that the immediate threat to life (an FDA concern) is a different category of risk than the theft of personal data (a HIPAA concern), underscoring why both regulatory frameworks must be addressed separately.

    Key Takeaways

    • ISO 13485 is the international standard for establishing a Quality Management System (QMS) for medical devices, ensuring traceability and quality throughout the product lifecycle.
    • Inadequate or insufficient cybersecurity is currently the most common reason for medical devices being rejected by the FDA during the submission process.
    • "Software as a Medical Device" (SaMD) is a standalone software product that performs a medical function, whereas "Software in a Medical Device" (SiMD) is software embedded within a hardware device.
    • HIPAA compliance and FDA cybersecurity requirements are not interchangeable; they address different types of risk and must both be satisfied independently.
    • The FDA's primary cybersecurity focus is on patient safety, meaning the prevention of physical harm that could result from a compromised medical device.
    • HIPAA's focus is on the privacy and security of Protected Health Information (PHI), safeguarding patient data from unauthorized access or breaches.
    • Innovators should prioritize patient safety in their device design to meet FDA expectations, rather than assuming data privacy measures alone will suffice.



    Transcript

    Trevor: Hello and welcome back to another episode of The Med Device Cyber Podcast. This one's going to be a little bit different from our typical flow. We're putting Christian in the hot seat and running him through some of the questions that we see come up all the time as frequently asked questions with med-tech innovators and seeing how he does and seeing how well he knows all of these processes. All right, well, we'll start off with a good one and a very important one. Could you give us a little description of what ISO 13485 is?

    Christian: ISO 13485 is the standard for a quality management system and how to set that up and what should be in that system and what the foundational components of that system are. And the whole idea is when you have a medical device, you need to have a QMS or some sort of system that has basically all the information about the medical device, the design history files, the cybersecurity documentation. And the whole idea is I have all this stuff organized in a very logical manner. So I have traceability for when the device is on the market, traceability for when it was designed, how it was built, how it was tested. I have that full visibility and traceability in the system. And then when a problem comes up with a device, I feed that into the quality management system and then we have the evidence of what we did to reconcile that problem and make sure the risk is at an acceptable level, like if we had to mitigate the risk and how we did that and the history of that, or if we decided the risk is already at an acceptable level and we didn't need to take any action.

    Trevor: Excellent. Yep. Yeah, that's a perfect way to put it. We're trying to make sure that we have quality, repeatable, and secure processes. It's often one of the bigger frustrations for working with healthcare and med-tech devices, um, just since it's a little bit unique to regulate the spaces for sure, but very important. All right. Now, what is the most common reason that medical devices get rejected by the FDA?

    Christian: Lately, the most in the past year or so, the most common reason is cybersecurity, actually. Insufficient or inadequate cybersecurity, I should say.

    Trevor: Yep, exactly. All right. Now, could you give us a little bit of a summary of the description between SaMD and SiMD products?

    Christian: Oh, my goodness. SaMD is software as a medical device. So this would be some sort of software that may sit on the cloud. It could be, uh, some sort of AI image enhancement, uh, tool that takes an ultrasound image, sends it up to the cloud, and this software component runs AI through it and does some image enhancement for something like a vascular disease. So the physician can look at the image and see the vascular portion much better than just through the ultrasound or an MRI. A SiMD is, uh, that's software in a medical device. And that is basically a medical device that has software. So this could be, uh, like a patient monitoring system that has software inside of it.

    Trevor: The software as a medical device is only software. So there's no hardware component with it. The software in the medical device...

    Christian: Oh, okay. So the patient monitoring system isn't a good example. It's the hardware and the software running in that hardware.

    Trevor: Yep, exactly.

    Christian: Okay. So I was on the right track.

    Trevor: All right. Now here's a question that I actually got last night at dinner, believe it or not. But...

    Christian: You were at some Georgian Khinkali or whatever dinner you went to.

    Trevor: This was at the Georgian Khinkali dinner. And I was talking with a startup innovator that has a new product that they're just about to gear up for their 510(k). And we were talking about what cybersecurity needs to go into it. And he asked, well, I have HIPAA compliance. Is that going to work for the FDA? I told him, no, it's not. So what are some of the differences between what HIPAA looks for and what the FDA looks for?

    Christian: There's some stark differences. Uh, the FDA is primarily concerned with patient safety, meaning if I can hack into this medical device, what harm can I cause to a patient? That is the primary lens the FDA is looking through. HIPAA in contrast is related to protected health information. It has nothing to do with patient safety. It's like, is my charting about my diagnosis protected? Is my insurance, uh, protected that's in the hospital for my treatment? Uh, and those are two very different things. And I think this is a commonly misunderstood concept with med-tech cybersecurity. People often think it's about the data, which is HIPAA. The data is important, but it's secondary to patient safety. I like to give an analogy. If I've got a defibrillator and somebody has hacked into it remotely through MedRadio or whichever, uh, radio means, and they're shocking me to death, while at the same time somebody is stealing my health records, do I actually care that they're stealing my health records, or do I focus on being shocked to death?

    Trevor: Yeah, that's an important triage decision to make. What should you deal with first? And I think hopefully most people come to the same answer on that.

    Christian: Right. I can recover from my protected health information or my HIPAA data being stolen, but I can't recover from death. Not yet. They may come up with a solution for that later on.

    Trevor: Yeah, well, that's going to be the real med-tech innovator that figures out how to reverse death. So we're waiting for that one to come by. All right. And then a little bit of a curveball in the same vein. What does HIPAA stand for?

    Christian: HIPAA is Health Information, no, Health Information Portable Accountability Act or something like that.

    Trevor: I always thought it was not health, yeah, portability and accountability. I thought it was health information privacy protection for the longest time, and so I had to actually double check on that.

    Christian: Portability, when you move from here to there and keep it protected, is what I understand. Did I get the acronym right?

    Trevor: You did. Yeah. No, I had the wrong answer on it, and I had to double check. All right. So yeah, I have one more question that I wanted to run through with you here. When we're looking at all of these different med-tech regulators and a lot of these medical device regulators, we often see that many of them come back with slightly different standards. Who typically has the most strict cybersecurity requirements and who can be thought of as kind of the industry leader in that space?

    Christian: A little bit of a trick question. Typically, I would say it's the FDA, uh, which basically borrows from the IMDRF but has elaborated on that quite a bit. And then I say typically because I know China has some stringent requirements as well. So I would say between those two, but I think the FDA is more global-reaching than China, which is more specific to China.

    Trevor: Yep. Ironically, if you're FDA cleared, you can sell your device to the Hong Kong market, which is a special administrative region of China. And then once it's been adopted in the Hong Kong market, then it can be sold to the China market and bypass, uh, Chinese approval. Yep, which is especially... it's a good strategy to take considering oftentimes Chinese clearance for the NMPA requires a complete device overhaul as opposed to some minor documentation modifications, which may be the case, say, going from the US to South Korea. Uh, going directly from the US to China, you need to pretty much strip out all of your encryption, start over. Everything needs to be Chinese cyber law compliant in addition to NMPA compliant.

    Christian: That's right.

    Trevor: All right. Well, this was a little bit of a quick run-through on a couple of the most frequently asked questions that we get from med-tech innovators. Uh, I want to see if you had any additional thoughts or closing comments, and then we'll go from there.

    Christian: Uh, I don't have any really additional thoughts. You took it kind of easy on me, especially compared to the hot seat I put you through, but that's okay. Unless you have one more if you want. I think I have a little more time. Um, it can be on any topic. It doesn't have to be specific to med tech.

    Trevor: All right, on any topic not specific to med tech. Within reason. When was the last time Phoenix had snow?

    Christian: I think it was 1984.

    Trevor: I believe it is 1923.

    Christian: Oh, okay. I just made up 84, so I don't actually know. I've only been in Phoenix for like a couple of years.

    Trevor: It was 19... oh, never mind. It was 1990.

    Christian: Oh, it's close. Closer than you.

    Trevor: Yeah, a lot closer. I know, not sure where I was getting that one from. I know, uh, I spent a lot of time in Tucson when I was a kid and they would always get snow. And my grandparents live in Tucson and they would say, "You don't get that up in Phoenix." And so that was why we'd always go there instead.

    Christian: Yeah, well, the good thing about Phoenix is you can drive an hour in pretty much any direction and, you know, be up in the mountains and it can be like 30 degrees cooler and sometimes snowing up there.

    Trevor: Yeah, anytime I'm in Phoenix, I feel like I drive an hour in any direction, I'm still in Phoenix.

    Christian: You don't drive fast enough.

    Trevor: I drive pretty fast in Phoenix. That city never ends.

    Christian: All right. Right. Maybe an hour and a half.

    Trevor: My favorite trick is to show people that have never been to Phoenix the time it takes on Google Maps to get from East Phoenix to West Phoenix and show them that is going 65 miles an hour on the interstate.

    Christian: Oh, I know. I was looking at, uh, getting back into skydiving; there's a drop zone here in Buckeye. I've never been there though, but from my place in Tempe to Buckeye, uh, and I'm kind of in the central Phoenix area, Buckeye is on the west side. It's like 45 to 50 minutes.

    Trevor: Yeah, it is a huge sprawling city.

    Christian: Yeah, it's growing quite a bit still.

    Trevor: Yeah. Yeah, it's still one of the fastest growing cities. Phoenix, Austin, Nashville, pretty much everything in Florida.

    Christian: Well, thanks for the questions. I think hopefully people found some value in the answers, and these questions are pretty commonly asked questions actually, as Trevor mentioned. Uh, we get these questions quite often and, uh, because they're asked quite often, I feel like if we give the answers, then we can help raise the awareness in the industry, which is part of our mission at Blue Goat Cyber to raise the awareness about cybersecurity, uh, because it is becoming, like Trevor alluded to, or we answered, like one of the main reasons devices are getting rejected by the FDA and other regulatory bodies. So we want to help prevent that and do the best we can to make sure med-tech innovators are armed with the knowledge about cybersecurity and the knowledge we're providing is actually actionable and there can be some specific actions taken upon it to prevent their device from getting rejected or delayed to market.

    Trevor: Awesome. Well, thank you all for tuning in, and looking forward to seeing you the next time on The Med Device Cyber Podcast.
