    Episode 25 · November 11, 2025 · 38m listen · 74 words · ~1 min read

    Designing Secure Medical Device Software with Randy Horton | Ep. 45 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 25 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This episode of The Med Device Cyber Podcast features Randy Horton of Orthogonal, a company specializing in software as a medical device (SaMD) development. The discussion emphasizes the critical need for integrating cybersecurity into the entire software development lifecycle (a "dev-sec-ops" approach) rather than treating it as a post-development add-on. Horton, along with hosts Christian and Trevor, advocates for viewing cybersecurity as an inherent aspect of quality software, arguing that well-built modern software fundamentally enhances medical device safety and effectiveness. The conversation highlights the stark contrast between the traditional, physically constrained engineering mindset of medical device development and the flexible, malleable nature of software. They address the challenges of shifting from a "move fast and break things" Silicon Valley mentality to the "move faster and break nothing" imperative of SaMD, where human lives are at stake. The episode also delves into the difficulties associated with implementing update mechanisms in medical devices, despite FDA guidance recommending this capability for in-field security patches. They underscore the importance of ongoing monitoring and patching, not just for regulatory compliance but as a competitive advantage for "born digital" medtech companies. The discussion touches on significant incidents, such as the UK NHS ransomware attack that resulted in fatalities, and the Illumina case, which underscore the severe consequences of neglecting cybersecurity. The episode concludes by stressing that while progress is being made, the challenge is continuous, requiring increased awareness and a proactive, risk-based approach to secure software development.

    Key takeaways from this episode

    • Cybersecurity must be integrated into the software development lifecycle from the outset, adopting a "dev-sec-ops" approach rather than being an afterthought.
    • Quality software inherently includes cybersecurity; a medical device that can be hacked and harm a patient is not a quality product.
    • The traditional medical device engineering mindset, focused on physical constraints, struggles to adapt to the digital malleability of software, leading to cybersecurity challenges.
    • Implementing robust update mechanisms in medical devices, as recommended by the FDA, is crucial for deploying security patches and receiving ongoing improvements, despite resistance from some manufacturers.
    • Real-world incidents, such as ransomware attacks and legal actions against companies for cybersecurity failures, demonstrate the severe human and financial consequences of neglecting medical device cybersecurity.
    • While regulatory compliance is a baseline, market competitiveness from "born digital" medtech companies will increasingly drive the adoption of secure and continuously updated software.
    • Cybersecurity in medical devices is not merely a regulatory burden but a fundamental component of product quality that is essential for patient safety and organizational integrity.
    • Embracing uncertainty and managing risk around the inherent digital flexibility of modern medical devices is crucial, rather than clinging to the outdated notion of fully locking down devices post-release.

    Full episode transcript

    Hi, welcome back to another episode of The Med Device Cyber Podcast. Today we are talking about software development with mobile devices, with cloud, and specifically medical device software development. We have a guest here, Randy Horton, with Orthogonal. They do software development specialized in medical devices. It is important to make sure, as Randy was mentioning earlier, that cybersecurity is actually part of your software development. So, we do DevSecOps versus just DevOps.