In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa, founder and CEO of Blue Goat Cyber, and his colleague Trevor delve into the critical and often overlooked aspects of cybersecurity within the medical device industry. They begin by categorizing medical device manufacturers into two primary groups: agile startups, often backed by venture capital, and large, established corporations. A central argument made is that many companies, particularly startups, frequently make the critical mistake of deferring cybersecurity considerations until the end of the product development lifecycle. This reactive approach, termed "bolting on security," occurs when teams scramble to meet regulatory requirements just before submitting their device for approval. The hosts contrast this inefficient method with the proactive "security by design" philosophy, which advocates for integrating security measures from the initial concept phase. They emphasize that neglecting security early on inevitably leads to significant delays, costly remediation, and potential rejection by regulatory bodies, posing a serious risk to product launch timelines and financial stability.
The discussion then transitions to the complex regulatory landscape that governs medical devices, focusing primarily on the U.S. Food and Drug Administration (FDA) framework. The hosts demystify the FDA's risk-based classification system, which categorizes devices into Class 1 (low risk, e.g., bandages), Class 2 (moderate risk, e.g., powered wheelchairs), and Class 3 (high risk, e.g., implantable defibrillators). This classification directly determines the rigor of the required pre-market submission pathway, whether it's a 510(k) for devices similar to existing products, a De Novo for novel low-to-moderate risk devices, or the exhaustive Premarket Approval (PMA) for high-risk, life-sustaining devices. They stress that although FDA guidance is often phrased as a recommendation, it functions as a de facto requirement, and failing to adhere to its detailed documentation and security standards is a common reason for submission failures.
To illustrate the tangible risks of inadequate security, the hosts provide a real-world example from their experience testing a Class 2 acne treatment laser. They explain the concept of "vulnerability chaining," where an attacker combines several minor flaws to achieve a major compromise. In this case, vulnerabilities included unprotected physical ports on a supposedly air-gapped device, kiosk software that could be crashed to access the underlying operating system, and applications running with excessive administrative privileges. By chaining these exploits, they gained full remote control, enabling them to alter the laser's intensity and disable its cooling mechanism—a dangerous modification that could cause severe burns to a patient. This powerful example underscores the necessity of a holistic security approach that addresses not only network and software vulnerabilities but also physical interfaces, ensuring patient safety and successful regulatory approval.
Key Takeaways
1. Medical device manufacturers often fall into two categories: startups and large corporations, but both can make the mistake of treating cybersecurity as a last-minute compliance task.
2. Integrating cybersecurity from the beginning of the product design lifecycle ('security by design') is far more effective and less costly than 'bolting it on' just before regulatory submission.
3. The FDA classifies medical devices into Class 1 (low), 2 (medium), and 3 (high) based on patient risk, which dictates the stringency of the required pre-market submission process.
4. FDA guidance on cybersecurity should be treated as mandatory. Though often framed as recommendations, non-compliance is a leading cause of submission rejections.
5. 'Vulnerability chaining' is a critical threat where attackers combine multiple low-severity weaknesses to achieve a high-impact compromise, such as taking full control of a device.
6. Even devices designed to be 'air-gapped' are not immune to threats; physical access to ports can bypass network security controls entirely.
7. The cybersecurity process for medical devices extends beyond the pre-market phase into post-market surveillance, requiring manufacturers to have a plan for monitoring and responding to new vulnerabilities.
8. Medical device cybersecurity requires a specialized skillset that goes beyond traditional IT penetration testing, involving hardware, embedded systems, and specific regulatory knowledge.
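The acne-laser case in the summary and takeaways 5 and 6 describe three weak links that chained into full control: open physical ports, kiosk software that could be crashed into the desktop by bad input, and an application running as administrator. The Python model below is an added example, not code from the device, the episode, or Blue Goat Cyber. It shows the second and third links as a defender would look at them: a command handler that dies on malformed input beside a fail-closed handler that validates, logs and keeps running, plus a start-up check that refuses elevated privileges. The command format (`intensity=20`, `cooling=off`), the safe intensity limit and the sample operator input are constructed assumptions for illustration.

```python
"""Constructed model of the kiosk failure chain described in the episode.

Added example, not code from the device or from Blue Goat Cyber. The
command format, the intensity limit and the privilege check are assumed.
"""
import os
from dataclasses import dataclass, field

MAX_INTENSITY = 50  # assumed safe upper bound for the laser setting (constructed)


@dataclass
class DeviceState:
    intensity: int = 0
    cooling_on: bool = True
    kiosk_running: bool = True  # False models the kiosk dying and exposing the desktop
    log: list = field(default_factory=list)


def run_kiosk(handler, state, commands):
    """Model of the kiosk process: an unhandled exception in the command
    handler terminates the kiosk, which is the crash-to-desktop link."""
    for line in commands:
        try:
            handler(state, line)
        except Exception as exc:  # the real process would die here
            state.kiosk_running = False
            state.log.append(f"kiosk crashed on {line!r}: {exc}")
            break
    return state


def vulnerable_handler(state, line):
    """Before: trusts every command. Malformed input raises; out-of-range
    values are applied without any bounds check."""
    op, value = line.split("=")  # ValueError on a line without '='
    if op == "intensity":
        state.intensity = int(value)  # no range check, int() may raise
    elif op == "cooling":
        state.cooling_on = value == "on"
    else:
        raise ValueError(f"unknown command {op!r}")


def hardened_handler(state, line):
    """After: fail closed. Unknown or out-of-range input is logged and
    dropped; the kiosk keeps running and the device stays in a safe state."""
    op, sep, value = line.strip().partition("=")
    if not sep:
        state.log.append(f"rejected malformed input {line!r}")
        return
    if op == "intensity":
        if not value.isdecimal() or int(value) > MAX_INTENSITY:
            state.log.append(f"rejected intensity {value!r}")
            return
        state.intensity = int(value)
    elif op == "cooling":
        if value not in ("on", "off"):
            state.log.append(f"rejected cooling value {value!r}")
            return
        if value == "off" and state.intensity > 0:
            state.log.append("refused to disable cooling while the laser is active")
            return
        state.cooling_on = value == "on"
    else:
        state.log.append(f"rejected unknown command {op!r}")


def running_as_admin():
    """True when the current process is elevated (Windows) or root (POSIX)."""
    if os.name == "nt":
        import ctypes
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    return os.geteuid() == 0


def start_kiosk(state, commands, is_admin=None):
    """Hardened entry point: refuse to run with administrative privileges
    (the third link in the chain), then use the fail-closed handler."""
    if is_admin is None:
        is_admin = running_as_admin()
    if is_admin:
        state.kiosk_running = False
        state.log.append("refusing to start with administrative privileges")
        return state
    return run_kiosk(hardened_handler, state, commands)


# Constructed operator input: two unsafe values, then a malformed line.
SAMPLE_COMMANDS = [
    "intensity=20",
    "cooling=on",
    "intensity=999",  # far above MAX_INTENSITY
    "cooling=off",    # would leave the laser running without cooling
    "intensity",      # malformed; kills the unhardened kiosk
    "intensity=5",
]

if __name__ == "__main__":
    before = run_kiosk(vulnerable_handler, DeviceState(), SAMPLE_COMMANDS)
    after = start_kiosk(DeviceState(), SAMPLE_COMMANDS, is_admin=False)
    print("vulnerable:", before)
    print("hardened:  ", after)
```

Run stand-alone, the unhardened run ends with intensity 999, cooling disabled and the kiosk dead, while the hardened run ends with intensity 5, cooling on, the kiosk still running and three rejections in the log. The point of the structure is that each link is closed independently: bounds and allowlists stop unsafe values, the handler never raising stops the crash-to-desktop path, and the privilege check means that even a crash would not land an attacker in an administrator session.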
Host: Welcome back. Today we're going to be looking at some of the categories of medical devices and medical device manufacturers as well as some of the regulatory bodies that govern these devices and go through the submission approval process. Here today with Christian Espinosa, the founder and CEO of Blue Goat Cyber.
Guest: Awesome. How you doing today Trevor?
Host: Doing pretty well. How are you doing?
Guest: You know, I've my head has my these two fingers have been kind of numb. I went shooting for like an hour and a half the day. I don't know if it's from shooting handguns so long or what but it's making typing very challenging for me. You ever had that problem from shooting?
Host: Yeah, yeah, I, no, I get that problem once in a while. I mean, normally, I shoot kind of the racing guns, the 22 caliber, so I don't get too much, but, uh, whenever I go out for the bigger calibers or go out on big rifles, I kind of get that same issue.
Guest: Okay. I thought maybe something was happening to my hands here. Yeah, I'm looking forward to our episode today. We're going to talk about some important topics with, uh, the regulatory landscape. Regulatory affairs can be kind of boring, so hopefully we can cover this in a non boring manner.
And, uh, one of the things with medical device manufacturers, I feel they fall into two main categories, at least the clients that deal with us, there's two main categories. There's the startups and then there's the large companies. It seems like we rarely get somebody in the middle. I mean, maybe a few, but it's mainly the startups and large companies.
And a lot of the startups are VC or venture capital funded. And what happens is they kind of forget about cybersecurity until the very end and the whoever their regulatory affairs person is says hey, we got to do the cybersecurity stuff. And the product has already been developed.
So then they contact us and at this point we have to like retroactively fix a bunch of things or bolt on some security which isn't the ideal way to do this. And this happens with large companies too. Um, what do you think the ideal way to handle the security of this Trevor? Should it be like they they they start reading the FDA guidance and all of a sudden they realize when they're about to like submit their packet to the FDA that they forgot about it? Or should they do it like way earlier in the process?
Host: In a perfect world, as soon as they have the idea for the device they should be accounting for security. Now like you said that's rarely actually the case but in an ideal situation you're able to account for security early and often.
Pretty much any aspect of a device can be compromised in some way or another. Bad guys are unfortunately pretty crafty. So it can be easy for devices where security is an afterthought to get compromised in hundreds of different ways. That's why it's something that should be addressed at the very beginning.
Um, now like you said that doesn't always happen. So part of striking the balance is figuring out how can you address security once we're already down to the right side of the development process. I can't count how many times we have, you know, a potential client come to us and say, Hey, we need security considerations done for this medical device. We say, Great, when are you planning to submit? And they say, Oh, about three weeks from now. Go, Whoa, that's, that's a tight timeline. And, you know, that takes in all the documentation, penetration testing, remediation, re-testing. It is not typically a three-week process.
Guest: We can turn our part around the initial round of testing typically in three weeks, but it's gonna take them quite a while to fix all the stuff we identify, right?
Host: Oh yeah, yeah, the initial round of testing. I mean, depending on how many hands you throw on the project, you can get through that pretty quickly but I guess it's a matter of how, how much you find from testing typically to see how long remediation cycle is. We have a lot of times where you don't find too much on testing. You give someone almost clean bill of health, they make a couple of tweaks and then they have a finished product the next day. Other times you absolutely eat them alive, you find you know, dozens of critical findings just tear apart a device and then, you know, suddenly, it's a
Guest: doesn't sound very pleasant. Eat them alive and tear apart the device. Is that how you're describing the work?
Host: Yeah, it's well, the bad guys aren't necessarily being pleasant about it either. They're taking a device and they're trying to do bad things to them. We're taking the white hat approach, we're looking for the device, we're trying to protect it, but when we're finding a lot of findings, it's not a good situation and unfortunately security is often seen as a necessarily a necessary evil. Um something that people have to do, just have to worry about for compliance and that might not, that might be because they don't necessarily see the impact. But finding a lot of findings on a pen test is going to result in a pretty big turnaround time for remediation. So it's why we want to see it earlier ideally.
Guest: Yeah and this can cause significant impact to the two categories I mentioned, if you're VC funded, you're a startup and you've only got so much capital and you forgot to to get funding for the cyber security component and the rework involved with it. You know that could cause some some challenges.
And the same thing if you're a large company and you've told all your shareholders that you're going to release this product, you know on September 4th and then you come to us on August 19th and say we need the cybersecurity done, it's probably going to be delayed. So that could really impact your public image and a lot of other things.
So in a, in general, the best cybersecurity principle is to to have the requirements and design cybersecurity in the product rather than bolt it on later. So I, I agree with Trevor, like the sooner you can get involved with cybersecurity, like as soon as you have the idea, start be thinking about it, the better.
And with regulations, there's a few main regulatory bodies. There's quite a few actually. There's like, if you look at the globe is a there's one for pretty much every region of the of the world. But the main ones we deal with are the FDA, the Food and Drug Administration. A lot of people don't even know that the FDA has guidance and regulatory authority over medical devices. Most people just think it's pharmaceuticals or uh our food supply.
Uh the FDA is in the United States and then we have the EU MDR, the European Union medical device regulation which handles most of Europe. Those are the two probably the two biggest regulatory authorities in the medical device or med tech uh space.
And today I think we'll focus a little bit more on the FDA since that's primarily what we deal with. So the FDA has quite a bit of regulations that came out with new guidance in September. It's relatively new, it's almost a year old now, but new guidance in September 2023 that really changed the landscape with medical device manufacturers and cyber security. As a result of those changes a lot of submissions. Uh a submission is when a device manufacturer tries to get their device approved so they can market it and sell it on the market.
A lot of those submissions got rejected with deficiencies because the manufacturer did not understand all the cyber security requirements that the FDA now has. So before we dive into like some of those requirements, just talk a little bit about the types of pre-market submissions. So in medical device cyber security and medical devices in general, there's two categories, there's pre-market and post market.
Pre-market means your device is not on the market yet and you need it to be approved by the regulatory body which in this case we're talking about the FDA. So you have to submit this whole package, often through this online system called eSTAR, and in that package is all the cyber security documentation, all the penetration testing reports and you have to prove to the FDA that your device has acceptable risk in terms of patient harm or patient safety.
And then there's postmarket. So postmarket means once your device is approved, it has to, you have to, it's not, it's not like one and done. You're proven, you have to, you can forget about cyber security. You have to then monitor that device and show you have a plan to make sure once your device is sold in the market that you monitor the device and you could respond to incidents, you can remotely update if necessary, or you have a plan to update the device in case there's a new vulnerability discovered. So those are the two main aspects that the FDA requires and the EU MDR requires. And then maybe Trevor you can explain a few of the different pre-market. I think we should actually talk about the classifications first before we go into like different types of pre-market uh submissions. What do you think?
Host: Yeah, I think, I agree. So as far as the FDA goes there are three classifications of devices. It's class one, two and three. Uh, we see class one as a low risk device and that is subject to general concerns. Um, an example of a class one device would just be a bandage or maybe a scalpel. Uh, these are things where we don't have to be applying the same considerations to maybe another device. Class two
Guest: there's no, there's no cyber security risk with a scalpel, right? It's an instrument.
Host: Yeah, that's correct. Often times cyber security risks sort of will introduce higher level of risk. I think a good example of a cyber device would be an oxygen pump, uh, for supplemental oxygen. Not for emergency use, not for, um, any sort of life sustaining activities, but like in supplemental therapeutic oxygen applicator, that would be considered a class one device where there's not necessarily any huge risk to the device and compromise isn't going to be harmful to the patient.
Class two is a little bit higher level of risk. Uh, an example of that could be a wheelchair, for an example. If a wheelchair has a computer component and that can be compromised, so let's say you're able to...
Guest: Yeah, yeah. Yeah. A powered wheelchair, not a manual wheelchair.
Host: Yeah, just any wheelchair with a computer component or just an equivalent device. If you can compromise that wheelchair, someone hacks into it and they're able to crank the speed up or, you know, cause it to randomly just break in the middle of moving, that...
Guest: How fast could they crank the speed up on a wheelchair, you think?
Host: Honestly that's a pretty good question. I mean I'm thinking for reference, like one of those electric go-karts, those things can go about 60 miles an hour. So I bet if you really got into, really were able to modify the firmware of a wheelchair, you can make it go pretty fast.
Guest: I'm sitting here looking at the lake and there's a trail here and I see people go by in a wheelchair every now and then. I imagine, I guess if you could speed that thing up and you could run someone off into the lake, they might drown.
Host: Yeah, that's what we're talking about, you know. Yeah. Well now you got me thinking, how fast can you race a wheelchair? I don't know.
Host: Well, you know, regardless, there's still definitely a level of threat there. Um, a class three device is the ultimate level of harm. That's like a surgical robot where a compromise of the device can effectively lead to patient death. Uh that's the most stringent controls, most stringent considerations and there's a lot of concern around there. Anytime there can be a massive breach of patient data. So let's say medical records, widespread medical records get leaked or patient death, severe injury, um, like with a medical robot, someone can get someone can get killed pretty easily or someone can become disabled as a result of mis-treatment with a surgical device. So there can be a lot of real risk with a class three device.
Guest: Yeah, and that's like an implantable defib device is a class three as well, high risk, like you said.
Host: Right.
Guest: So that device is compromised, you could um kill somebody. I remember we were we were dealing with a client recently and it's kind of interesting, we look at the risk, we always look at risk matrices and they had, they wanted the highest risk in there to be severe. And I was like, well, and somebody could die as a result of hacking this device. And they wanted catastrophic take it off there and severe put in there. And I'm like, it's pretty catastrophic if somebody dies, isn't it? They're like, no, we think that's severe. I just thought that whole conversation was so bizarre. you know, I'm like, if I die, it's kind of catastrophic, maybe not for me because I won't know, I won't be around anymore but maybe for my family they be like, man that was that was oh that was severe. It wasn't that big a deal, you know?
Host: Yeah, I'm picturing you know, someone gets like misdiagnosed or dies as a result. Someone says, was that a catastrophe? No, no, that wasn't a catastrophe. It was a big deal but it wasn't a catastrophe.
Guest: Yeah so class three I think we're dealing with you know catastrophic results if the worst case scenario happens.
Host: Yeah. Yeah and I think severe would more fall under that class two category. That's, you know, it can cause you harm um it cause you significant harm, but that's nothing that you won't recover from. That's not permanent harm or leading to permanent disability. Um it could cause, you know, temporary harm, temporary discomfort, things of that nature.
Guest: Yeah, I think in some situations with class two, some extreme situations like that powered wheelchair you mentioned, you know, if if you could hack it in a way where you can drive it super fast into a lake or into a a busy street, you know, that might uh be a far right use case or something, but you know, that's that's pretty risky as well. Maybe not maybe not the same as shocking someone's heart to death, you know, with a like the big Chinese scenario.
Host: Yeah.
Guest: So, what are the uh, some of the pre-market submission types? So we talked about the classes and I think these tie into the type of submission. And to me it's very confusing. There's like this thing called 510K, a PMA, a De Novo, it's all these like crazy terms. And I used to be when I first got in medical devices, I I would get a 510K confused with a 401K. You know it's very similar. I'm like, you know 401K is the investing instrument, right? 510K is uh something different. So can you explain maybe like the what a 510K is and De Novo?
Host: Well the first thing is the naming convention is is pretty poorly thought out. I cannot understand why they would have such a wide range. They have an acronym for one and then they're like doing Latin for another and then they're doing numbers for one, it doesn't make any sense. But with a 510k, that's going to be a device that has a substantial equivalent. So essentially that's nothing new to the market. That would be a device that is already out there. We can go back to the wheelchair example. Electronic wheelchairs have been around for a while and so if a manufacturer is going to create a new electronic wheelchair, there are equivalent devices already out in the field.
So that would be anything that is falling under the 510k category. Now, PMA and De Novo are a little bit different. These are going to be novel devices where there isn't an equivalent already out there.
Guest: What does PMA stand for?
Host: Isn't that pre-market approval?
Host: That is pre-market approval Yeah.
Guest: Which is confusing in itself because they're all they're all technically pre-market submission types.
Host: Yeah, which just adds to kind of the additional layer. But with a premarket approval, that is going to be something that is a very high risk device. That's going to be the class three devices will fall under the PMA category. And the De Novo is going to be the class one and two. So these are new technologies that the maximum impact is not going to be extremely severe.
Guest: Yeah, De Novo in Latin doesn't that mean like from the beginning?
Host: Yeah. That means these are new novel devices that there's no nothing on the market. No substantial uh equivalent device out there. Is that right?
Host: Yep, that's correct.
Guest: Okay. Cool. And out of the like the FDA versus the EU MDR and some of the other regulatory bodies out there, which one do you think is the most stringent? I kind of think it's the FDA. Would you agree with that?
Host: I think the FDA as far as the entire cyber security package altogether. Uh, especially after the latest guidance as of September of 2023, the requirements as far as documentation and security considerations are very extensive for the FDA. Surprisingly, I think for the actual testing side of things, the Korean PMDA has the strictest requirements. Um, their testing documentation requirements are very very comprehensive far more so than even the.
Guest: the actual testing for them is the act is the documentation they want submitted, right? Then the way they want it's Yeah.
Host: What they want to see in a penetration test report covers a lot more ground than typically we see in other regulatory bodies. Uh, the FDA has strict requirements on what needs to be done for testing. They like to see that we're following uh the TIR 57 medical device testing framework which covers very comprehensively how it needs to be done as far as test plans, test cases, test reports. But the Korean PMDA, they really get into the weeds on the details of the content, the formatting of test reports. They leave no stone unturned there, while the FDA is a little bit more forgiving in that area, but with the documentation side of things, I would 100% agree that the FDA sort of puts you under the microscope a little bit more than anyone else.
Guest: So the Korean, the Korean um government body is a little more regimented, you would say than the FDA. And that's I think that's one of the things that a lot of devices manufacturers find confusing. The FDA provides guidance but they don't say it's mandatory. They say you can't include this if you want, but it's it's optional. but then they make these arbitrary decisions like, well you really should have included this even though they didn't tell you explicitly what to include and how to include it. Uh so it's not as prescriptive I would say as maybe the Korean one. Is that is that a true assumption there?
Host: Yep, that's definitely something with the FDA that a lot of people express frustration with. Uh, the guidance is exactly like you said, it's not very prescriptive. They're not saying you go into this document, you put these headers and you fill it out with this. There's even a table at the bottom of the latest FDA guidance document and it lists each of the sections in the table of contents and it says whether or not it's a requirement or not. Only three or four of the sections are actual requirements but we frequently see kickbacks where people include those three or four and then five more and the FDA comes back and says, well, you missed 10 of these. And the guidance didn't say it's a requirement and so people don't always think about it. But yeah, that's definitely an issue with the way they phrase things. They don't want to be prescriptive with the guidance even though a "we recommend" is essentially do this or fail.
Guest: Yeah, I know you spent some time in Korea. uh quite a bit of time in Korea. Would you say in general uh in Korean culture they're it's more prescriptive than in the United States?
Host: I would say so. I spent a lot of time kind of traveling all over Korea. Um sort of my hub was in Seoul which had a very regimented, structured kind of, it's a very serious place. Uh of course there are parts of it that are very very far from that, very fun, very relaxed, very loose, but Seoul in general is a pretty regimented place and you can see it in just public attitude, you can see it in the way that business operates and then you can see it in the way that the PMDA requires their documentation to be submitted.
Guest: It's all it's all tied together.
Host: Yep.
Guest: Interesting. So you're saying that the the September guidance, and I agree that really changed the game, this FDA September 2023 guidance on upping the ante on cybersecurity for manufacturers. What are um, I don't think a lot of people understand, we talked about these classes of devices and we worked on a device. Uh I know you worked on it personally Trevor. It was a class two device I believe. Uh and it was a a laser that uh did like acne treatment. Is that is that correct? That was a class two, right?
Host: Yes, that was a class two device.
Guest: Can you explain because I think a lot of people still don't understand like the importance of medical device cyber security like especially like a device like you go to a med spa and you're getting a laser thing done on your face to remove your acne like what are some of the concerns if you hack in that device? Can you maybe talk a little bit about the device we worked on?
Host: So this is a really interesting device. Like you said, it's an acne treatment laser. It's meant to sort of zap away any acne that you have on your face. And it has a little cooling attachment so that you aren't getting scarred and burned, which is a pretty big problem with most current acne treatments: they burn and then they leave scars, and you can't go out in the sun for like a month after getting the treatment. And it's a pretty...
Guest: So what, I mean, so this thing burns you but cools you at the same time, so you're actually not getting burned, is what you're saying?
Host: Yeah. And so they use a very high-intensity laser to essentially burn off the acne, and then they try to cool it so that you're not getting scarring or any problem, and you don't have any skin inflammation. It's a really cool system.
Now, this device was intended to be entirely air-gapped. So they wanted it in an enclosed network, not connected to the internet, no way to get in or out. And we walk into, you know, the manufacturing environment, into the lab, they show us the device, and we open up the panel and I take a wireless adapter and I stick the wireless adapter in. It's no longer air-gapped. And so I'm able to get into it remotely. I'm able to get into it from my laptop, which is, you know, in another room. It could be in the same building, just tucked away in a corner, and I'm able to control it pretty remotely. With just a chain of vulnerabilities, I was able to get pretty widespread access to just about anything on the device.
Guest: Can you back up there? I hear that term, um, vulnerability chaining. What does that mean?
Host: So that's when we're taking a couple of seemingly unrelated problems and sort of mapping them together to prove a greater impact. So in this case there were a few different issues. The first one was that I could just plug anything I wanted into the computer. It was running a Windows computer and I could do whatever I wanted. So I could plug a mouse into there and control it with a mouse, I could plug in a keyboard, or I could plug in a wireless adapter and connect it to the internet.
The second problem is it was running this software in sort of a sandboxed kiosk, so you can't really access the computer underneath. But you could force that software to crash by putting in some bad input, and then it would just bring you to the desktop of the computer. The third problem with that is it was running that software as the administrator, which is the highest level of privilege and gives you access to anything on the machine.
So by chaining all of that together, I was able to effectively remotely access the machine as an administrator and escalate my privileges to the system level, which accesses the computer itself. So I was able to control anything on the computer; anything I wanted I could modify, change, update, delete, including the short-term memory of the computer where it was storing configurations about the temperature for the laser and the cooling settings, and I would be able to go in and change that memory to make the laser burn at a much higher temperature and completely shut off the cooling. So I could just effectively burn someone, and that's it. There's no, you know, there's no cooling to try to make it better, and that laser gets hot. Surgical lasers and acne lasers get really hot. You have to wear protective equipment around it for testing. You have to do it in a special controlled laser lab. Yeah, so reaching that is a pretty big deal.
Guest: Wow, and those things are, I think, pretty common at med spas and other places, aren't they?
Host: Yeah, I mean, I'm in a pretty small town up here, about 40,000 people, and I can think of eight places with them around here.
Guest: Oh, really? Okay.
Host: Yeah.
Guest: There's one across the street. I go there and get IV therapy sometimes. I like to try to reverse my aging. So I'm like Benjamin Button, I'm going backwards. I don't know if it's working or not, but I get the IV therapy sometimes and an NAD supplement, um, which is really painful, that supposedly makes you younger and repairs everything. I don't know if I ever tried that.
Host: Yeah, have you seen that one guy, Bryan Johnson, who's on a mission to reverse aging?
Guest: Yeah.
Host: Yeah. I watch all of his sleep stuff and I try to stick with that, and so now I'm going to bed at, you know, 9:00 p.m. every night, waking up at 5:00 a.m. every day, and just won't break from that. And so that's my way to try to stay young.
Guest: Well, awesome. And that company with the laser, I think the driver for them to test this stuff was some of the new FDA guidance. Isn't that correct?
Host: That's correct. So they were making some changes to their device and they were going to be doing a new submission as a result of these changes. The FDA requires that even if you have a previously accepted device, if you're making a significant change in the functionality, you need a new submission. A good example of that is if you're adding new connectivity. If you are taking a previously sandboxed, air-gapped device and adding a network component, that would warrant a material change. That was the case with this device. They were adding some new functionality and they wanted to do a new submission.
So this was pulled in because of the FDA requirements, and they needed to find a good solution that adheres to TIR 57 testing requirements, which are not industry standard for penetration testing. It's for medical device testing. So a lot of cybersecurity companies aren't as intimately familiar with the practices there. And they wanted to find a good solution and go through with the testing so they could get their device approved.
Guest: Yeah, that's a good point. We've actually had a lot of companies come to us that had hired a normal, you know, quote "normal" penetration testing firm to do their medical device penetration test, and it resulted in a deficiency because the testing requirements are very different than traditional pen testing. I think that's what you said as well, right?
Host: Yep, exactly. It builds on a lot more of sort of the initial phases. So with typical... like one of the most popular types of pen tests that you'll see is a PCI compliance test. So that's if you're taking in a payment system, you need to make sure that your system can't be hacked into. The requirements around that: you're going to get a penetration test report, you'll remediate the findings, and then you get a letter of attestation stating that this has been tested. For a medical device following TIR 57, you need to have a full plan in place, you need to have the threat model exercise, where the threat modeling is sort of the theoretical "what could happen to the device."
From that you're going to build out a test plan to try to exploit those threats. You need to build out test cases for each identified threat. Each test case needs to tie into the test plan and tie into identified interfaces. You need to provide a report that references any test cases used and adheres to the plan that you map out ahead of time. So it's a pretty involved process, and that's just the initial planning before you get into testing, before you get into remediation, before you get into validation. It goes quite a ways down, and it's not something that is standard, you know. It doesn't apply to every industry. It doesn't apply to every system. So not many people learn about the intricacies there.
Guest: Yeah. Plus you've got all the physical interfaces which, I think as you said earlier (it may have been a different episode), not a lot of pen testers know how to hack into physical interfaces.
Host: Yeah, it's not very common to hack physical devices. I think that was last episode we were talking about that. I had just gotten back from Black Hat, and there I could count on one hand how many times we had seen a talk about a physical interface or seen a tool that related to it. Typically everything is in the network, in the cloud, AI security, API security, and you don't see very much about hardware hacking or communications like Bluetooth and Wi-Fi. It's not very common. People inherently assume that they're secure, even though that's far from the case. And there can be some pretty disastrous effects from just putting in a random hardware interface and not properly securing it.
Guest: Yeah, I agree. This episode's kind of focused on the regulatory landscape, and I think one of the key takeaways is that the company with the laser would probably not have even had it tested by us if it wasn't for the new FDA guidance. So there is... I'm someone that has mixed feelings about regulations and having to follow the rules. But in this case, these regulations are actually helping make devices that could have been out there in the market insecure, make them secure. Would you agree with that?
Host: Definitely. And that's entirely where the original guidance came from: there's been a massive increasing trend every year in cybersecurity and cybersecurity-related incidents, and more and more medical devices are getting targeted. The medical sector is responsible for a pretty large percentage of data breaches and cybersecurity attacks. So the FDA stepped in, they updated their guidance, and they are trying to push this increased effort to make sure that the medical device landscape is a little bit of a safer place.
Guest: Sounds like these regulations, which often don't result in progress, have actually resulted in progress for medical devices, which, you know, one of my passions is helping our advances in health care stay as advances, and if devices are compromised, these advances may be rolled back. So it's important we secure these devices, and I'm happy to see these regulations are actually helping secure the devices versus being a hindrance.
Host: Yep, 100%.
Guest: Yeah, so hopefully you took away some nuggets from this episode. In the next podcast episode, we're going to talk about how we can build some of these secure medical devices and some of the technologies that are required to make sure these devices are designed and built securely, rather than, you know, the stuff bolted on later on. Because ideally I want to design security into the device. I hope to see you there.