    Episode 013 · March 4, 2025 · 33m listen

    Postmarket Surveillance and Anomaly Detection for Medical Devices | Ep. 12

    Episode Summary

    This episode of The Med Device Cyber Podcast delves into the critical realm of postmarket surveillance for medical devices, addressing the ongoing need for security beyond pre-market approvals. Hosts Christian Espinosa and Trevor Slattery explore essential aspects of postmarket management, including coordinated vulnerability disclosure (CVD) systems, software Bill of Materials (SBOM) management, and continuous penetration testing. The discussion highlights the FDA's increasing emphasis on devices capable of receiving secure updates, contrasting with the challenges posed by legacy devices or those with inherently insecure update mechanisms. The hosts emphasize the importance of robust processes to handle newly discovered vulnerabilities, referencing real-world examples like the urgent need to address vulnerabilities in third-party libraries (e.g., Log4j, Shellshock, XC library). Furthermore, the episode clarifies misconceptions surrounding SBOMs, advocating for their transparency as a crucial tool for informed decision-making by consumers and for proactive risk management by manufacturers. This episode is a must-listen for product security teams, regulatory leads, and engineers navigating the complexities of medical device cybersecurity in the postmarket phase.

    Key Takeaways

    • Coordinated Vulnerability Disclosure (CVD) systems are crucial for responsibly managing vulnerabilities discovered by external researchers, fostering a safer ecosystem.
    • Maintaining an up-to-date Software Bill of Materials (SBOM) is critical for identifying and mitigating risks associated with third-party software components throughout a device's lifecycle.
    • The ability to securely deploy over-the-air (OTA) updates is increasingly important, but manufacturers must also plan for secure manual update processes for devices incapable of OTA updates.
    • Continuous penetration testing after market release is essential to adapt to evolving threat landscapes and new vulnerability discoveries.
    • Transparency regarding SBOMs empowers consumers to make informed decisions and aids manufacturers in proactive risk management, rather than serving as a blueprint for attackers.
    • Manufacturers must prioritize addressing vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) database due to their high risk of active exploitation.
    • Anomaly detection and evaluation are vital postmarket activities to identify unusual device behavior that may indicate a cybersecurity vulnerability.
    • Network segmentation is paramount to protect hospital networks from potentially insecure medical devices and to prevent lateral movement of threat actors.
    • The FDA is pushing for faster adoption of secure practices for medical device cybersecurity, acknowledging the urgent need for better security in a landscape where over 50% of devices had known critical vulnerabilities in 2023.
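The SBOM-management and KEV-prioritization takeaways describe one postmarket routine: check the components in a device's SBOM against vulnerability data and put anything on CISA's KEV list at the top of the fix queue. The Python below is an added example (not code from the episode or from Blue Goat Cyber) that runs that routine over constructed data: a CycloneDX-style component list, a hypothetical vulnerability feed with placeholder CVE ids, and a stand-in KEV set.

```python
"""Cross-reference a device SBOM against a vulnerability feed and a KEV list.
Added example, not from the episode; SBOM, feed and KEV set are constructed
sample data and the CVE ids are placeholders, not real identifiers."""
import re

# Constructed CycloneDX-style component list for a hypothetical device image.
SBOM = {"components": [
    {"name": "log4j-core", "version": "2.14.1"},
    {"name": "openssl", "version": "1.1.1w"},
    {"name": "zlib", "version": "1.3.1"},
]}

# Constructed feed: component -> [(first_affected, first_fixed, cve_id)].
VULN_FEED = {
    "log4j-core": [("2.0", "2.15.0", "CVE-PLACEHOLDER-0001")],
    "openssl": [("1.1.1", "1.1.2", "CVE-PLACEHOLDER-0002")],
}

# Constructed stand-in for the CISA KEV catalogue; only the CVE ids matter here.
KEV_IDS = {"CVE-PLACEHOLDER-0001"}


def version_key(v: str) -> list:
    """Split '1.1.1w' into [(1, ''), (1, ''), (1, 'w')] so versions compare sanely."""
    out = []
    for part in v.split("."):
        num, suffix = re.match(r"(\d*)(.*)", part).groups()
        out.append((int(num or 0), suffix))
    return out


def in_range(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed (first fixed release is safe)."""
    keys = [version_key(x) for x in (version, first_affected, first_fixed)]
    n = max(len(k) for k in keys)
    v, lo, hi = (k + [(0, "")] * (n - len(k)) for k in keys)
    return lo <= v < hi


def triage(sbom: dict, feed: dict, kev_ids: set) -> list:
    """Match SBOM components to the feed; KEV-listed findings sort first."""
    findings = []
    for comp in sbom["components"]:
        for lo, hi, cve in feed.get(comp["name"], []):
            if in_range(comp["version"], lo, hi):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "cve": cve, "kev": cve in kev_ids})
    return sorted(findings, key=lambda f: (not f["kev"], f["component"]))
```

Calling `triage(SBOM, VULN_FEED, KEV_IDS)` returns the log4j-core finding first because its placeholder id is in the KEV set, then the openssl finding; zlib has no feed entry and produces nothing.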



Hi, welcome back to The Med Device Cyber Podcast. I'm your host, Christian Espinosa. I'm here with Trevor Slattery, and today we're going to talk about postmarket management and anomalies that we might find in a medical device. We've talked about pre-market before, but the challenge is what happens after the device is on the market. How do we make sure it stays secure, and if a vulnerability is found, how does a manufacturer update that vulnerability? This is a very critical topic, and before we dive into it, I just want to introduce myself a little bit. I'm Christian, the founder of Blue Goat Cyber. I'll let Trevor introduce himself. Hi, I'm Trevor. I'm the CTO and Director of Medtech Security at Blue Goat Cyber. Right, so how's your day going today, Christian? My day is packed. You know, these days it's like block after block after block of stuff to do. I wanted to go karting today because I signed up for this endurance karting event, and I want to get into like a 24-hour one, but I just haven't had time. So my endurance is probably not that great. 24 hours of non-stop karting? You need a team. You kart; you do a pit stop; you have to do pit stops to change the tires. I should probably start with the one I'm doing this month, which is 2 and a half hours, but I want to gradually work up to 24 hours. That'd be a lot. I think about, you know, if I've been up for 12 hours and I'm driving, I'm already getting tired. If I'm up for 24 hours and I'm driving, I shouldn't be driving. Well, that's a challenge, right? Yeah. Alright, so we've been talking so far in our previous episodes about pre-market, which is all the things we need to do for a medical device before it gets on the market. And now we're focused on postmarket because once the device is on the market, we still have to be concerned about vulnerabilities. A new vulnerability might be discovered in Bluetooth or in a third-party library, and how do we handle all that is really the topic of today's discussion.
When we say pre-market, like I said, it's before the device is on the market. Postmarket, it's on the market. So a couple of the main areas for postmarket, and I'll just go over these, and if I miss anything, you can fill me in, Trevor, is what's called a Coordinated Vulnerability Disclosure system. So that's one of the requirements for postmarket. The Software Bill of Materials management is another requirement. So if a vulnerability pops up with a third-party library, annual penetration testing, at least once a year, and vulnerability testing, as well as static application security testing. Then one of the challenges, I think, with postmarket is if a vulnerability is discovered, how does the manufacturer securely develop a patch for it and then deploy that patch? Because not every device can have the patch deployed over the air, or OTA, as some people like to say. Sometimes it has to be deployed by a field technician that physically goes out there and plugs in a USB drive. The scenario that always goes through my head is what if that USB drive is infected? Now you're just making the problem worse, right? So they have to have a total product lifecycle that is very secure. Did I miss anything like any of the requirements? And we can dive deeper into each of them. Yeah, I think that's a great overview of everything. And of course, every device is going to have a little bit of a different threat landscape, and as a result, different postmarket requirements. But in short, the main things that need to be covered are continued security through the supply chain, continued security through the public, which is where that vulnerability disclosure system comes into play, and then finding a way to fix things as they come up. So an interesting area that I'd be curious to hear your thoughts on, and I know the FDA has been pushing away from this, they've been pushing away from devices that can't receive updates.
It's a bit of a double-edged sword, as update functionality is a new attack vector. But if you're unable to update a device, it can be a very involved process to make changes. So I'm curious on your thoughts on how to manage devices that are unable to receive updates once they're out in the field. Yeah, I've got quite a bit of experience with that. We've dealt with devices for, I've been doing this for a little over 10 years now, and devices that can't receive an OTA, or over-the-air update, are oftentimes more secure because, like you alluded to, that pathway to allow remote updates can be exploited. And we've had clients instead not secure that pathway or that environment. So it opens up a can of worms, though, because you have to send somebody to the device, or you have to train the physician, the user of the device, the doctor, the nurse, whoever, on how to do the update and mail them a thumb drive or something. So it's important to have a mechanism in place if your device can't be updated over the air and make sure that mechanism is secure. So if I am to put something on a thumb drive, like a firmware update, and provide the instructions to a field technician, I have to make sure that that thumb drive is not compromised. And there's been lots of scenarios where people have bought thumb drives at trade shows. They've received them, and they've all had malicious code on them, right? So we have to have a way to ensure the security of our update process to fix the vulnerability because it is another pathway to introduce another vulnerability. It's like that one scene from Mr. Robot where the guy on the street is giving out USB drives with his mixtape on it and then compromises a bunch of people's computers. Are you a Mr. Robot fan? I personally didn't like the show that much, but I feel like I'm obligated as a penetration tester to watch it. I watched one episode because all the penetration testers kept talking about it so much.
I felt like it was too mandatory to watch. So I only watched one episode, but maybe, maybe I'll go back and watch it because I felt left out of the conversations when they're all talking about Mr. Robot. I don't think it's worth watching, but anytime, anytime I introduce myself to someone, I say,
