Episode 35 · March 4, 2025 · 33m listen · 3,647 words · ~18 min read
Postmarket Surveillance and Anomaly Detection for Medical Devices | Ep. 12 - Full Transcript | The Med Device Cyber Podcast
Read the complete, searchable transcript of Episode 35 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.
Episode summary
In this episode of The Med Device Cyber Podcast, host Christian Espinosa, founder of Blue Goat Cyber, and Trevor Slattery, the company's CTO, delve into the critical topic of post-market cybersecurity management for medical devices. They distinguish this phase from pre-market activities, highlighting that cybersecurity is not a one-time approval-gate task but an ongoing lifecycle responsibility. The central challenge addressed is how manufacturers can ensure their devices remain secure after being deployed in clinical environments, and what processes are necessary to manage and remediate vulnerabilities that are discovered post-launch. The hosts introduce the core components of a robust post-market management plan, framing it as an essential practice for maintaining patient safety and device integrity in a constantly evolving threat landscape.
The discussion outlines several key requirements and practices for effective post-market surveillance. A primary focus is placed on the necessity of a Coordinated Vulnerability Disclosure (CVD) program, which provides a structured and legal channel for security researchers and users to report potential flaws. This allows manufacturers to address issues responsibly before they can be widely exploited. Another essential pillar is the management of a Software Bill of Materials (SBOM), a detailed inventory of all software components, including third-party and open-source libraries. The hosts argue that simply creating an SBOM is insufficient; it must be continuously monitored against vulnerability databases, such as CISA's Known Exploited Vulnerabilities (KEV) catalog, to proactively identify emerging risks. They also cover the importance of regular, scheduled security assessments like annual penetration testing and vulnerability scanning, emphasizing that new attack methods can render previously secure systems vulnerable over time.
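The SBOM monitoring the hosts describe can be illustrated with a small matcher. This is an added example, not code from the podcast or from Blue Goat Cyber: it parses a constructed CycloneDX-style SBOM and checks each component against a constructed advisory feed. The feed uses KEV-style fields (CVE id, product, required action) plus an affected-version range; note that the real CISA KEV catalog names products but does not carry version ranges, so in practice those come from a joined source such as NVD/CPE data. All CVE ids, component versions and version ranges below are placeholders.

```python
"""Match a CycloneDX-style SBOM against a KEV-style advisory snapshot (added example)."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed SBOM for a hypothetical device; not a real inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-device-fw", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2k", "purl": "pkg:generic/openssl@1.0.2k"},
    {"type": "library", "name": "zlib",    "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"type": "library", "name": "bluez",   "version": "5.50",   "purl": "pkg:generic/bluez@5.50"}
  ]
}
"""


@dataclass(frozen=True)
class Advisory:
    """One KEV-style entry with a constructed affected-version range."""
    cve: str
    product: str
    introduced: Optional[str]   # first affected version (inclusive); None = from the beginning
    fixed: Optional[str]        # first fixed version (exclusive); None = no fix published
    required_action: str


# Constructed feed snapshot. CVE ids are placeholders, not real identifiers.
ADVISORIES: List[Advisory] = [
    Advisory("CVE-PLACEHOLDER-1", "openssl", None,    "1.0.2u", "Upgrade to a fixed release"),
    Advisory("CVE-PLACEHOLDER-2", "zlib",    "1.2.0", "1.2.12", "Upgrade to a fixed release"),
    Advisory("CVE-PLACEHOLDER-3", "bluez",   "5.0",   "5.51",   "Upgrade to a fixed release"),
    Advisory("CVE-PLACEHOLDER-4", "busybox", None,    None,     "Apply vendor mitigation"),
]


def version_key(version: str):
    """Split '1.0.2k' into ((1,''),(0,''),(2,'k')) so tuples compare naturally."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d*)(.*)", piece)
        num = int(m.group(1)) if m.group(1) else 0
        parts.append((num, m.group(2)))
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed)."""
    k = version_key(version)
    if adv.introduced is not None and k < version_key(adv.introduced):
        return False
    if adv.fixed is not None and k >= version_key(adv.fixed):
        return False
    return True


def load_components(sbom_json: str):
    """Return (name, version) pairs from a CycloneDX-style document."""
    sbom = json.loads(sbom_json)
    return [(c["name"].lower(), c["version"]) for c in sbom.get("components", [])]


def match_sbom(sbom_json: str, advisories: List[Advisory]):
    """Cross every SBOM component with the feed; return the hits that need action."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv.product.lower() == name and is_affected(version, adv):
                findings.append({
                    "component": name,
                    "version": version,
                    "cve": adv.cve,
                    "fixed_in": adv.fixed,
                    "required_action": adv.required_action,
                })
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['cve']} -> {f['required_action']}"
              f" (fixed in {f['fixed_in']})")
```

Re-running `match_sbom` against each new feed snapshot is what turns a static SBOM into the continuous monitoring the episode calls for; the version-range check is deliberately conservative and should be validated against the vendor's own advisory before a finding is closed.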
Furthermore, Espinosa and Slattery explore the practical challenges of deploying security patches. They compare the benefits and risks of Over-the-Air (OTA) updates versus manual updates performed by field technicians. While OTA updates offer efficiency, the update mechanism itself can become an attack vector if not properly secured. Conversely, manual updates using physical media like USB drives introduce risks of infection and supply chain compromise. The conversation underscores the importance of a secure Total Product Lifecycle (TPLC) that accounts for these post-market realities. They conclude that a proactive, continuous, and multi-faceted approach, combining transparent reporting, diligent monitoring, regular testing, and secure update procedures, is non-negotiable for medical device manufacturers in the modern cybersecurity environment.
Key takeaways from this episode
Post-market cybersecurity management is a continuous process required throughout a medical device's entire lifecycle, extending long after its initial market approval.
Effective post-market management requires several key components, including a Coordinated Vulnerability Disclosure (CVD) program, active Software Bill of Materials (SBOM) management, and regular security testing.
A Software Bill of Materials (SBOM) is not a static document; it must be continuously monitored against new vulnerability data to identify risks in third-party software components.
Manufacturers must have a secure plan for deploying updates, whether through Over-the-Air (OTA) mechanisms or manual installs, as the update process itself can be a significant attack vector.
A Coordinated Vulnerability Disclosure (CVD) system is vital for establishing a safe, legal, and efficient channel for security researchers and the public to report vulnerabilities.
Regular, annual penetration testing is critical because the threat landscape, attack techniques, and knowledge of vulnerabilities are constantly evolving, even if the device's code hasn't changed.
Security through the supply chain is a post-market concern, particularly in how patches are delivered and how third-party components are monitored for new flaws.
Anomaly detection, or identifying strange behavior in device software, is an important part of identifying potential security issues that may or may not have been known during the pre-market phase.
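The anomaly detection mentioned in the last takeaway can be shown with a baseline check over device telemetry. This is an added example, not code from the podcast or from Blue Goat Cyber: it counts outbound connections per hour for one hypothetical device from constructed log lines and flags hours whose count departs from the device's own baseline using a robust (median/MAD) score. The log format, device id and counts are all constructed.

```python
"""Flag hours where a device's outbound-connection count departs from its baseline (added example)."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def constructed_log():
    """Constructed telemetry for a hypothetical device 'pump-017'; not real device output.
    Line format: '<ISO timestamp> device=<id> event=<name> dst=<host>'."""
    per_hour = [2, 2, 2, 3, 3, 4, 41]   # hour 6 spikes far above the quiet baseline
    start = datetime(2025, 3, 4, 0, 0, tzinfo=timezone.utc)
    lines = []
    for hour, n in enumerate(per_hour):
        for i in range(n):
            ts = start + timedelta(hours=hour, minutes=i)
            lines.append(f"{ts.isoformat()} device=pump-017 event=outbound_conn dst=10.0.0.{i % 5 + 1}")
    # A background event that the detector must ignore.
    lines.append(f"{start.isoformat()} device=pump-017 event=heartbeat dst=-")
    return lines


LINE_RE = re.compile(r"^(?P<ts>\S+) device=(?P<dev>\S+) event=(?P<ev>\S+)")


def hourly_counts(lines, event="outbound_conn"):
    """Count the chosen event per (device, hour bucket)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ev"] != event:
            continue
        hour = datetime.fromisoformat(m["ts"]).replace(minute=0, second=0, microsecond=0)
        counts[(m["dev"], hour)] += 1
    return counts


def robust_z(value, values):
    """Median/MAD z-score; robust enough that the outlier in 'values' barely moves the baseline.
    When MAD is zero (perfectly flat baseline) fall back to a scale of 1 count."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    scale = mad if mad > 0 else 1.0
    return 0.6745 * (value - med) / scale


def detect_anomalies(lines, threshold=3.5):
    """Return one finding per (device, hour) whose count scores above the threshold."""
    by_dev = defaultdict(dict)
    for (dev, hour), n in hourly_counts(lines).items():
        by_dev[dev][hour] = n
    findings = []
    for dev, hours in by_dev.items():
        values = list(hours.values())
        for hour, n in sorted(hours.items()):
            z = robust_z(n, values)
            if z > threshold:
                findings.append({"device": dev, "hour": hour.isoformat(), "count": n, "score": round(z, 1)})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(constructed_log()):
        print(f"{f['device']} {f['hour']}: {f['count']} outbound connections (score {f['score']})")
```

The median/MAD score is used rather than mean/standard deviation because a single spike inflates the standard deviation and can hide itself; on a real fleet the baseline would be built per device model and over a longer window, and a flagged hour is a trigger for investigation, not proof of compromise.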
Host: Hi, welcome back to the Med Device Cyber podcast. I'm your host Christian Espinosa. I'm here with Trevor Slattery. And today we're going to talk about post-market management and anomalies that we might find in a medical device.
Host: We talked about premarket before, but the challenge is, what happens after the device is on the market? How do we make sure it stays secure? And if a vulnerability is found, how does somebody, a manufacturer update that vulnerability? So this is a very critical topic.
Host: And before we dive into it, I just want to introduce myself a little bit. I'm Christian. I'm the founder of Blue Goat Cyber. I'll let Trevor introduce himself.
Trevor: Hi, I'm Trevor. I'm the CTO and director of MedTech security at Blue Goat Cyber. And uh...
Host: All right.
Trevor: Yeah, so how's your day going today, Christian?
Host: My day is packed. You know, I've got all these days. It's like block after block after block of stuff to do.
Host: I wanted to go karting today because I signed up for this endurance karting event. Um, and I want to get into like a 24-hour one. But uh I have, I just haven't had time. So my endurance is probably not that great.
Trevor: 24-hour, so 24 hours of nonstop karting.
Host: Yeah, you need a team, but yeah.
Trevor: Oh, okay.
Host: You kart, you do a pit stop. You have to do pit stops to change the tires and yeah. I should probably start with, like, the one I'm going to do this month is two and a half hours. Um, but I want to gradually work up to 24 hours.
Trevor: Yeah, that'd be a lot. I think about, you know, if I've been up for 12 hours and I'm driving, I'm already getting tired. If I'm up for 24 hours and I'm driving, I shouldn't be driving.
Host: Oh, that's a challenge, right?
Trevor: Yeah.
Host: All right. So we've been talking so far, in our previous episodes, about pre-market, which is all the things we need to do for a medical device before it gets on the market. And now we're focused on post-market, because once the device is on the market, we still have to be concerned about vulnerabilities, because a new vulnerability might be discovered in Bluetooth and in a third-party library. Uh, and how we handle all that is really the topic of today's discussion.
Host: So, and when we say pre-market, like I said, it's before the device is on the market; post-market is when it's on the market. So a couple of the main areas for post-market, and I'll just go over these and then if I missed any, you can fill it in, Trevor, is what's called a coordinated vulnerability disclosure system. So that's one of the requirements for post-market.
Host: Software bill of materials management is another requirement. So if a vulnerability pops up with a third-party library. Annual penetration testing at least once a year and vulnerability testing, as well as static application security testing. And then one of the challenges I think with post-market is if a vulnerability is discovered, how does the manufacturer securely develop a patch for it and then deploy that patch?
Host: Because not every device, the patch can be deployed over the air or OTA, some people like to say. Sometimes it has to be deployed by a field technician that physically goes out there and plugs in a USB drive. And then what the scenario that always goes through my head is what if that USB drive is infected? Now you're just making the problem worse, right? So they have to have a total product life cycle that is very secure.
Host: Did I miss anything like the requirements? And we can dive deep a little bit deeper in each of them.
Trevor: Yeah, I think that's a great overview of everything. And of course, every device is going to have a little bit of a different threat landscape and, as a result, different post-market requirements. But in short, the main things that need to be covered are continued security through the supply chain, uh, continued security through the public, which is where that vulnerability disclosure system comes into play, and then finding a way to fix things as they come up.
Trevor: So, an interesting area that I'd be curious to hear your thoughts on, and I know the FDA has been pushing away from this. They've been pushing away from devices that can't receive updates. Um, it's a bit of a double-edged sword as update functionality is a new attack vector. But if you're unable to update a device, it can be a very involved process to make changes. So I'm curious on your thoughts on how to manage devices that are unable to receive updates once they're out in the field.