Episode 40 · July 8, 2025 · 33m listen · 4,614 words · ~23 min read
Total Product Lifecycle Security: From Design to Disposal | Ep. 27 - Full Transcript | The Med Device Cyber Podcast
Read the complete, searchable transcript of Episode 40 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.
Episode summary
In this episode of The Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa delve into the critical but often overlooked concepts of Total Product Lifecycle (TPLC) security and the Secure Product Development Framework (SPDF). They begin by defining these terms, explaining that TPLC encompasses the entire lifespan of a product, from the initial concept phase all the way through to its final decommissioning. The SPDF, which is closely related to the Secure Software Development Lifecycle (SSDLC), is presented as an essential component of the TPLC. It provides a structured approach to ensure security is integrated into every stage of the product's ongoing development, rather than being treated as an afterthought or a final checklist item before release. The hosts argue that neglecting these frameworks is a primary reason why many software products, especially in the medical device field, end up with significant security vulnerabilities.
The discussion further explores the nuanced relationship between these frameworks. Trevor clarifies that the SPDF and SSDLC are subsets of the broader TPLC philosophy. While TPLC demands a holistic view of security from cradle to grave, the SPDF/SSDLC focuses on the cyclical, iterative process of development, including code reviews, static testing, and verification at each step. Christian provides compelling real-world examples to illustrate the dangers of ignoring the full lifecycle. He recounts instances where decommissioned medical devices and even classified government printers were sold online with unencrypted hard drives, exposing sensitive data like Protected Health Information (PHI) or classified documents. This highlights the vital importance of the decommissioning phase, a part of the lifecycle that manufacturers frequently forget.
The hosts also address the considerable challenges, particularly for startups, in implementing these comprehensive security measures. They acknowledge that creating a robust SPDF and adhering to the TPLC is expensive, time-consuming, and may not add immediate, tangible value in the eyes of a company focused on getting a product to market. This often leads to security being pushed to the back burner. However, they stress that this is a shortsighted approach, as the value of security becomes painfully apparent only after a breach occurs or when regulatory scrutiny begins. The conversation also touches on securing the development environment itself, the risks associated with third-party contractors, insecure update mechanisms (like using a public kiosk to manage updates), and the simple human errors that can undermine even the most sophisticated systems.
Key takeaways from this episode
Total Product Lifecycle (TPLC) security covers a product from its initial concept all the way through to its final decommissioning, ensuring security is considered at every stage.
The Secure Product Development Framework (SPDF) and Secure Software Development Lifecycle (SSDLC) are critical components of TPLC, focusing on integrating security into the ongoing, iterative development process.
Neglecting a full-lifecycle approach to security is a major reason why software and medical devices are often released with vulnerabilities.
The decommissioning phase is a crucial but frequently overlooked part of the TPLC; insecure disposal of devices can lead to major data breaches.
Security must extend beyond the product's code to include the development environment, update mechanisms, supply chain, and physical security of developer equipment.
Startups and smaller companies often struggle to implement comprehensive secure development practices due to high costs, time constraints, and a focus on speed to market.
While secure processes are essential, human error remains a significant vulnerability, reinforcing the need for continuous checks, multiple reviews, and strict adherence to security protocols.
Regulatory compliance and market access increasingly depend on demonstrating a robust, end-to-end security posture, making TPLC a necessity rather than an option.
Full episode transcript
Trevor: Hello and welcome back to the Med Device Cyber podcast. We're joined here by your co-host Christian Espinosa. And today we're going to be talking about total product life cycle security and developing a secure software development life cycle. How are you doing today, Christian?
Christian: I'm doing good. This is one of my favorite topics. It's something that is uh the TPLC or the SPDF uh is something that's commonly neglected and it's often why software ends up unsecure or insecure in my opinion.
Christian: But yeah, I'm doing pretty good. I did put on some, not enough, it wasn't SPDF. It's uh, what what do you call that? The S, the sunscreen. I had I put some of that on the other day. I went to the beach.
Trevor: What?
Christian: SPF.
Trevor: SPF.
Christian: Yeah.
Trevor: There you go.
Christian: So I still got a little bit sunburned. Um but yeah, I'm stuck uh stuck in Florida for a couple of days. Uh worst place to be stuck I guess, but uh, you know, travel delays going through Dallas. I figured I'd rather be stuck here than Dallas. So that's what's going on with me.
Trevor: Seems like there's a delay anytime you fly through Dallas. I think they're just not used to weather at all there. So if the wind shifts the wrong direction, they shut down the airport.
Christian: Yeah, so maybe I'll avoid Dallas next time. But yeah.
Christian: There you go.
Christian: So, let's go back to TPLC and SPDF. Um, SPDF. What what, are those like the same or are they really different? What do you think?
Trevor: So, TPLC and SPDF, I think that um, the SP, the Secure Product Development Framework is part of the Total Product Life Cycle.
Trevor: So when we're looking at total product life cycle, total is kind of the key word there, it goes from the concept phase all the way to decommissioning whenever you're done supporting the product. So it needs to cover everything.
Trevor: The secure product development framework, product development is an ongoing effort. It's not a one-and-done situation. It keeps going throughout the life of the product. So, it's a framework that ensures you are managing security at every step of the way. You aren't missing any big considerations. Um, you're designing it with security at the front of mind, you're performing regular code checks going through the design process and you aren't leaving security to just a time block at the end.
Trevor: Um, that, I think the synonymous part is the SSDLC, the Secure Software Development Life Cycle, which goes into that cyclical process. So you're making a change to it, you're reviewing the change, you're implementing the change, you're testing the change, and then you go in again, you're making another change.
Trevor: All of that needs to have security at the front of mind. There are a lot of processes, a lot of tools, lots that goes into a secure software development life cycle.
Christian: So the SPDF, the secure product development framework is really synonymous with an SSDLC, a secure software development life cycle. Would you say that?
Trevor: Just about, yeah, they're pretty similar. And then all of that ties into the total product life cycle. So it's a component of, you know, the full, the full product.
Trevor: Obviously, the development is the main part of the product. You have an initial device, you keep making tweaks and changes, you keep developing it, you keep changing it. And so that's what we're looking at with the total product life cycle and that's what we're looking at with the secure product development framework.
Christian: Yeah, and I think the total product life cycle is something that needs more emphasis and I think that's why it's a requirement now. I know in the past, I've worked with a medical device manufacturer that had the assumption, which is a true assumption, that the device would be in a secure uh room in a hospital.
Christian: But what they did not consider is when the device is decommissioned and the hospital no longer wants it, what were they going to do with the device? And these devices did not have encrypted hard drives. So the hospitals were getting rid of these devices, people were able to purchase them off of eBay and other sources and grab all the PHI off the hard drive. So they totally kind of forgot about that whole decommissioning and the security involved with that.
Christian: And this even applied, like back in the day when I worked for the government, the DOD, they would get rid of like printers, and these, some of the printers were classified printers, and they would just sell them to whoever wanted to buy them. And a lot of these printers had hard drives on them with classified documents. So I think it's extremely important to think about from, like you said, concept to decommissioning the security in that entire process because it's often forgotten about once the product is sold.