    Episode 28 · July 8, 2025 · 33m listen · 6,363 words · ~32 min read

    Total Product Lifecycle Security: From Design to Disposal | Ep. 27 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 28 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This episode of The Med Device Cyber Podcast delves into the critical concept of Total Product Lifecycle (TPLC) security, emphasizing its importance from concept to decommissioning for medical devices. Hosts Christian Espinosa and Trevor Lynch discuss how the Secure Product Development Framework (SPDF) and Secure Software Development Lifecycle (SSDLC) are integral components of TPLC, ensuring security at every stage. The conversation highlights often-neglected aspects of medical device security, such as secure decommissioning to prevent the exposure of Protected Health Information (PHI) from unencrypted hard drives. The episode also explores the security of development and update environments, including the risks associated with over-the-air (OTA) updates and the need for robust threat modeling that extends beyond the device itself to encompass the entire product ecosystem. Listeners will gain insights into the challenges and best practices for implementing secure development pipelines, adhering to standards like IEC 62304, and addressing supply chain security, offering essential guidance for product security teams, regulatory leads, and engineers navigating the complex landscape of medical device cybersecurity.

    Key takeaways from this episode

    • The Total Product Lifecycle (TPLC) for medical devices encompasses security considerations from the initial concept phase through active use and ultimately to secure decommissioning.
    • The Secure Product Development Framework (SPDF) and Secure Software Development Lifecycle (SSDLC) are crucial, cyclical processes within the TPLC that ensure security is integrated from the outset and continuously maintained.
    • Neglecting secure decommissioning can lead to significant data breaches, as unencrypted hard drives from retired medical devices may contain sensitive Protected Health Information (PHI).
    • Robust security for development and update environments is paramount, as vulnerabilities in these areas, such as insecure over-the-air (OTA) update mechanisms, can compromise entire fleets of devices.
    • Comprehensive threat modeling should extend beyond the device itself to include all aspects of the product ecosystem, such as development practices, supply chain security, and data hosting locations.
    • Implementing a secure product development framework with continuous integration/continuous delivery (CI/CD) pipelines, static code analysis, and software bill of materials (SBOM) analysis is essential for identifying and remediating vulnerabilities early.
    • While costly, integrating cybersecurity throughout the TPLC and adhering to standards like IEC 62304 is vital for regulatory compliance and market acceptance, preventing future liabilities despite initial investment challenges.
    • Even if a product is never commercialized, regulatory bodies require a plan for its decommissioning, underscoring the necessity of a holistic security approach from the very beginning of the product lifecycle.
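    As an added example (not code from the podcast or its hosts) of what the "SBOM analysis" step in such a pipeline looks like in practice, the Python below parses a constructed CycloneDX-style SBOM, checks every component against a constructed advisory list, and returns a pass/fail result that a CI stage can use to block a build that ships a known-vulnerable component. The SBOM contents, the package versions, the advisory identifiers (ADV-0001, ADV-0002; placeholders, not real CVE numbers) and the affected-range logic are all assumptions for illustration; a production gate would match on package URLs (purl) rather than bare names and pull affected ranges from a vulnerability database.

```python
"""Added example of an SBOM gate for a CI/CD stage in an SPDF/SSDLC pipeline.
Not code from the podcast or its hosts. The SBOM and advisory list below are
constructed for illustration; a real pipeline would fetch advisories from a
vulnerability database and match on purl, not on package name alone."""
import json
import re

# Constructed CycloneDX-style SBOM fragment for a hypothetical device build.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "libxml2", "version": "2.10.4",
         "purl": "pkg:generic/libxml2@2.10.4"},
    ],
})

# Constructed advisories: a component is affected when
# affected_from <= version < fixed_in. IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-0001", "name": "openssl", "affected_from": "1.1.1", "fixed_in": "1.1.1t"},
    {"id": "ADV-0002", "name": "zlib", "affected_from": "1.2.0", "fixed_in": "1.2.12"},
]


def parse_version(version):
    """Turn '1.2.11' or '1.1.1k' into a comparable tuple of (int, letters) parts.

    Handles the OpenSSL-style letter suffix ('1.1.1' < '1.1.1a' < '1.1.1k') and pads
    short versions so '1.2' compares equal to '1.2.0'.
    """
    parts = []
    for piece in version.split("."):
        match = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not match:
            raise ValueError(f"unsupported version syntax: {version!r}")
        parts.append((int(match.group(1)), match.group(2)))
    while len(parts) < 4:
        parts.append((0, ""))
    return tuple(parts)


def is_affected(version, advisory):
    """True when version falls inside the advisory's half-open affected range."""
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def scan_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair that matches."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(comp["version"], adv):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


def gate(sbom_json, advisories):
    """Return (passed, findings). A CI stage fails the build when passed is False."""
    findings = scan_sbom(sbom_json, advisories)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    passed, findings = gate(SBOM_JSON, ADVISORIES)
    for f in findings:
        print(f"{f['advisory']}: {f['component']} {f['version']} (fixed in {f['fixed_in']})")
    print("GATE", "PASS" if passed else "FAIL")
```

    Running it against the constructed SBOM flags openssl 1.1.1k and zlib 1.2.11 and fails the gate, while libxml2 passes. The half-open range (fixed version excluded) is the caveat worth keeping: a build that already carries the fixed release must not be blocked, or the gate will be disabled the first time it produces a false positive.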

    Full episode transcript

    Page 1 of 8 · Paragraphs 1-9
    Hello and welcome back to the Med Device Cyber Podcast. We are joined here by your co-host Christian Espinosa, and today we are going to be talking about Total Product Lifecycle Security and developing a secure software development life cycle. How are you doing today, Christian?

    I am doing good. This is one of my favorite topics. It is something that the TPLC, or the SPDF, is something that is commonly neglected and is often why software ends up unsecure or insecure in my opinion. But I am doing pretty good. I did put on some, not enough, it wasn't SPDF, it's uh, what do you call that? The S, the sunscreen. I put some of that on the other day at the beach, you know, SPF.

    SPF.

    SPF. Yeah, there you go. So, I still got a little bit sunburned. Um, but yeah, I'm stuck, uh, stuck in Florida for a couple days. Uh, worst place to be stuck, I guess. But, uh, you know, travel delays going through Dallas. I figured I would rather be stuck here than Dallas. So, yeah, that is what is going on with me.

    It seems like there is a delay anytime you fly through Dallas. I think they are just not used to weather at all there. So, if the wind shifts the wrong direction, they shut down the airport.

    Yeah. So, maybe I will avoid Dallas next time. But there you go. So, let us go back to TPLC and SPDF. Um, SPDF, what are those, like, the same, or are they really different? What do you think?

    So, TPLC and SPDF, I think that the Secure Product Development Framework is part of the Total Product Lifecycle. So, when we are looking at Total Product Lifecycle, total is kind of the key word there. It goes from the concept phase all the way to decommissioning, whenever you are done supporting the product. So, it needs to cover everything. The Secure Product Development Framework, product development is an ongoing effort. It is not a one-and-done situation. It keeps going throughout the life of the product. So, it is a framework that ensures you are managing security at every step of the way. You are not missing any big considerations. Um, you are designing it with security at the front of mind, you are performing regular code checks, going through the design process, and you are not leaving security to just a time block at the end. Um, I think the synonymous part is the SSDLC, the Secure Software Development Life Cycle, which goes into that cyclical process. So, you are making a change to it, you are reviewing the change, you are implementing the change, you are testing the change, and then you go in again, you are making another change. All of that needs to have security at the front of mind. There are a lot of processes, a lot of tools, a lot that goes into a Secure Software Development Life Cycle.

    So, the SPDF, the Secure Product Development Framework, is really synonymous with an SSDLC, a Secure Software Development Life Cycle. Would you say that?

    Just about. Yeah, they are pretty similar. And then all of that ties into the Total Product Life Cycle. So, it is a component of, you know, the full, the full product. Obviously, the development is the main part of the product. You have an initial device. You keep making tweaks and changes. You keep developing it. You keep changing it. And so, that is what we are looking at with the Total Product Life Cycle. And that is what we are looking at with the Secure Product Development Framework.

    Yeah. And I think the Total Product Life Cycle is something that needs more emphasis. And I think that is why it is a requirement. Now, I know in the past I have worked with a medical device manufacturer that had the assumption, which is a true assumption, that the device would be in a secure room in a hospital. But what they did not consider is when the device is decommissioned and the hospital no longer wants it, what were they going to do with the device? And these devices did not have encrypted hard drives. So, the hospitals were getting rid of these devices. People were able to purchase them off of eBay and other sources and grab all the PHI off the hard drive. So, they totally kind of forgot about that whole decommissioning and the security involved with that. And this even applied, like, back in the day when I worked for the government, the DoD, they would get rid of, like, printers. And some of these printers were classified printers, and they would just sell them to whoever wanted to buy them. And a lot of these printers had hard drives on them with classified documents. So, I think it is extremely important to think about, from, like you said, concept to decommissioning, the security in that entire process, because it is often forgotten about once the product is sold. And that is even like, there is postmarket management, which is once it is sold, but there is also the decommission aspect, and both of those need to be considered for the TPLC.