    Episode 052 · December 23, 2025 · 22m listen

    Trevor Slattery Answers Tough Medical Device Cyber Questions | Ep. 51

    Episode Summary

    In this rapid-fire episode of The Med Device Cyber Podcast, Trevor Slattery provides expert answers to critical questions in medical device cybersecurity, offering invaluable insights for product security teams, regulatory leads, and engineers. The discussion covers essential standards such as IEC 62304 for software lifecycle processes and safety classifications, and ISO 14971, which outlines risk management in medical devices, emphasizing patient safety. The podcast further explores how AAMI TR57 extends ISO 14971 to security risk management and introduces AAMI TR97 for postmarket activities, alongside ANSI/UL 81001-5-1 for a secure total product lifecycle approach. Slattery clarifies key concepts like Secure Product Development Frameworks (SPDF) and the Total Product Lifecycle (TPLC), from design to decommissioning. He also delves into practical testing methodologies like fuzz testing and differentiates between black-box and white-box penetration testing. Additionally, the episode addresses the nuances of DICOM for medical imaging, the FDA’s definition of a "cyber device," and the critical role of Software Bill of Materials (SBOMs), including "software of unknown provenance" (SOUP). This episode is a concise yet comprehensive guide to navigating the complexities of medical device cybersecurity.

    Key Takeaways

    • IEC 62304 and ISO 14971 are foundational standards for medical device software development and patient safety risk management, respectively.
    • AAMI TR57 adapts the risk management framework of ISO 14971 for cybersecurity, while AAMI TR97 focuses on postmarket security activities.
    • A Secure Product Development Framework (SPDF) and a Total Product Lifecycle (TPLC) approach are crucial for integrating security from a medical device's design to its decommissioning.
    • SBOMs are essential for listing all software components in a medical device, including both third-party and proprietary code, without exposing source code.
    • The FDA defines a "cyber device" by the presence of validated software, network interfacing capabilities, and potential cybersecurity risk exposure.
    • Static Application Security Testing (SAST) analyzes code without execution, whereas Dynamic Application Security Testing (DAST) evaluates code during runtime.
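
As an added example (not from the episode or from Blue Goat Cyber), here is a small Python review of a constructed CycloneDX-style SBOM: it separates the manufacturer's own components from third-party ones, treats the third-party ones as SOUP in the IEC 62304 sense, and lists which SOUP entries lack the supplier, version or hash a reviewer needs to establish provenance. The device name, component names, supplier names and hash placeholders are all made up for the example.

```python
import json

# Constructed CycloneDX-style SBOM fragment; every name and value here is sample data,
# and the hash contents are placeholders, not real digests.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-infusion-pump-fw", "version": "3.2.0",
                             "supplier": {"name": "ExampleMed"}}},
  "components": [
    {"type": "library", "name": "pump-control", "version": "3.2.0",
     "supplier": {"name": "ExampleMed"}, "hashes": [{"alg": "SHA-256", "content": "<sha256-placeholder>"}]},
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "supplier": {"name": "OpenSSL Project"}, "hashes": [{"alg": "SHA-256", "content": "<sha256-placeholder>"}]},
    {"type": "library", "name": "legacy-dicom-parser", "version": ""},
    {"type": "library", "name": "vendor-ble-stack", "version": "1.4", "supplier": {"name": "SomeChipCo"}}
  ]
}
"""


def is_soup(component, manufacturer):
    """Assumption used here: anything not supplied by the device manufacturer is off-the-shelf
    software, i.e. SOUP under IEC 62304. The SBOM lists it by name/version only; no source code."""
    return component.get("supplier", {}).get("name") != manufacturer


def missing_provenance(component):
    """Provenance fields a reviewer needs to identify a component; an empty list means complete."""
    missing = []
    if not component.get("supplier", {}).get("name"):
        missing.append("supplier")
    if not component.get("version"):
        missing.append("version")
    if not component.get("hashes"):
        missing.append("hashes")
    return missing


def review_sbom(sbom_text):
    """Return {component name: {"soup": bool, "missing": [fields]}} for every listed component."""
    sbom = json.loads(sbom_text)
    manufacturer = sbom["metadata"]["component"]["supplier"]["name"]
    return {c["name"]: {"soup": is_soup(c, manufacturer), "missing": missing_provenance(c)}
            for c in sbom["components"]}


def soup_gaps(report):
    """Names of SOUP components whose provenance record is incomplete, i.e. the follow-up list."""
    return sorted(name for name, r in report.items() if r["soup"] and r["missing"])
```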

    This episode covers Penetration Testing and SBOM Management. It's part of The Med Device Cyber Podcast, hosted by Blue Goat Cyber, focused on practical medical device cybersecurity guidance for MedTech teams.

    Hi, welcome back to another episode of The Med Device Cyber Podcast. Today, we're going to switch it up a little bit. I'm going to put Trevor in the hot seat and do a rapid-fire to see if he actually is the brain box, as he's been called before. So, we'll put him to the test. I'm your host, Christian Espinoza, the founder and CEO of Blue Goat Cyber, here with Trevor, who is the brain box and the CTO of our company. He's coming from Northern California. I'm not sure if he's gained intelligence or lost intelligence from moving from Arizona to California, but I guess we'll figure it out.

    I definitely lost having to go to the DMV here, like 40 times. [laughter] It felt like it. I think it was actually about five times, which is five too many. The San Francisco DMV is a dark place. I don't like going to DMVs at all. I heard there are private places, though, you can pay a little extra to avoid the DMV. I couldn't find one near here, but I would always do that in Arizona. There was the footwork in Cottonwood.

    Alright. So, we're going to play a rapid fire. Trevor is super smart with medical device cybersecurity. So, I'm going to ask him some questions and see how he does answering. These are questions a lot of you probably think about periodically. Maybe not, but you probably wonder what IEC 62304 is and all this other stuff, so we'll get Trevor's answer. If he goofs it up too much, which I don't expect him to, then I'll fill in the gaps.

    IEC 62304 talks about safety classifications and secure development lifecycle practices within medical devices. So, it's a good framework for understanding what controls would be applicable based on scaling device risk. It uses the European classification Class A, B, and C, and talks about some of the specific implementations that may be applicable for a high-risk Class C device that may not be as applicable for a low-risk Class A device and then general best practices with software lifecycles within medical devices.

    Perfect. So if I am a medical device manufacturer and I'm trying to decide what sort of outsourced software development vendor or company I should choose, I should choose one that follows IEC 62304. Correct?

    Exactly.

    Awesome. We'll stick with the standards and we'll jump into ISO 14971. What is that?

    ISO 14971 is titled
