    Episode 52 · December 23, 2025 · 22m listen · 413 words · ~2 min read

    Trevor Slattery Answers Tough Medical Device Cyber Questions | Ep. 51 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 52 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this rapid-fire episode of The Med Device Cyber Podcast, Trevor Slattery provides expert answers to critical questions in medical device cybersecurity, offering invaluable insights for product security teams, regulatory leads, and engineers. The discussion covers essential standards such as IEC 62304 for software lifecycle processes and safety classifications, and ISO 14971, which outlines risk management in medical devices, emphasizing patient safety. The podcast further explores how AAMI TR57 extends ISO 14971 to security risk management and introduces AAMI TR97 for postmarket activities, alongside ANSI/UL 81001-5-1 for a secure total product lifecycle approach. Slattery clarifies key concepts like Secure Product Development Frameworks (SPDF) and the Total Product Lifecycle (TPLC), from design to decommissioning. He also delves into practical testing methodologies like fuzz testing and differentiates between black-box and white-box penetration testing. Additionally, the episode addresses the nuances of DICOM for medical imaging, the FDA’s definition of a "cyber device," and the critical role of Software Bill of Materials (SBOMs), including "software of unknown provenance" (SOUP). This episode is a concise yet comprehensive guide to navigating the complexities of medical device cybersecurity.

    Key takeaways from this episode

    • IEC 62304 and ISO 14971 are foundational standards for medical device software development and patient safety risk management, respectively.
    • AAMI TR57 adapts the risk management framework of ISO 14971 for cybersecurity, while AAMI TR97 focuses on postmarket security activities.
    • A Secure Product Development Framework (SPDF) and a Total Product Lifecycle (TPLC) approach are crucial for integrating security from a medical device's design to its decommissioning.
    • SBOMs are essential for listing all software components in a medical device, including both third-party and proprietary code, without exposing source code.
    • The FDA defines a "cyber device" by the presence of validated software, network interfacing capabilities, and potential cybersecurity risk exposure.
    • Static Application Security Testing (SAST) analyzes code without execution, whereas Dynamic Application Security Testing (DAST) evaluates code during runtime.


    Full episode transcript

    Hi, welcome back to another episode of The Med Device Cyber Podcast. Today, we're going to switch it up a little bit. I'm going to put Trevor in the hot seat and do a rapid-fire to see if he actually is the brain box, as he's been called before. So, we'll put him to the test. I'm your host, Christian Espinoza, the founder and CEO of Blue Goat Cyber, here with Trevor, who is the brain box and the CTO of our company. He's coming from Northern California. I'm not sure if he's gained intelligence or lost intelligence from moving from Arizona to California, but I guess we'll figure it out.

    I definitely lost having to go to the DMV here, like 40 times. [laughter] It felt like it. I think it was actually about five times, which is five too many. The San Francisco DMV is a dark place. I don't like going to DMVs at all. I heard there are private places, though, you can pay a little extra to avoid the DMV. I couldn't find one near here, but I would always do that in Arizona. There was the footwork in Cottonwood.

    Alright. So, we're going to play a rapid fire. Trevor is super smart with medical device cybersecurity. So, I'm going to ask him some questions and see how he does answering. These are questions a lot of you probably think about periodically. Maybe not, but you probably wonder what IEC 62304 is and all this other stuff, so we'll get Trevor's answer. If he goofs it up too much, which I don't expect him to, then I'll fill in the gaps.

    IEC 62304 talks about safety classifications and secure development lifecycle practices within medical devices. So, it's a good framework for understanding what controls would be applicable based on scaling device risk. It uses the European classification Class A, B, and C, and talks about some of the specific implementations that may be applicable for a high-risk Class C device that may not be as applicable for a low-risk Class A device and then general best practices with software lifecycles within medical devices.

    Perfect.
So if I am a medical device manufacturer and I'm trying to decide what sort of outsourced software development vendor or company I should choose, I should choose one that follows IEC 62304. Correct? Exactly. Awesome. We'll stick with the standards and we'll jump into ISO 14971. What is that? ISO 14971 is titled