    Episode 027 · July 1, 2025 · 36m

    Why Cybersecurity and Quality Are One and the Same | Ep. 26

    Ash Garuli
    Principal & Founder
    Ingenious Solutions

    Episode Summary

    This episode of The Med Device Cyber Podcast features Ash Garuli, principal and founder of Ingenious Solutions, discussing the critical intersection of cybersecurity and quality management in medical device development. Together with host Trevor Slatterie, Ash tackles common regulatory pitfalls and the evolving landscape of medical device cybersecurity regulations. The conversation emphasizes that a robust Quality Management System (QMS) inherently encompasses cybersecurity, highlighting how a diligent QMS, even prior to stringent FDA guidance, would have addressed most current cybersecurity requirements. They delve into the specific challenges posed by software components in medical devices, particularly with emerging technologies like AI/ML, and the misconception that cybersecurity is a mere checklist activity rather than an integral aspect of product safety and effectiveness. The discussion also covers the nuances of FDA guidance, including the distinction between "cyber devices" and the evolving understanding of risk assessment, moving beyond probabilistic scoring to exploitability factors. Ultimately, this episode underscores the shared responsibility of manufacturers, end-users, and even patients in maintaining medical device cybersecurity, advocating for a "shift left" approach to integrate quality and security early in the product development lifecycle.

    Key Takeaways

    1. A robust Quality Management System (QMS) in medical device development should inherently integrate cybersecurity, treating them as inseparable components rather than distinct problems.
    2. Early identification of regulatory requirements, business models, and product design is crucial for establishing an effective cybersecurity management system that meets specific market needs and compliance standards.
    3. The medical device industry must foster a culture of quality and cybersecurity across the entire team, recognizing that a cybersecurity failure can directly lead to patient harm and delayed healthcare services.
    4. Risk management in medical device cybersecurity should move beyond probabilistic scoring to focus on exploitability factors, such as the complexity of an attack, required access levels, and impact on patient safety.
    5. Manufacturers must provide artifacts like SBOMs and comprehensive labeling to enable end-users and healthcare systems to adequately manage and respond to cybersecurity vulnerabilities, fostering a shared responsibility for medical device security.
    6. Integrating cybersecurity and quality assurance early in the product development process reduces rework, lowers costs, and positions products competitively by making security a differentiating advantage.

    This episode covers SBOM Management. It's part of The Med Device Cyber Podcast, hosted by Blue Goat Cyber, focused on practical medical device cybersecurity guidance for MedTech teams.


    Trevor: Hello there and welcome back to another episode of The Med Device Cyber Podcast. I am your host, Trevor Slatterie. Unfortunately, our co-host Christian Espinosa is not able to make it on this one; he's tied up with some flight delays. Today, we're going to be talking about some regulatory strategies, ensuring that we're getting quality systems put into place early and effectively in medical products. Some of the common regulatory pitfalls that we see a lot of manufacturers face and, of course, how these regulations are going to apply to emerging technologies, namely AI and machine learning. I'm joined here by Ash from Ingenious Solutions. How are you doing today?

    Ash: Doing well. Thanks for having me on, Trevor.

    Trevor: Perfect. Well, I'd love to hear a little bit about what you guys do over at Ingenious Solutions and, of course, a little bit about yourself as well.

    Ash: Yeah, and you know, the two stories obviously intertwine. My name is Ash Garuli; I'm the principal and founder of Ingenious Solutions, and I have a long history of working on medical device software. I belong to a niche group of people that understand regulatory requirements and software requirements intimately because I've kind of dabbled in different roles in the software development lifecycle. I've had roles coding, testing, product managing, and then most of my career ended up being in quality management systems and regulatory affairs. All of that led me to the creation of Ingenious Solutions, which is a boutique consulting firm focused on medical device software development. So what we do is we help early to mid-size companies with quality management system or early regulatory strategy consulting for medical device software.

    Trevor: Got it. So you're ensuring that they're essentially getting their ducks in a row as far as their quality system, making sure that they're identifying any of the regulatory approaches that they'll need to take, of course, the regulations that they adhere to, and kind of helping them along that path.

    Ash: 100%, exactly. You see, the requirements around software are basically very different from hardware. However, a lot of the regulations are old frameworks from the prehistoric old software firmware days. So it is a whole art and its own specialty to try to have a very streamlined approach to software quality management systems. So that's what I specialize in.

    Trevor: Definitely. Yeah, there's obviously a ton of complexity in software, and as the medical device landscape is evolving, pretty much everything has a software component now. Everything's connecting to the internet in one way or another. So when we're introducing that software component, we're introducing a little bit of risk as well, and that's where it can tie into the cybersecurity side of things. Oftentimes, I feel like they are portrayed as separate problems. You have your software issues, you have your cybersecurity issues, but they're very closely related. In my mind, cybersecurity is essentially evidence of quality software. If you have secure software, you have good software. So ensuring that you're building out your software with these considerations in mind is important, but it can be a little bit difficult. The guidance documents are complicated; there are however many standards floating around that manufacturers have to try to adhere to. So I'm sure there's a lot involved with getting that QMS set up properly.

    Ash: Well, 100%. I think the idea that quality management system and cybersecurity are two different entities is flawed at its core and actually results in a lot of overhead. When you think about what a quality management system is about, 13485 was based on 9001. At the end of the day, the stated objective of a quality management system is to meet customer requirements. When you look at the FDA regulations, they talk about safety and effectiveness, and cybersecurity fits throughout all that. Essentially, if you were actually being diligent long before the FDA got very stringent on cybersecurity, came out with all the guidances, and all the detailed requirements, if you were being diligent enough in terms of meeting your customer requirements, safety, and effectiveness requirements in your QMS, you would have already done almost all of the things that the FDA is asking you to do on the cybersecurity front. So I really see the two as one and the same.

    Trevor: I definitely agree. Yeah. And the whole point, you know, the standards that we're adhering to under FDA guidance, these aren't very new standards. The FDA guidance, of course, came out in September of 2023, which is still fairly recent, but everything that it's based upon, you know, ISO 62304 and then IEC 81001-5-1, these aren't new; these are older than the FDA pre-market guidance. UL 2900 is another example of that. So manufacturers that had been adhering to these were already going to be compliant. I think one issue with cybersecurity, though, is it's never going to be the priority. It's essentially, you know, an unfortunate thing that manufacturers and companies have to deal with. Nobody wants to deal with cybersecurity; it doesn't add value to the product; it simply costs. But of course, you know, that's a flawed mindset of thinking because if you have a product and you don't implement cybersecurity and something goes wrong with it, then you're going to be liable to a lot more than you would have been just dealing with cybersecurity in the first place. But it comes back to your original point: if you had been adhering to these guidelines before, you'd already be fine with what the FDA is expecting. But now the FDA is just actually mandating that you adhere to these guidelines.

    Ash: Yeah. And you know, maybe
