    Episode 62 · July 1, 2025 · 36m listen · 6,093 words · ~30 min read

    Why Cybersecurity and Quality Are One and the Same | Ep. 26 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 62 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of The Med Device Cyber Podcast, host Trevor Slattery is joined by Ashkon Rasooli, the Principal and Founder of Ingenious Solutions, a boutique consulting firm specializing in medical device software development. The conversation centers on the critical intersection of regulatory strategy, Quality Management Systems (QMS), and cybersecurity within the medical device industry. Ashkon shares insights from his extensive career, which spans the entire software development lifecycle, including coding, testing, product management, and a significant focus on QMS and regulatory affairs. He explains that his company assists early to mid-size medical device companies in navigating the complex landscape of software development, ensuring they establish effective quality systems and regulatory strategies from the outset. The core argument of the episode is that software quality and cybersecurity are not separate disciplines but are fundamentally intertwined. Ashkon emphasizes that cybersecurity is, in essence, evidence of a quality product. Manufacturers who treat cybersecurity as an afterthought or a simple compliance checklist often face significant rework, increased costs, and regulatory hurdles down the line. The discussion highlights the importance of the "shift left" mentality, where quality and security are integrated into the earliest phases of product design and development. This proactive approach is contrasted with the common pitfall of addressing these critical aspects just before market submission, which is both inefficient and risky. Ashkon asserts that a well-implemented QMS, designed to meet customer requirements for safety and effectiveness as per standards like ISO 13485, will naturally encompass most necessary cybersecurity controls. The podcast also explores the practical application of these principles in a rapidly evolving technological and regulatory environment. 
They discuss how cybersecurity failures can translate directly to patient harm, moving beyond data breaches to scenarios like "denial of care" where a compromised device is rendered unusable. Ashkon points out that the FDA's recent, more stringent guidance on cybersecurity is largely built upon existing standards, meaning that companies who were already diligent about risk management are likely ahead of the curve. The conversation touches upon the need for manufacturers to define their specific security requirements based on factors like product design (e.g., cloud connectivity, mobile apps), business model, and target geographic markets (e.g., US vs. EU). Ultimately, the episode serves as a guide for medical device innovators on how to build a strong foundation of quality and security to ensure both regulatory success and patient safety.

    Key takeaways from this episode

    • Cybersecurity and software quality are inextricably linked; secure software is a definitive sign of high-quality software in medical devices.
    • Integrating Quality Management Systems (QMS) and cybersecurity early in the product development lifecycle—a "shift left" approach—is crucial for avoiding costly rework and regulatory delays.
    • A robust QMS, focused on safety and effectiveness, inherently addresses many cybersecurity requirements, and the two should not be treated as separate, siloed functions.
    • Cybersecurity failures in the medical field can have dire consequences beyond data breaches, potentially leading to a "denial of care" that directly harms patients.
    • The FDA and other regulatory bodies increasingly see cybersecurity as a core component of patient safety, making it a non-negotiable aspect of medical device design.
    • Manufacturers should proactively define their security needs based on their specific product design, business model, and the unique regulatory requirements of their target markets.
    • Most cyberattacks are opportunistic, targeting the easiest vulnerabilities. Therefore, maintaining a strong, foundational security posture is essential to avoid being the "lowest hanging fruit."
    • Effective risk management must account for intentional malicious actors, a key difference between cybersecurity risk and traditional safety risk, which often focuses on unintentional failures.

    Full episode transcript

Host: Hello there and welcome back to another episode of the Med Device Cyber podcast.

Host: I'm your host Trevor Slattery and unfortunately our co-host Christian Espinosa is not able to make it on this one. He's tied up with some flight delays.

Host: Today we're going to be talking about some regulatory strategies and ensuring that we're getting quality systems put into place early and effectively in medical products. Some of the common regulatory pitfalls that we see a lot of manufacturers face. And then of course, how these regulations are going to apply to emerging technologies, namely AI and machine learning.

Host: Uh, I'm joined here by Ashkon from Ingenious Solutions. Um, how are you doing today?

Guest: Doing well. Thanks for having me on, Trevor.

Host: Perfect. Well, I'd love to hear a little bit about what you guys do over at Ingenious Solutions and then of course a little bit about yourself as well.

Guest: Yeah, and you know, the two stories obviously intertwine. Um, my, my name's Ashkon Rasooli, I'm the principal and founder of Ingenious Solutions and I have a long history of working on medical device software.

Guest: I belong to that niche group of people that understand regulatory requirements and software requirements intimately because I've kind of dabbled in different roles in the software development life cycle. Um, I've had roles coding, testing, product managing. And then most of my career ended up being in quality management system and regulatory affairs.

Guest: And all of that led me to the creation of Ingenious Solutions, which is a boutique consulting firm focused on medical device software development. And so what we do is we help early to mid-sized companies with quality management system or early regulatory strategy, uh, consulting for medical device software.

Host: Got it. So you're ensuring that they're essentially getting their ducks in a row as far as their quality system, making sure that they're identifying any of the regulatory approaches that they'll need to take, of course the regulations that they adhere to, and kind of helping them along that path.

Guest: One hundred percent exactly. You see, the requirements around software are basically very different from hardware. However, a lot of the regulations are old frameworks from the prehistoric old software for firmware days. And so it is a whole art and its own specialty to try to have a very streamlined approach to software quality management systems, and so that's what I specialize in.

Host: Definitely. Yeah, there's obviously a ton of complexity in software. And as the medical device landscape is evolving, pretty much everything has a software component now. Everything's connecting to the internet in one way or another.

Host: And so when we're introducing that software component, we're introducing a little bit of risk as well. And that's where it can tie into the cybersecurity side of things.

Host: Oftentimes, I feel like they're portrayed as separate problems. You have your software issues, you have your cybersecurity issues. But they're very closely related.

Host: In my mind, cybersecurity is essentially evidence of quality software. If you have secure software, you have good software. And so, ensuring that you're building out your software with these considerations in mind is important, but it can be a little bit difficult. The guidance documents are complicated. There are, you know, however many standards floating around that manufacturers have to try to adhere to. So I'm sure there's a lot involved with getting that QMS set up properly.

Guest: One hundred percent. I think the idea that quality management system and cybersecurity are two different entities is flawed at its core and actually results in a lot of overhead. When you think about what a quality management system is about, uh, you know, 13485 was based on 9001 and at the end of the day, the stated objective of a quality management system is to meet customer requirements.

Guest: And when you look at the FDA regulations, you know, they talk about safety and effectiveness. And cybersecurity fits throughout all that.

Guest: Essentially, if you were actually being diligent long before the FDA got very stringent on cybersecurity, came out with all the guidances, with all the detailed requirements. If you were being diligent enough in terms of meeting your customer requirements, safety and effectiveness requirements, in your QMS, you would have already done almost all of the things that the FDA is asking you to do on the cybersecurity front. And so I really see the two as one and the same.

Host: I definitely agree. Yeah, and the whole point, you know, the standards that we're adhering to under FDA guidance, these aren't very new standards. The FDA guidance of course came out in September of 2023, which is still fairly recent. But everything that it's based upon, um, you know, ISO 62304 and then IEC 81001-5-1, uh, these aren't new. These are older than the FDA pre-market guidance. UL 2900 is another example of that.