
    Postmarket Surveillance and Anomaly Detection for Medical Devices | Ep. 12

    Christian Espinosa, Founder & CEO

    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Published May 2025 · Last reviewed May 2026

    The Med Device Cyber Podcast · May 1, 2025

    This episode of The Med Device Cyber Podcast delves into the critical realm of postmarket surveillance for medical devices, addressing the ongoing need for security beyond pre-market approvals. Hosts Christian Espinosa and Trevor Slattery explore essential aspects of postmarket management, including coordinated vulnerability disclosure (CVD) systems, Software Bill of Materials (SBOM) management, and continuous penetration testing. The discussion highlights the FDA's increasing emphasis on devices capable of receiving secure updates, contrasting with the challenges posed by legacy devices or those with inherently insecure update mechanisms. The hosts emphasize the importance of robust processes to handle newly discovered vulnerabilities, referencing real-world examples like the urgent need to address vulnerabilities in third-party libraries (e.g., Log4j, Shellshock, XC library). Furthermore, the episode clarifies misconceptions surrounding SBOMs, advocating for their transparency as a crucial tool for informed decision-making by consumers and for proactive risk management by manufacturers. This episode is a must-listen for product security teams, regulatory leads, and engineers navigating the complexities of medical device cybersecurity in the postmarket phase.

    Key Takeaways

    • Coordinated Vulnerability Disclosure (CVD) systems are crucial for responsibly managing vulnerabilities discovered by external researchers, fostering a safer ecosystem.
    • Maintaining an up-to-date Software Bill of Materials (SBOM) is critical for identifying and mitigating risks associated with third-party software components throughout a device's lifecycle.
    • The ability to securely deploy over-the-air (OTA) updates is increasingly important, but manufacturers must also plan for secure manual update processes for devices incapable of OTA updates.
    • Continuous penetration testing after market release is essential to adapt to evolving threat landscapes and new vulnerability discoveries.
    • Transparency regarding SBOMs empowers consumers to make informed decisions and aids manufacturers in proactive risk management, rather than serving as a blueprint for attackers.
    • Manufacturers must prioritize addressing vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) database due to their high risk of active exploitation.
    • Anomaly detection and evaluation are vital postmarket activities to identify unusual device behavior that may indicate a cybersecurity vulnerability.
    • Network segmentation is paramount to protect hospital networks from potentially insecure medical devices and to prevent lateral movement of threat actors.
    • The FDA is pushing for faster adoption of secure practices for medical device cybersecurity, acknowledging the urgent need for better security in a landscape where over 50% of devices had known critical vulnerabilities in 2023.
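    The SBOM and KEV takeaways above describe a routine that most postmarket teams end up automating: read the device's SBOM, match each component against a vulnerability feed, and push anything on the CISA KEV list to the front of the queue. The script below is an added illustration of that triage loop and is not code from the podcast or from Blue Goat Cyber. The CycloneDX-style SBOM, the vulnerability records, the CVSS scores and the KEV entries are all constructed sample data, and the CVE identifiers are placeholders rather than real advisories; a real pipeline would pull the feed and the KEV catalog from their published sources.

```python
"""Cross-reference a device SBOM against a vulnerability feed and a KEV list.

Added example, not from the podcast or Blue Goat Cyber. All data below is
constructed: the SBOM, the feed records and the KEV set are placeholders.
"""
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM for a hypothetical device firmware build.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "name": "openssl", "version": "3.0.8"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
    ],
})

# Constructed vulnerability feed: each record says which component is affected
# below which version, with a CVSS score. The CVE ids are placeholders.
VULN_FEED = [
    {"cve": "CVE-0000-0001", "component": "log4j-core", "affected_below": "2.15.0", "cvss": 10.0},
    {"cve": "CVE-0000-0002", "component": "openssl", "affected_below": "3.0.9", "cvss": 7.5},
    {"cve": "CVE-0000-0003", "component": "zlib", "affected_below": "1.2.12", "cvss": 9.8},
]

# Constructed stand-in for the CISA KEV catalog: ids flagged as actively exploited.
KEV_IDS = {"CVE-0000-0001"}


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    version: str
    cvss: float
    in_kev: bool


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes such as '1.2.13a' are ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """Compare dotted versions, padding so '1.2' and '1.2.0' are treated as equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def load_components(sbom_json):
    """Extract (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def match_findings(components, feed, kev_ids):
    """Match SBOM components against the feed; KEV entries first, then by CVSS."""
    findings = []
    for name, version in components:
        for rec in feed:
            if rec["component"] == name and version_lt(version, rec["affected_below"]):
                findings.append(Finding(rec["cve"], name, version, rec["cvss"],
                                        rec["cve"] in kev_ids))
    return sorted(findings, key=lambda f: (not f.in_kev, -f.cvss))


def triage(sbom_json=SBOM_JSON, feed=VULN_FEED, kev_ids=KEV_IDS):
    """Run the full loop on the constructed inputs and return the prioritized list."""
    return match_findings(load_components(sbom_json), feed, kev_ids)


if __name__ == "__main__":
    for f in triage():
        flag = "KEV " if f.in_kev else "    "
        print(f"{flag}{f.cve}  {f.component} {f.version}  CVSS {f.cvss}")
```

On the constructed data the zlib entry drops out because the shipped version is already past the fixed version, and the Log4j placeholder sorts ahead of the higher-rated openssl entry purely because it is on the KEV list, which is the ordering the episode argues for.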

    Listen on mdcpodcast.com · Watch on YouTube



    Want help applying this to your own device program?

    Blue Goat Cyber is a specialist medical device cybersecurity firm: 250+ FDA submissions, zero rejections. If anything in this conversation hit close to home, book a 30-minute strategy session - no cost, no obligation.


    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.