
Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO
Published December 2025 · Last reviewed May 2026
The Med Device Cyber Podcast · December 30, 2025

In this rapid-fire episode of The Med Device Cyber Podcast, Trevor Slattery answers common questions in medical device cybersecurity for product security teams, regulatory leads, and engineers.

The discussion covers the foundational standards: IEC 62304 for the software lifecycle and its safety classifications, and ISO 14971 for medical device risk management with its focus on patient safety. It then explains how AAMI TIR57 extends the ISO 14971 risk management process to security risk, introduces AAMI TIR97 for postmarket security activities, and covers ANSI/AAMI/IEC 81001-5-1 for security activities across the total product lifecycle.

Slattery clarifies two concepts the FDA's premarket guidance leans on: the Secure Product Development Framework (SPDF) and the Total Product Lifecycle (TPLC), which runs from design through decommissioning. He also covers practical testing methods such as fuzz testing and the difference between black-box and white-box penetration testing.

Finally, the episode addresses DICOM for medical imaging, the statutory definition of a "cyber device," and the role of the Software Bill of Materials (SBOM), including how "software of unknown provenance" (SOUP) is handled. The result is a concise guide to the standards and vocabulary of medical device cybersecurity.
Key Takeaways
- IEC 62304 and ISO 14971 are foundational standards for medical device software development and patient safety risk management, respectively.
- AAMI TIR57 adapts the risk management framework of ISO 14971 to cybersecurity, while AAMI TIR97 focuses on postmarket security activities.
- A Secure Product Development Framework (SPDF) and a Total Product Lifecycle (TPLC) approach are crucial for integrating security from a medical device's design to its decommissioning.
- SBOMs are essential for listing all software components in a medical device, including both third-party and proprietary code, without exposing source code.
- A "cyber device" (FD&C Act Section 524B, added by FDORA in 2022) is one that includes software validated, installed, or authorized by the sponsor, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats.
- Static Application Security Testing (SAST) analyzes source or binary code without executing it, whereas Dynamic Application Security Testing (DAST) tests the running application through its exposed interfaces.
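As an added example that is not part of the episode or the podcast's own material: the SBOM takeaway above is easier to act on with a concrete artifact. The block below builds a small, constructed CycloneDX-style SBOM for a hypothetical device (the component names, versions, and manufacturer "Example Medical Inc." are all assumed, not from the page), lists components without exposing any source, and flags entries that lack a supplier or version, which is how SOUP tends to surface in a review.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical device. The component
# names, versions, supplier names and purls are illustrative only.
# Only metadata is listed; no source code appears in the document.
DEVICE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Software Foundation"},
         "purl": "pkg:generic/openssl@3.0.13"},
        # Proprietary, in-house component: supplier is the manufacturer itself.
        {"type": "library", "name": "infusion-pump-control", "version": "2.4.1",
         "supplier": {"name": "Example Medical Inc."}},
        # SOUP candidate: neither supplier nor version is recorded.
        {"type": "library", "name": "legacy-dicom-parser", "version": ""},
        # Third-party component with a supplier but no version pinned.
        {"type": "library", "name": "zlib", "supplier": {"name": "zlib"}},
    ],
})


def load_sbom(text):
    """Parse an SBOM document from its JSON text."""
    return json.loads(text)


def missing_provenance(sbom):
    """Return the names of components that cannot be traced to both a supplier
    and a specific version. These are the entries a reviewer would ask about
    and that may need to be handled as SOUP under IEC 62304."""
    flagged = []
    for comp in sbom.get("components", []):
        supplier = (comp.get("supplier") or {}).get("name", "").strip()
        version = (comp.get("version") or "").strip()
        if not supplier or not version:
            flagged.append(comp["name"])
    return flagged


def classify_components(sbom, manufacturer):
    """Split components into proprietary (supplier equals the manufacturer)
    and third-party (any other supplier, including an unrecorded one)."""
    result = {"proprietary": [], "third_party": []}
    for comp in sbom.get("components", []):
        supplier = (comp.get("supplier") or {}).get("name", "").strip()
        bucket = "proprietary" if supplier == manufacturer else "third_party"
        result[bucket].append(comp["name"])
    return result


if __name__ == "__main__":
    sbom = load_sbom(DEVICE_SBOM_JSON)
    print("needs provenance review:", missing_provenance(sbom))
    print(classify_components(sbom, "Example Medical Inc."))
```

The provenance check treats an empty version string the same as a missing one, because an SBOM that names a component but does not pin its version cannot be matched against vulnerability advisories for postmarket monitoring.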
Listen on mdcpodcast.com · Watch on YouTube
Want help applying this to your own device program?
Blue Goat Cyber is a specialist medical device cybersecurity firm: 250+ FDA submissions, zero rejections. If anything in this conversation hit close to home, book a 30-minute strategy session - no cost, no obligation.
