
Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO
Published July 2025 · Last reviewed May 2026
The Med Device Cyber Podcast · July 1, 2025
This episode of The Med Device Cyber Podcast covers post-market management and incident response for medical devices. Hosts Christian Espinosa and Trevor Slatterie walk through how to handle vulnerabilities once a device is in the field, moving beyond traditional cybersecurity metrics to focus on patient harm and data loss. They cover the sources through which vulnerabilities surface, including coordinated vulnerability disclosures (CVDs), static testing, fuzz testing, and the CISA Known Exploited Vulnerabilities (KEV) catalog. The discussion stresses the need for a robust risk methodology to triage vulnerabilities accurately, since scanner-assigned risk levels often do not match real-world impact in a clinical setting. The episode also touches on FDA guidance, particularly for PMA and 510(k) devices, and the role of ticketing software such as Jira in tracking and managing vulnerabilities. A significant point of discussion is the challenge of false positives from scanning tools and the evolving nature of exploitability in the post-market phase, which requires manufacturers to keep adapting their security processes.
Key Takeaways
- Incident response for medical devices prioritizes patient harm and data loss over traditional cybersecurity metrics.
- Vulnerability discovery methods include coordinated vulnerability disclosures, static testing, fuzz testing, and continuous monitoring of the CISA KEV database.
- Medical device manufacturers must have a clear process for triaging vulnerabilities using a risk methodology that accounts for clinical context and patient impact.
- Ticketing software like Jira can effectively track, manage, and report on vulnerabilities, fulfilling FDA metrics requirements.
- Post-market security processes must continuously evolve to address changing exploitability and new vulnerability landscapes, rather than relying on pre-market assessments.
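To make the triage point concrete, here is an added example (not code from the podcast or from Blue Goat Cyber) that checks scanner findings against a CISA KEV-shaped feed and ranks them by patient harm and data loss rather than scanner severity. The feed entries, CVE IDs, priority rules and ticket field names are all constructed placeholders and assumptions.

```python
"""Post-market triage: enrich scanner findings with KEV status, then prioritise by clinical impact."""
from dataclasses import dataclass

# Constructed sample in the shape of CISA's KEV JSON feed ("vulnerabilities" list with
# cveID/vendorProject/product keys). The CVE IDs are placeholders, not real entries.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleRTOS", "product": "NetStack"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleLib", "product": "ImageCodec"},
]}

@dataclass
class Finding:
    cve: str
    component: str
    scanner_severity: str   # low / medium / high / critical, as the scanner reported it
    patient_harm: str       # clinical assessment: none / minor / serious / critical
    data_loss: bool         # could exploitation expose or corrupt patient data?
    in_kev: bool = False    # filled in by enrich_with_kev

def enrich_with_kev(findings, feed=KEV_FEED):
    """Flag findings whose CVE is in the KEV feed, i.e. has evidence of real-world exploitation."""
    known = {v["cveID"] for v in feed["vulnerabilities"]}
    for f in findings:
        f.in_kev = f.cve in known
    return findings

def triage(f):
    """Assumed priority rules: patient harm and data loss lead; scanner severity only breaks ties."""
    if f.patient_harm in ("serious", "critical"):
        return "P1"
    if f.in_kev and (f.data_loss or f.patient_harm == "minor"):
        return "P1"
    if f.in_kev or f.data_loss or f.patient_harm == "minor":
        return "P2"
    if f.scanner_severity in ("high", "critical"):
        return "P3"   # high scanner score but no clinical path: track it, do not escalate
    return "P4"

def to_ticket(f):
    """Jira-style ticket fields (assumed shape) so metrics can be reported from the tracker."""
    return {"summary": f"{f.cve} in {f.component}", "priority": triage(f),
            "labels": ["post-market", "kev"] if f.in_kev else ["post-market"]}

SCAN = enrich_with_kev([   # constructed scanner output with the clinical assessment attached
    Finding("CVE-0000-0001", "NetStack", "medium", "serious", False),
    Finding("CVE-0000-0003", "Bootloader", "critical", "none", False),
    Finding("CVE-0000-0002", "ImageCodec", "high", "none", True),
])
```

Note that the scanner's "critical" bootloader finding lands at P3 while the "medium" network-stack finding with a serious patient-harm path is P1, which is the mismatch the hosts describe.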
Listen on mdcpodcast.com · Watch on YouTube
