
    Why Cybersecurity and Quality Are One and the Same | Ep. 26


    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Published July 2025 · Last reviewed May 2026

    The Med Device Cyber Podcast · July 1, 2025

    This episode of The Med Device Cyber Podcast features Ash Garuli, principal and founder of Ingenious Solutions, discussing the critical intersection of cybersecurity and quality management in medical device development. Together with host Trevor Slatterie, Ash tackles common regulatory pitfalls and the evolving landscape of medical device cybersecurity regulations. The conversation emphasizes that a robust Quality Management System (QMS) inherently encompasses cybersecurity, highlighting how a diligent QMS, even prior to stringent FDA guidance, would have addressed most current cybersecurity requirements. They delve into the specific challenges posed by software components in medical devices, particularly with emerging technologies like AI/ML, and the misconception that cybersecurity is a mere checklist activity rather than an integral aspect of product safety and effectiveness. The discussion also covers the nuances of FDA guidance, including the distinction between "cyber devices" and the evolving understanding of risk assessment, moving beyond probabilistic scoring to exploitability factors. Ultimately, this episode underscores the shared responsibility of manufacturers, end-users, and even patients in maintaining medical device cybersecurity, advocating for a "shift left" approach to integrate quality and security early in the product development lifecycle.

    Key Takeaways

    • A robust Quality Management System (QMS) in medical device development should inherently integrate cybersecurity, treating them as inseparable components rather than distinct problems.
    • Early identification of regulatory requirements, business models, and product design is crucial for establishing an effective cybersecurity management system that meets specific market needs and compliance standards.
    • The medical device industry must foster a culture of quality and cybersecurity across the entire team, recognizing that a cybersecurity failure can directly lead to patient harm and delayed healthcare services.
    • Risk management in medical device cybersecurity should move beyond probabilistic scoring to focus on exploitability factors, such as the complexity of an attack, required access levels, and impact on patient safety.
    • Manufacturers must provide artifacts like SBOMs and comprehensive labeling to enable end-users and healthcare systems to adequately manage and respond to cybersecurity vulnerabilities, fostering a shared responsibility for medical device security.
    • Integrating cybersecurity and quality assurance early in the product development process reduces rework, lowers costs, and positions products competitively by making security a differentiating advantage.

    Listen on mdcpodcast.com · Watch on YouTube


