    Podcast · Episode 25

    Cybersecurity Labeling and MedTech Transparency

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Key takeaways

    • Cybersecurity labeling provides transparent information to users about a medical device's security features, risks, and recommended best practices.
    • Labeling empowers consumers, such as hospitals and patients, to make informed purchasing and usage decisions and holds manufacturers accountable for product security.
    • Standardized documents such as the MDS2 and JSP2 are crucial for structuring and communicating security information, with the FDA recommending both for comprehensive labeling.
    • Effective labeling promotes 'security through transparency,' a modern approach that replaces 'security through obscurity' by openly disclosing security details.
    • Manufacturers often face challenges in labeling due to a lack of detailed internal documentation from the development process, making accurate and complete disclosures difficult.
    • The level of detail required for labeling varies by audience, necessitating clear, simple guidance for end-users and detailed technical specifications for hospital IT administrators.
    • Disclosing outdated security measures, such as older encryption protocols, is essential for transparency and can act as a control by deterring the purchase of insecure products.
    • While the FDA sets minimum labeling standards, healthcare delivery organizations (HDOs) frequently impose stricter, more extensive requirements that manufacturers must meet to market their products effectively.

    Why is cybersecurity labeling more than just a compliance checkbox for medical device companies?

    In this episode, Christian and Trevor dive into the nuanced world of cybersecurity labeling for medical devices. They discuss the role of MDS2 and JSP2 documentation, labeling misconceptions, and how manufacturers can best disclose security information without overwhelming or misleading users.

    Key points:

    (6:30) Misconceptions About Cybersecurity Labeling

    • Many manufacturers worry that disclosing risks will aid hackers, but that's flawed thinking.

    • Distinctions between labeling as documentation and labeling as a control like a tamper-evident seal.

    • Everyday product examples to illustrate why transparency in labeling matters.

    (12:45) How Much Detail Is Enough?

    • How deep a manufacturer should go with disclosures about encryption and risk.

    • Why more detail is generally better and how to balance tech jargon with user readability.

    • Different labeling needs based on whether a device is for consumers or hospitals.

    (18:20) Context, Risk, and Communication

    • Why not encrypting unnecessary data can backfire if a consumer is misinformed.

    • How labeling must be contextual and tailored to a device’s function and data sensitivity.

    Resources mentioned in this episode:

    • The Manufacturer Disclosure Statement for Medical Device Security (generally abbreviated as MDS2).

    • The Medical Device and Health IT Joint Security Plan, version 2 (JSP2).

    Notable quotes

    “Labeling is the information that a manufacturer or a MedTech innovator needs to portray to users and patients. This is essentially, under the cybersecurity context, what risk are they taking on by using the product, and how can they work to mitigate that risk?”
    - Christian Espinosa
    “It's the opposite of, what do they say, security through obscurity, right? Exactly, it's security through transparency.”
    - Christian Espinosa
    “MDS2s aren't the only standardized approach towards labeling. Typically, what we recommend is a mix between the MDS2 and the JSP2, which is a Joint Security Plan.”
    - Christian Espinosa
    “The labeling would be you would tell the user of the product if you notice this seal is broken, assume the device is compromised and no longer use it. That would be the labeling portion that ties to the control. It's the labeling for the labeling.”
    - Christian Espinosa
