    Podcast · Episode 37

    Overcoming AI and Data Security Challenges in MedTech with May Lee


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber


    Key takeaways

    • Cybersecurity must be integrated into medical device development from the earliest stages, adhering to a "secure by design" philosophy rather than being an afterthought.
    • The "harvest now, decrypt later" threat from quantum computing necessitates immediate consideration of post-quantum cryptography to protect sensitive health data from future decryption.
    • Medical device manufacturers should proactively plan for post-quantum cryptographic methods and assess their feasibility for implementation on both new and legacy devices.
    • Global regulatory landscapes for medical devices, particularly in the US (FDA), the EU (MDR), and China (NMPA), differ significantly in their cybersecurity requirements.
    • China’s NMPA regulations often require unique approaches, such as specific domestic encryption algorithms and cloud providers, leading to potential product variations for that market.
    • The integration of AI and Machine Learning into medical devices introduces additional complexities for ensuring both cybersecurity and regulatory compliance across different markets.
    • Early engagement with regulatory and cybersecurity experts is crucial for developing a clear compliance strategy, mitigating risks, and achieving cost-effective market entry.
    • A comprehensive Total Product Life Cycle approach, including robust supply chain management and third-party risk assessment, is essential for effective cybersecurity in medical devices.

    How can you prepare your device for future quantum computing risks?

    In this episode of The Med Device Cyber Podcast, Christian and Trevor talk with May Lee of CS Life Sciences about the fast-changing world of medical device cybersecurity. They discuss the growing regulatory demands from the FDA, EU, and China, and why cybersecurity can no longer be an afterthought in device design. The conversation also dives into quantum computing, supply chain risks, and how manufacturers can balance compliance with innovation.

    May Lee is a medical device consultant at CS Life Sciences who specializes in AI, machine learning, and cybersecurity. With experience ranging from startups to global corporations, she brings a practical perspective on navigating regulations and helping innovators bring safer devices to market.

    (03:21) Why cybersecurity is moving from afterthought to design control.

    (05:49) Key takeaways from the FDA’s finalized cybersecurity guidance.

    (08:04) Comparing U.S. FDA and EU MDR cybersecurity requirements.

    (10:44) How quantum computing raises new risks for health data.

    (16:26) The balance between compliance, over-compliance, and innovation.

    (18:23) Differences in regulatory approaches across the U.S., EU, and China.

    (28:05) Why third-party supply chain and software components matter for device security.

    (32:48) When medical device companies should engage cybersecurity consultants.

    Notable quotes

    “It's moving out of thinking about compliance maybe at a later stage or like post-launch security compliance. But now it's really weaving the security requirements into design control itself, thinking about those security aspects right from the very start.”
    - May Lee
    “The whole 'harvest now, decrypt later' problem is due to the fact that we're currently not using, in most applications, future-proofed encryption methodologies.”
    - Trevor Slattery
    “The FDA guidance is very mature from what we can see for a lot of different countries' regulations. EU MDR and EU cybersecurity regulations try to lean on certain other standards.”
    - Trevor Slattery
    “If you can present your case and say, 'This data is not sensitive. It doesn't need to be encrypted,' they're going to be understanding of that.”
    - Trevor Slattery
