Key takeaways
- Post-market cybersecurity management is a continuous process throughout a medical device's entire lifecycle, extending long after initial market approval. This continuous management includes adherence to frameworks such as the FDA's Section 524B for postmarket surveillance.
- Effective post-market management requires several key components, including a Coordinated Vulnerability Disclosure (CVD) program, active Software Bill of Materials (SBOM) management, and regular security testing.
- An SBOM is not a static document; it must be continuously monitored against new vulnerability data, such as CISA's KEV catalog, to identify risks in third-party software components.
- Manufacturers must have a secure plan for deploying updates, whether through Over-the-Air (OTA) mechanisms or manual installs, as the update process itself can be a significant attack vector.
- A CVD system is vital for establishing a safe, legal, and efficient channel for security researchers and the public to report vulnerabilities, aligning with FDA recommendations for medical device cybersecurity.
- Regular, annual penetration testing, guided by standards like AAMI TIR57, is critical because the threat landscape and attack techniques are constantly evolving, even if the device's code has not changed.
- Anomaly detection, which involves identifying unusual behavior in device software, is an important method for discovering potential security issues that may not have been known during the pre-market phase.
What are some of the biggest cybersecurity risks medical devices face after they hit the market?
This episode dives into the challenges of postmarket surveillance for medical devices. Christian and Trevor discuss vulnerabilities that emerge after deployment, how manufacturers and hospitals handle updates, and why continuous security testing is essential. They also cover penetration testing and the evolving regulatory landscape for medical device cybersecurity.
Key points:
- The importance of postmarket surveillance in medical device cybersecurity.
- How vulnerabilities in third-party libraries can create security risks.
- The FDA’s push for over-the-air (OTA) updates and the associated attack vectors.
- The necessity of a Coordinated Vulnerability Disclosure (CVD) system.
- Why hospitals struggle with unpatchable medical devices in their networks.
- The role of Software Bill of Materials (SBOM) in monitoring supply chain security.
- How penetration testing identifies new threats even after a device is launched.
- How attackers exploit known vulnerabilities in medical devices.
- The misconception that cybersecurity is a one-time effort rather than an ongoing process.
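As an added illustration of the SBOM monitoring described in the takeaways and key points above (example code written for this page, not from the episode or from Blue Goat Cyber), this Python script checks a constructed CycloneDX-style SBOM against a constructed snapshot shaped like CISA's KEV JSON feed. It matches on normalized vendor and product, because KEV entries carry no affected-version ranges, and keeps a triage log so that only new (component, CVE) pairs surface on each run; all vendor names, component versions and CVE IDs below are placeholders.

```python
import json
from typing import List, Set, Tuple

# Constructed CycloneDX-style SBOM fragment for a device (vendor, component names and versions are made up).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "supplier": {"name": "ExampleVendor"}, "name": "netstack", "version": "2.4.1"},
    {"type": "operating-system", "supplier": {"name": "RtosCorp"}, "name": "rtos-kernel", "version": "7.2"}
  ]
}"""

# Constructed snapshot in the shape of CISA's KEV JSON feed; the CVE IDs are placeholders, not real entries.
KEV_JSON = """{
  "catalogVersion": "example", "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "NetStack",
     "dateAdded": "2024-01-01", "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "Unrelated Inc", "product": "widget",
     "dateAdded": "2024-02-01", "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

def _norm(s: str) -> str:
    """Case- and punctuation-insensitive key: KEV and an SBOM rarely spell a product identically."""
    return "".join(ch for ch in s.lower() if ch.isalnum())

def kev_matches(sbom_json: str, kev_json: str) -> List[dict]:
    """One triage record per (component, KEV entry) pair with matching vendor and product keys.
    KEV has no affected-version data, so a hit is a lead, not a confirmed finding: the version is
    kept so the engineer can check it against the CVE's affected range in NVD or the vendor advisory."""
    sbom, kev = json.loads(sbom_json), json.loads(kev_json)
    index: dict = {}
    for v in kev["vulnerabilities"]:
        index.setdefault((_norm(v["vendorProject"]), _norm(v["product"])), []).append(v)
    hits = []
    for c in sbom["components"]:
        key = (_norm(c.get("supplier", {}).get("name", "")), _norm(c["name"]))
        for v in index.get(key, []):
            hits.append({"component": f"{c['name']}@{c['version']}", "cveID": v["cveID"],
                         "ransomware": v["knownRansomwareCampaignUse"], "action": v["requiredAction"]})
    # Ransomware-linked entries first: they get the shortest remediation clock.
    hits.sort(key=lambda h: (h["ransomware"] != "Known", h["cveID"]))
    return hits

def new_findings(hits: List[dict], triaged: Set[Tuple[str, str]]) -> List[dict]:
    """Continuous monitoring: surface only pairs absent from the triage log of earlier runs."""
    return [h for h in hits if (h["component"], h["cveID"]) not in triaged]
```

Re-running the scan whenever the KEV feed changes, and feeding `new_findings` the pairs already triaged, turns a static SBOM document into the ongoing check the takeaways call for.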
Notable quotes
“What happens after the device is on the market? How do we make sure it stays secure, and if a vulnerability is found, how does a manufacturer update that vulnerability?”
“The main things that need to be covered are continued security through the supply chain, continued security through the public, which is where that vulnerability disclosure system comes into play, and then finding a way to fix things as they come up.”
“If I am to put something on a thumb drive, like a firmware update, and provide the instructions to a field technician, I have to make sure that that thumb drive is not compromised.”
“If you're unable to update a device, it can be a very involved process to make changes. So I'm curious on your thoughts on how to manage devices that are unable to receive updates once they're out in the field.”