What are some of the biggest cybersecurity risks medical devices face after they hit the market?
This episode dives into the challenges of postmarket surveillance for medical devices. Christian and Trevor discuss vulnerabilities that emerge after deployment, how manufacturers and hospitals handle updates, and why continuous security testing is essential. They also cover penetration testing and the evolving regulatory landscape for medical device cybersecurity.
Key points:
-
The importance of postmarket surveillance in medical device cybersecurity.
-
How vulnerabilities in third-party libraries can create security risks.
-
The FDA’s push for over-the-air (OTA) updates and the associated attack vectors.
-
The necessity of a Coordinated Vulnerability Disclosure (CVD) system.
-
Why hospitals struggle with unpatchable medical devices in their networks.
-
The role of Software Bill of Materials (SBOM) in monitoring supply chain security.
-
How penetration testing identifies new threats even after a device is launched.
-
How attackers exploit known vulnerabilities in medical devices.
-
The misconception that cybersecurity is a one-time effort rather than an ongoing process.
Chapters:
(02:30) Medical Device Vulnerabilities
(05:45) Over-the-Air Updates
(10:20) Coordinated Vulnerability Disclosure
(15:15) SBOM in Medical Device Security
(20:45) Why Hospitals Struggle with Unpatchable Devices
(25:30) Continuous Penetration Testing
Resources mentioned in this episode:
-
CISA Known Exploited Vulnerabilities List: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
-
NTIA Software Bill of Materials Guidelines: https://www.ntia.gov/page/software-bill-materials
-
FDA Cybersecurity Guidance for Medical Devices: https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity
The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com
If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session
Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber.
Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/
Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/
Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/
Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/
Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber
Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9
Feedback? Questions? Contact: https://bluegoatcyber.com/contact/
Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/
Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial
The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast.
Subscribe via Spotify: https://spoti.fi/3XX95g0
Subscribe via Apple Podcasts: https://apple.co/483OJ9I
Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts