Blue Goat Cyber · Medical Device Cybersecurity
    Podcast · Episode 23

    Unpacking Post-Market Management and Incident Response for Medical Devices

    With MedTech leader - What should you do when a vulnerability is discovered in a medical device after it's already on the market? This dives into post-market management and incident response for medical devices, exploring what happens when a device is hacked or a vulnerability is reported.

By Christian Espinosa, MBA, CISSP, Founder & CEO at Blue Goat Cyber


    Key takeaways

    • Incident response for medical devices includes identifying anomalies, root cause analysis, corrective actions, and preventative measures.
    • Not every detected anomaly signifies a malicious hack; thorough investigation is crucial to determine the event's true nature.
    • Post-market surveillance involves continuous monitoring of a device's Software Bill of Materials (SBOM) and tracking the CISA Known Exploited Vulnerabilities (KEV) catalog.
    • Coordinated Vulnerability Disclosure (CVD) programs are common avenues for discovering vulnerabilities, especially for Software as a Medical Device (SaMD).
    • Manufacturers must triage alerts and apply a specific risk methodology to assess confirmed vulnerabilities, as generic CVSS scores do not account for patient safety implications or a company's risk tolerance.
    • The security posture and exploitability of a medical device are dynamic, necessitating an evolving approach to post-market management to ensure patient safety and avoid costly recalls.
    • Ticketing systems, such as Jira, are valuable for documenting the lifecycle of vulnerability tracking and remediation for compliance and reporting purposes.
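The takeaways above describe a loop: watch the device SBOM, cross-reference it against the CISA KEV catalog, open a ticket for each hit, and then rate the confirmed vulnerability with a device-specific method rather than the generic CVSS score. The script below is an added example that is not Blue Goat Cyber's code and not the episode's own process. The SBOM, the KEV-style catalog snapshot, the CVE identifiers (CVE-0000-000x placeholders) and the patient-safety rating table are all constructed for illustration; a real pipeline would load a CycloneDX or SPDX export and the published KEV JSON feed, and the rating matrix would come from the manufacturer's own risk methodology.

```python
"""Added example: SBOM vs. KEV cross-reference with triage tickets.

Everything below (SBOM contents, catalog entries, CVE ids, rating table)
is constructed for illustration and does not describe real advisories.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed SBOM: (component name, installed version), as a flattened
# CycloneDX/SPDX export would list them. "dicom-toolkit" is a hypothetical name.
SBOM = [
    ("openssl", "1.1.1k"),
    ("busybox", "1.31.0"),
    ("dicom-toolkit", "3.6.5"),
]

# Constructed KEV-style snapshot: affected component and first fixed version.
# The CVE ids are placeholders (year 0000), not real catalog records.
KEV_SNAPSHOT = [
    {"cve": "CVE-0000-0001", "component": "openssl", "fixed_in": "1.1.1l"},
    {"cve": "CVE-0000-0002", "component": "busybox", "fixed_in": "1.31.0"},
    {"cve": "CVE-0000-0003", "component": "sqlite", "fixed_in": "3.40.0"},
]


def version_key(version: str):
    """Turn '1.1.1k' into ((1, ''), (1, ''), (1, 'k')) so versions order correctly.

    Handles the common numeric-plus-letter scheme; a production SBOM tool would
    apply each ecosystem's own comparison rules instead.
    """
    key = []
    for part in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", part)
        if not m:
            raise ValueError(f"unsupported version part: {part!r}")
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def is_affected(installed: str, fixed_in: str) -> bool:
    """Installed version is below the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


@dataclass
class Ticket:
    """One tracking record per SBOM/catalog hit, as a Jira issue would hold it."""
    cve: str
    component: str
    installed: str
    fixed_in: str
    # A catalog match alone never sets "confirmed": someone must investigate.
    status: str = "needs_investigation"
    exploitable_on_device: Optional[bool] = None
    patient_safety_impact: Optional[str] = None
    rating: Optional[str] = None


def match_sbom_to_kev(sbom, catalog):
    """Open a ticket for every component whose installed version is below the
    catalog's fixed version. A hit means 'investigate', not 'the device is hacked'."""
    tickets = []
    for name, installed in sbom:
        for entry in catalog:
            if entry["component"] == name and is_affected(installed, entry["fixed_in"]):
                tickets.append(Ticket(entry["cve"], name, installed, entry["fixed_in"]))
    return tickets


# Hypothetical device-specific rating table used only in this example. It is not
# the AAMI TIR97 or FDA method; a manufacturer substitutes its own matrix here.
PATIENT_SAFETY_RATING = {"none": "medium", "minor": "high", "serious": "critical"}


def rate_ticket(ticket: Ticket, exploitable_on_device: bool, patient_safety_impact: str) -> Ticket:
    """Record the manual exploitability finding and the patient-safety impact on
    this particular device, then assign a rating. The generic CVSS score is
    deliberately not the input: it knows nothing about this device or patient harm."""
    if patient_safety_impact not in PATIENT_SAFETY_RATING:
        raise ValueError(f"unknown patient safety impact: {patient_safety_impact!r}")
    ticket.exploitable_on_device = exploitable_on_device
    ticket.patient_safety_impact = patient_safety_impact
    if not exploitable_on_device:
        # Closed with a documented rationale, which is what an auditor asks for.
        ticket.rating = "not_exploitable_on_device"
        ticket.status = "closed_with_rationale"
    else:
        ticket.rating = PATIENT_SAFETY_RATING[patient_safety_impact]
        ticket.status = "remediation_required"
    return ticket


if __name__ == "__main__":
    for t in match_sbom_to_kev(SBOM, KEV_SNAPSHOT):
        print(t)
```

Two details carry the episode's points. The busybox entry is not a hit because the installed version equals the fixed version, the kind of scanner false positive that version-string matching otherwise produces. The openssl hit opens a ticket in `needs_investigation`, and only `rate_ticket`, fed by a human exploitability assessment of the actual device, moves it to `remediation_required` or closes it with a rationale; re-running that assessment later is how the "exploitability is dynamic" takeaway shows up in the record.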

    What should you do when a vulnerability is discovered in a medical device after it's already on the market?

    This dives into post-market management and incident response for medical devices, exploring what happens when a device is hacked or a vulnerability is reported. Christian Espinosa and Trevor Slattery discuss the processes involved in identifying, triaging, and remediating vulnerabilities, emphasizing the unique challenges faced in the medical device sector.

    Key points:

    (8:01) Sources of Vulnerabilities and Tracking

• There are various sources for discovering vulnerabilities, including the software bill of materials, the CISA KEV catalog, annual penetration tests, coordinated vulnerability disclosure databases, etc.

    • Standards and guidance for post-market management, including TIR-97 and FDA guidance.

    (13:08) Managing False Positives and Risk Triage

    • False positives are instances where a testing tool or scanner indicates a problem that doesn't actually exist.

• The critical importance of thoroughly investigating false positives in the post-market phase to avoid unnecessarily fixing non-issues.

    • The triage process for vulnerabilities.

    (21:11) Exploitability and Coordinated Vulnerability Disclosure

    • How exploitability factors, like authentication levels, proximity, and attack complexity, can change in the post-market phase.

    Resources mentioned in this episode:

    • TIR-97: AAMI standard for post-market cybersecurity management

    • FDA Guidance: Postmarket Management of Cybersecurity in Medical Devices

    Notable quotes

    “Incident response is essentially the next steps after a breach, a vulnerability, or a hack has been uncovered. What is the corrective action? How do you figure out what led to this hack happening, and how do you prevent it from happening again?”
    - Trevor Slattery
“It's not always a doomsday situation, you've been hacked. Oftentimes it's just something weird going on, but you want to know whether or not someone was hacked or if it was just weird behavior.”
    - Christian Espinosa
    “In the medical space, luckily, the more common way that these vulnerabilities come up is through benevolent security researchers as opposed to malicious hackers.”
    - Trevor Slattery
    “The security posture and exploitability of a device are not static; they evolve as the device is used in the real world and as new exploits are developed.”
    - Christian Espinosa
