Listen now
Key takeaways
- Cybersecurity and medical device software quality are intrinsically linked, with secure software indicating a high-quality product.
- Implementing a "shift left" approach by integrating Quality Management Systems (QMS) and cybersecurity early in development prevents rework and regulatory delays.
- A robust QMS, designed for safety and effectiveness per standards like ISO 13485, naturally incorporates essential cybersecurity controls.
- Cybersecurity failures in medical devices can extend beyond data breaches to "denial of care," directly impacting patient safety.
- The FDA views cybersecurity as integral to patient safety, making it a mandatory component of medical device design.
- Manufacturers must define security requirements based on product design (e.g., cloud connectivity), business model, and target market regulations (e.g., US vs. EU).
- Effective risk management in medical devices must specifically account for intentional malicious actors, differentiating it from traditional safety risk assessments.
- The FDA's current stringent cybersecurity guidance builds upon existing standards like ISO 62304, rewarding manufacturers with proactive risk management. Measures for FDA Section 524B.
How can medical device startups avoid missteps in cybersecurity, quality, and compliance?
In this episode, Trevor Slattery speaks with Ashkon Rasooli about the intersection of quality systems and cybersecurity in medical devices. They unpack why treating cybersecurity as a bolt-on checklist is ineffective and even dangerous. They also discuss regulatory realities, risk management frameworks, and how early-stage teams can avoid costly pitfalls by planning smarter from the start.
Ashkon Rasooli is the CEO of EnGenius Solutions, a boutique consulting firm focused on medical device software development. With a background in both hands-on coding and compliance, Ashkon helps MedTech startups navigate quality systems and regulatory strategy.
Key points:
(0:31) Why Regulations and Cybersecurity Are Intertwined
-
How EnGenius helps small MedTech companies plan early.
-
Challenging the idea that cybersecurity and QMS are separate disciplines.
(7:12) Planning Cybersecurity Early
- Business model, product design, and geography all shape your compliance path.
(12:16) Culture Over Checklists in MedTech Security
-
Ashkon’s “Non-BS Manifesto” based on Agile principles.
-
Real-world examples of ransomware causing patient harm.
(20:38) Why Probabilistic Risk Scoring Falls Short
-
How exploitability trumps probability in FDA guidance.
-
How cybersecurity attackers differ from typical safety failures.
(28:14) Planning Compliance
- Dick Cheney’s pacemaker becomes a cautionary tale of targeted threats.
Check out EnGenius Solutions: https://www.engeniussolutions.com
Notable quotes
“In my mind, cybersecurity is essentially evidence of quality software. If you have secure software, you have good software.”
“I think the idea that quality management system and cybersecurity are two different entities is flawed at its core and actually results in a lot of overhead.”
“If you were being diligent enough in terms of meeting your customer requirements, safety, and effectiveness in your QMS, you would have already done almost all of the things that the FDA is asking you to do on the cybersecurity front.”
Frequently asked questions
More episodes
Keep listening
-
Episode 70
Why MedTech Needs Specialists with Zoltan Kevei and Saby Toth of Bishop & Co
With Zoltan Kevei
-
Episode 69
Science Before Hype in MedTech Investing with Varun Turlapati of Chaanakya Capital
With Varun Turlapati
-
Episode 68
Why MedTech Needs More Than Approval with Michael Branagan Harris of HealthTech Strategies Limited
With Michael Branagan Harris
-
Episode 67
De-Risking Product Decisions in MedTech Startups with Brent Lavin of Ironwood MedTech Partners
With Brent Lavin