Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Podcast · Episode 26

    Why Cybersecurity and Quality Are One and the Same

    With MedTech leader - How can medical device startups avoid missteps in cybersecurity, quality, and compliance? In this episode, Trevor Slattery speaks with Ashkon Rasooli about the intersection of quality systems and cybersecurity in medical devices.

    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Listen now

    Key takeaways

    • Cybersecurity and medical device software quality are intrinsically linked, with secure software indicating a high-quality product.
    • Implementing a "shift left" approach by integrating Quality Management Systems (QMS) and cybersecurity early in development prevents rework and regulatory delays.
    • A robust QMS, designed for safety and effectiveness per standards like ISO 13485, naturally incorporates essential cybersecurity controls.
    • Cybersecurity failures in medical devices can extend beyond data breaches to "denial of care," directly impacting patient safety.
    • The FDA views cybersecurity as integral to patient safety, making it a mandatory component of medical device design.
    • Manufacturers must define security requirements based on product design (e.g., cloud connectivity), business model, and target market regulations (e.g., US vs. EU).
    • Effective risk management in medical devices must specifically account for intentional malicious actors, differentiating it from traditional safety risk assessments.
    • The FDA's current stringent cybersecurity guidance builds upon existing standards like ISO 62304, rewarding manufacturers with proactive risk management. Measures for FDA Section 524B.

    How can medical device startups avoid missteps in cybersecurity, quality, and compliance?

    In this episode, Trevor Slattery speaks with Ashkon Rasooli about the intersection of quality systems and cybersecurity in medical devices. They unpack why treating cybersecurity as a bolt-on checklist is ineffective and even dangerous. They also discuss regulatory realities, risk management frameworks, and how early-stage teams can avoid costly pitfalls by planning smarter from the start.

    Ashkon Rasooli is the CEO of EnGenius Solutions, a boutique consulting firm focused on medical device software development. With a background in both hands-on coding and compliance, Ashkon helps MedTech startups navigate quality systems and regulatory strategy.

    Key points:

    (0:31) Why Regulations and Cybersecurity Are Intertwined

    • How EnGenius helps small MedTech companies plan early.

    • Challenging the idea that cybersecurity and QMS are separate disciplines.

    (7:12) Planning Cybersecurity Early

    • Business model, product design, and geography all shape your compliance path.

    (12:16) Culture Over Checklists in MedTech Security

    • Ashkon’s “Non-BS Manifesto” based on Agile principles.

    • Real-world examples of ransomware causing patient harm.

    (20:38) Why Probabilistic Risk Scoring Falls Short

    • How exploitability trumps probability in FDA guidance.

    • How cybersecurity attackers differ from typical safety failures.

    (28:14) Planning Compliance

    • Dick Cheney’s pacemaker becomes a cautionary tale of targeted threats.

    Check out EnGenius Solutions: https://www.engeniussolutions.com

    Notable quotes

    “In my mind, cybersecurity is essentially evidence of quality software. If you have secure software, you have good software.”
    - Trevor Slattery
    “I think the idea that quality management system and cybersecurity are two different entities is flawed at its core and actually results in a lot of overhead.”
    - Ashkon Rasooli
    “If you were being diligent enough in terms of meeting your customer requirements, safety, and effectiveness in your QMS, you would have already done almost all of the things that the FDA is asking you to do on the cybersecurity front.”
    - Ashkon Rasooli

    Frequently asked questions

    More episodes

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.