How have medical device cybersecurity requirements changed since 2023, and what does this mean for your product development?

In this episode, Christian and Trevor welcome Monica Montañez from NAMSA to unpack the evolving landscape of FDA cybersecurity requirements. From new laws introduced in 2023 to the ambiguous language in FDA guidance, they dig into what it really takes to meet expectations for cyber device submissions. 

(0:32) NAMSA and Industry Shifts

* Monica introduces NAMSA’s role in regulatory and quality consulting.

(5:12) FDA Guidance vs. Legal Mandate

* The confusion around FDA’s "recommended" language.

* How internet-connectivity defines cyber devices—including USB and Bluetooth.

(12:57) Classifications, Interfaces, and Testing Gaps

* The dangers of assuming interfaces are disabled.

* Why early cybersecurity design is now critical for approval.

(18:08) New Submission Expectations

* What’s now required in a submission: threat models, risk assessments, lifecycle documentation.

* Trevor explains how these requirements balloon documentation to hundreds of pages.

The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com 

If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session 

Thanks to Monica Montañez for being on the show. 

Learn more about Monica on NAMSA’s website:

https://namsa.com/expertise/team/monica-r-montanez/ 

Connect with Monica on LinkedIn: https://www.linkedin.com/in/monica-montanez-ms-rs-rac-cqa-4389336  

Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber. 

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ 

Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ 

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ 

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ 

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber 

Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 

Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ 

Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ 

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial 

The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast. 

Subscribe via Spotify: https://spoti.fi/3XX95g0

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts

This episode was produced by Story On Media: https://www.storyon.co/ 

Join Trevor Slattery, Director of Cybersecurity, and Christian Espinosa, CEO of Blue Goat Cyber, for a comprehensive webinar on medical device cybersecurity. 

Trevor and Christian explore the critical interplay between safety and security risk management, offering guidance on conducting effective risk assessments that address vulnerabilities across both domains. 

This presentation will give you a deeper understanding of key standards like ISO 14971 and AAMI TIR57 and learn how to implement robust risk management frameworks. Equip yourself with the knowledge needed to ensure both patient safety and data security in medical devices!

Blue Goat Cyber is a group of cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com 

If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session 

Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Director of Medical Device Cybersecurity at Blue Goat Cyber. 

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ 

Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 

Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ 

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ 

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ 

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber 

Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ 

Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ 

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial 

For more content on medical device cybersecurity, check out The Med Device Cyber Podcast, your essential resource. In each episode, we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, subscribing to the Med Device Cyber Podcast will help you safeguard patient safety. 

Subscribe via Spotify: https://spoti.fi/3XX95g0

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

This webinar was produced by Story On Media & Marketing: https://www.successwithstories.com

What are the four security architecture views that the FDA prioritizes, and how do they impact your device's design?

This episode explores the FDA-defined security architecture views essential for medical device cybersecurity. Christian and Trevor break down the four views—global system, updatability/patchability, multi-patient harm, and secure use cases—with real-world examples and practical advice. 

Key points: 

(5:25) The Global System View

* Companion apps and cloud infrastructure must be part of the device scope.

* Many device manufacturers overlook update infrastructure in this view.

* Distinguishing in-scope versus out-of-scope components is a common challenge.

(12:52) Updatability and Patchability

* Secure update procedures must cover the entire lifecycle.

* FDA wants manufacturers to consider both infrastructure and delivery integrity.

* A weak development environment can compromise update trustworthiness.

(18:21) Multi-Patient Harm Scenarios

* Risk is based on the scope and scale of potential compromise.

* Even small devices can cause large-scale issues depending on their connectivity.

(23:09) Secure Use Case Views and Closing Advice

* Every device function should have a corresponding security consideration.

* Functional requirements can guide secure use case documentation.

The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com 

If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session 

Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber. 

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ 

Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ 

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ 

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ 

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber 

Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 

Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ 

Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ 

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial 

The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast. 

Subscribe via Spotify: https://spoti.fi/3XX95g0

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts

This episode was produced by Story On Media: https://www.storyon.co/ 

How can you integrate relevant cybersecurity standards early in your medical device development process? Also, how do FDA cybersecurity standards help reduce the time to market for new medical devices?

In this episode, Trevor Slattery, CTO of Blue Goat Cyber, and Jordan John, Director of Regulatory Affairs and Compliance at Blue Goat Cyber, explore: 

* The importance of integrating standards into the QMS from the start.

* How TIR57 complements ISO 14971 for security risk management.

* Why cybersecurity must be operational, not just documented.

* IEC 62304 and its role in secure software lifecycle processes.

* ISO/IEC 81001-5-1 is covered as a framework for secure product development.

* NIST SP 800-115 is explored as a guide for FDA-compliant penetration testing.

* How FDA guidance ties all the standards together.

This episode was brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com 

If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session 

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ 

Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ 

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ 

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ 

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber 

Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 

Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ 

Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ 

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial 

The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast. 

Subscribe via Spotify: https://spoti.fi/3XX95g0

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

This was produced by Story On Media: https://www.storyon.co/ 

How can shared responsibility models improve healthcare cybersecurity?

In this episode, Greg Garcia joins Christian and Trevor to break down the evolving landscape of medical device cybersecurity from a national policy perspective. Together, they discuss the legacy device challenge, shared accountability, and how sector-wide collaboration is critical to progress. The episode drives home the message that cybersecurity is not just technical—it’s foundational to patient safety and innovation.

Greg Garcia is one of the people shaping the future of critical infrastructure cybersecurity—and he’s got the track record to back it up. As executive director of the Health Sector Coordinating Council Cybersecurity Working Group, he’s all about connecting the dots between policy, industry, and patient safety.

Key points: 

(1:30) Cyber in Critical Infrastructure

* Greg’s career path from Homeland Security to health sector leadership.

* The Health Sector Coordinating Council’s mission.

(10:35) The Legacy Device Dilemma

* Medical device cybersecurity suffers from the finger-pointing between HDOs and MDMs.

* Managing unsupported devices and contractual accountability.

(18:05) Budget Gaps and Cultural Challenges

* Rural hospitals and underfunded providers struggle to keep up with cybersecurity expectations.

* The case for regulatory mandates to level the playing field.

(31:47) Regulation, Risk, and Big Ideas

* The idea of Authorization to Operate (ATO) for health tech.

* Comparisons to Department of Defense (DoD) and FedRAMP models are raised as a vision for healthcare.

(40:12) Culture Over Compliance

* Why data shows low medical device exploitation—but that’s no reason to relax.

* How to make “secure by default” a reality.

The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com 

If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session 

Thanks to Greg Garcia for being on the show. Connect with Greg Garcia on LinkedIn: https://www.linkedin.com/in/gregorytgarcia/ 

Learn about  the Health Sector Coordinating Council: https://healthsectorcouncil.org/ 

Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber. 

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ 

Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ 

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ 

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ 

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber 

Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 

Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ 

Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ 

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial 

The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast. 

Subscribe via Spotify: https://spoti.fi/3XX95g0

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts

This episode was produced by Story On Media: https://www.storyon.co/ 

How well does your security strategy cover the entire product lifespan—from concept to decommissioning?

This episode dives into the importance of the Total Product Lifecycle (TPLC) and Secure Product Development Framework (SPDF) in medical device cybersecurity. Christian and Trevor share stories, best practices, and pitfalls from real-world cases involving update security, insecure development environments, and overlooked decommissioning risks. 

Key points: 

(1:50) Intro to TPLC and SPDF

* The importance of TPLC and SPDF in secure development.

(7:00) Update Vulnerabilities and OTA Risks

* An example of compromised keys in an otherwise secure over-the-air (OTA) process.

* Trade-offs between update convenience and security.

(12:16) Threat Modeling 

* Threat modeling’s application to development environments.

* The overlooked risks of data storage locations and natural disasters.

(17:24) Infrastructure Challenges 

* How clients struggled with infrastructure across hospital environments.

* How scripts and hardcoded passwords can introduce risk.

(19:56) Building a SPDF That Works

* Best practices: coding standards, multi-layer review, and automated testing.

* Secure development is like planning for your own death—it’s hard, but necessary.

The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com 

If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session 

Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber. 

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ 

Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ 

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ 

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ 

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber 

Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 

Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ 

Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ 

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial 

The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast. 

Subscribe via Spotify: https://spoti.fi/3XX95g0

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts

This episode was produced by Story On Media: https://www.storyon.co/ 

How can medical device startups avoid missteps in cybersecurity, quality, and compliance? 

In this episode, Trevor Slattery speaks with Ashkon Rasooli about the intersection of quality systems and cybersecurity in medical devices. They unpack why treating cybersecurity as a bolt-on checklist is ineffective and even dangerous. They also discuss regulatory realities, risk management frameworks, and how early-stage teams can avoid costly pitfalls by planning smarter from the start.

Ashkon Rasooli is the CEO of EnGenius Solutions, a boutique consulting firm focused on medical device software development. With a background in both hands-on coding and compliance, Ashkon helps medtech startups navigate quality systems and regulatory strategy. 

Key points: 

(0:31) Why Regulations and Cybersecurity Are Intertwined

* How EnGenius helps small medtech companies plan early.

* Challenging the idea that cybersecurity and QMS are separate disciplines.

(7:12) Planning Cybersecurity Early 

* Business model, product design, and geography all shape your compliance path.

(12:16) Culture Over Checklists in MedTech Security

* Ashkon’s “Non-BS Manifesto” based on Agile principles.

* Real-world examples of ransomware causing patient harm.

(20:38) Why Probabilistic Risk Scoring Falls Short

* How exploitability trumps probability in FDA guidance.

* How cybersecurity attackers differ from typical safety failures.

(28:14) Planning Compliance

* Dick Cheney’s pacemaker becomes a cautionary tale of targeted threats.

Thanks to Ashkon Rasooli for being on the show. Connect with him: https://www.linkedin.com/in/ashkonrasooli 

Check out EnGenius Solutions: https://www.engeniussolutions.com

The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com 

If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session 

Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber. 

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ 

Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ 

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ 

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ 

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber 

Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 

Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ 

Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ 

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial 

The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast. 

Subscribe via Spotify: https://spoti.fi/3XX95g0

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts

This episode was produced by Story On Media: https://www.storyon.co/ 

Why is cybersecurity labeling more than just a compliance checkbox for medical device companies?

In this episode, Christian and Trevor dive into the nuanced world of cybersecurity labeling for medical devices. They discuss the role of MDS2 and JSP2 documentation, labeling misconceptions, and how manufacturers can best disclose security information without overwhelming or misleading users.

Key points: 

(6:30) Misconceptions About Cybersecurity Labeling

* Many manufacturers worry that disclosing risks will aid hackers, but that's flawed thinking.

* Distinctions between labeling as documentation and labeling as a control like a tamper-evident seal.

* Everyday product examples to illustrate why transparency in labeling matters.

(12:45) How Much Detail Is Enough?

* How deep a manufacturer should go with disclosures about encryption and risk.

* Why more detail is generally better and how to balance tech jargon with user readability.

* Different labeling needs based on whether a device is for consumers or hospitals.

(18:20) Context, Risk, and Communication

* Why not encrypting unnecessary data can backfire if a consumer is misinformed. 

* How labeling must be contextual and tailored to a device’s function and data sensitivity.

Resources mentioned in this episode: 

* The Manufacturer Disclosure Statement for Medical Device Security (generally abbreviated as MDS2). 

* The Medical Device and Health IT Joint Security Plan, version 2 (JSP2).

The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com 

If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session 

Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber. 

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ 

Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ 

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ 

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ 

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber 

Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 

Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ 

Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ 

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial 

The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast. 

Subscribe via Spotify: https://spoti.fi/3XX95g0

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts

This episode was produced by Story On Media: https://www.storyon.co/ 

Med device manufacturers, are you setting up your quality system early enough in product development? Also, are you misunderstanding the FDA’s "guidance" documents—and risking rejection?

Today’s guests are Mark Swanson and Steve Gompertz of QRx Partners, and they’re passionate about helping medtech companies dodge the regulatory and quality pitfalls that derail so many startups. This episode explores how to classify your device properly, why cybersecurity documentation is required even for isolated software, and the evolving role of AI in medical technology. 

Key points: 

(02:11) Startup Failure and What QRx Solves

* Why many early-stage medtech startups fail.

* Startup optimism is contrasted with the harsh funding and regulatory realities.

(12:16) Classification Chaos and Regulatory Missteps

* The confusion around FDA’s product code database.

(17:55) AI and Quality Systems

* What qualifies as actual AI vs. marketing fluff.

* How regulators handle AI in submissions.

(31:22) National Vs State Regulations

* The critical need for manufacturers to understand state regulations. 

* Why quality and regulatory planning must precede design.

Thanks to Mark Swanson and Steve Gompertz for being on the show. 

Connect with Mark on LinkedIn: https://www.linkedin.com/in/markswansoncmq

Connect with Steve on LinkedIn: https://www.linkedin.com/in/stevegompertz

Learn more about QRx Partners: https://www.qrxpartners.com

The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com 

If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session 

Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber. 

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ 

Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ 

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ 

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ 

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber 

Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 

Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ 

Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ 

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial 

The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast. 

Subscribe via Spotify: https://spoti.fi/3XX95g0

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts

This episode was produced by Story On Media: https://www.storyon.co/ 

What should you do when a vulnerability is discovered in a medical device after it's already on the market?

This dives into post-market management and incident response for medical devices, exploring what happens when a device is hacked or a vulnerability is reported. Christian Espinosa and Trevor Slattery discuss the processes involved in identifying, triaging, and remediating vulnerabilities, emphasizing the unique challenges faced in the medical device sector. 

Key points: 

(8:01) Sources of Vulnerabilities and Tracking

* There are various sources for discovering vulnerabilities, including software bill of materials, CISA-CAV, annual penetration tests, coordinated vulnerability disclosure databases, etc. 

* Standards and guidance for post-market management, including TIR-97 and FDA guidance.

(13:08) Managing False Positives and Risk Triage

* False positives are instances where a testing tool or scanner indicates a problem that doesn't actually exist.

* The critical importance of thoroughly investigating false positives in the post-market phase to avoid unnecessary fixing non-issues.

* The triage process for vulnerabilities. 

(21:11) Exploitability and Coordinated Vulnerability Disclosure

* How exploitability factors, like authentication levels, proximity, and attack complexity, can change in the post-market phase.

Resources mentioned in this episode: 

* TIR-97: AAMI standard for post-market cybersecurity management

* FDA Guidance: Postmarket Management of Cybersecurity in Medical Devices

The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com 

If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session 

Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber. 

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ 

Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ 

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ 

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ 

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber 

Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 

Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ 

Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ 

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial 

The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast. 

Subscribe via Spotify: https://spoti.fi/3XX95g0

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts

This episode was produced by Story On Media: https://www.storyon.co/