Living Influence with Bill Thrall and Scott Boyd

Unpacking Post-Market Management and Incident Response for Medical Devices



What should you do when a vulnerability is discovered in a medical device after it's already on the market?

This episode dives into post-market management and incident response for medical devices, exploring what happens when a device is hacked or a vulnerability is reported. Christian Espinosa and Trevor Slattery discuss the processes involved in identifying, triaging, and remediating vulnerabilities, emphasizing the unique challenges faced in the medical device sector.


Key points: 


(8:01) Sources of Vulnerabilities and Tracking

* There are various sources for discovering vulnerabilities, including software bill of materials, CISA-CAV, annual penetration tests, coordinated vulnerability disclosure databases, etc. 

* Standards and guidance for post-market management, including TIR-97 and FDA guidance.


(13:08) Managing False Positives and Risk Triage

* False positives are instances where a testing tool or scanner indicates a problem that doesn't actually exist.

* The critical importance of thoroughly investigating false positives in the post-market phase to avoid unnecessarily fixing non-issues.

* The triage process for vulnerabilities. 


(21:11) Exploitability and Coordinated Vulnerability Disclosure

* How exploitability factors, like authentication levels, proximity, and attack complexity, can change in the post-market phase.


Resources mentioned in this episode: 


* TIR-97: AAMI standard for post-market cybersecurity management

* FDA Guidance: Postmarket Management of Cybersecurity in Medical Devices


The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com 


If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session 


Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber. 

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ 


Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ 

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ 

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ 

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber 


Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 


Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ 


Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ 

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial 


The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast. 


Subscribe via Spotify: https://spoti.fi/3XX95g0

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts


This episode was produced by Story On Media: https://www.storyon.co/ 
