{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"MedTech Speed to Data","title":"The Real Cost of Adding Cybersecurity Late in Medical Device Development : 44","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/fe4653c3\"></iframe>","width":"100%","height":180,"duration":1696,"description":"Design for Security from the Start: Making Medical Device Cybersecurity More Resilient\n\nMedTech innovation is revolutionizing healthcare but is also introducing new cyberattack vectors that can put manufacturers, hospitals, and patients at risk.\n\nIn Episode 44 of the MedTech Speed to Data Podcast, Key Tech VP of Business Development Andy Rogers and Senior Computer Engineer Jamie Kendall discuss the FDA’s latest cybersecurity guidance.\n\nNeed to know\n\nSmart, connected devices have greater risks — Medical devices are emerging vectors for bad actors targeting the healthcare industry.\nFDA’s 2025 cybersecurity guidance update — The agency recommends risk-based development frameworks to make device cybersecurity more resilient.\nClarifying “cyber devices” — The FDA’s guidance applies to any medical device that runs software and could connect to the Internet.\n\nThe nitty-gritty\n\n“Cybersecurity was always baked into our process,” Jamie explains. More specifically, Key Tech has adapted the TIR57 risk-based standard for managing medical device security to the new rules. “[The FDA’s] 2023 guidance really laid the groundwork for our latest process. We’ve tweaked it slightly with the [latest update]. There are more explicit documentation requirements around vulnerability monitoring and more details on the software bill of materials (SBOMs).”\n\nJamie goes on to describe how Key Tech’s cybersecurity risk management plan informs product development.
The security team starts by developing a threat model based on evaluations of data flows, data storage, and the cybersecurity activities protecting that data. “One of the first things that we always do is a threat model. This is a visual model of the system to show the elements of the device, where data is flowing, and where your trust boundaries are. This is a one-page, digestible visual that everyone can look at, assess, and go ‘yep, that makes sense’ and then build your initial architecture and risk assessment based on that.”\n\nThe security team...","thumbnail_url":"https://img.transistorcdn.com/D6hMCysuuZpZO9MQfRbgtr2o9UZ_Mtc0h1qVAxU8GII/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS83MGQ2/N2MwMDdmNTRmOTRl/M2Y0MTcyNjAwN2Mz/OWRlZi5qcGc.webp","thumbnail_width":300,"thumbnail_height":300}