At Vigilant Ops, we know the cybersecurity challenges facing today’s medical device manufacturers aren’t just complex — they’re evolving faster than ever. That’s why we recently participated in Greenlight Guru’s webinar “Cybersecurity and Hidden Threats in Medical Devices” to tackle the tough questions on SBOM management, cybersecurity compliance, and risk mitigation for regulated medical technologies.
We received a number of questions from attendees — ranging from technical hurdles to regulatory strategy. Below are some key takeaways from the Q&A that followed the session.
Risk Management Shouldn’t Be in a Vacuum
As emphasized in TIR57 and ISO 14971, cybersecurity risk must be assessed alongside overall device safety and performance. Residual cybersecurity risks require the same benefit-risk evaluation as traditional safety risks — they’re part of the same risk picture. This holistic approach is essential to align with FDA expectations.
SBOM Format Interoperability
CycloneDX and SPDX are the two most common SBOM formats, and yes — integrating them can be tricky. But with tools like cdx2spdx and platforms like Vigilant Ops that automate format translation and normalization, these challenges are manageable and shouldn’t slow you down.
What About PenTesting?
Penetration testing, while not mandated by FDA, is increasingly expected — especially for Software as a Medical Device (SaMD). Including pentest reports in submissions is a growing best practice, particularly when vulnerabilities rise above moderate severity.
AI Brings New Risk
The use of AI in medical software introduces novel attack surfaces. Standards like AAMI TIR34971:2023 provide guidance for adapting ISO 14971 to AI/ML risk scenarios — and should be part of any AI-based medical device risk strategy.
Vulnerability Overload? Prioritize.
With thousands of CVEs published regularly, not every vulnerability is relevant. Use frameworks like KEV (Known Exploited Vulnerabilities) and EPSS (Exploit Prediction Scoring System) — and evaluate how each component is used in your actual product. Vigilant Ops helps streamline this with automated scoring and continuous monitoring.
Still Tracking CVEs in Excel?
It might seem manageable, but managing CVEs in a separate spreadsheet introduces major inefficiencies and risks. Automation is key to keeping SBOMs updated with real-time vulnerability data. Our platform links CVEs to SBOM components and continuously updates vulnerability status.
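As an added example (not Vigilant Ops' product code and not from the webinar), the following Python triage pass does what the two points above describe: it links a vulnerability feed to the components actually present in a CycloneDX SBOM, then tiers each finding by KEV membership, EPSS/CVSS, and whether the component is in the shipped runtime. The SBOM fragment, the CVE identifiers, the purls, the thresholds and the RUNTIME_USED map are all constructed assumptions for illustration.

```python
import json

# Constructed CycloneDX 1.5 JSON fragment standing in for a device SBOM (not a real product).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "tls-lib",   "version": "3.0.1", "purl": "pkg:generic/tls-lib@3.0.1"},
  {"type": "library", "name": "img-codec", "version": "2.4.0", "purl": "pkg:generic/img-codec@2.4.0"},
  {"type": "library", "name": "dev-tools", "version": "0.9.0", "purl": "pkg:generic/dev-tools@0.9.0"}
]}"""

# Constructed vulnerability feed; the CVE ids are placeholders, not real records.
# "epss" is the EPSS probability (0..1); "kev" marks presence in the CISA KEV catalog.
VULN_FEED = [
    {"id": "CVE-0000-0001", "purl": "pkg:generic/tls-lib@3.0.1",   "cvss": 9.8, "epss": 0.92, "kev": True},
    {"id": "CVE-0000-0002", "purl": "pkg:generic/img-codec@2.4.0", "cvss": 7.5, "epss": 0.03, "kev": False},
    {"id": "CVE-0000-0003", "purl": "pkg:generic/img-codec@2.4.0", "cvss": 5.3, "epss": 0.41, "kev": False},
    {"id": "CVE-0000-0004", "purl": "pkg:generic/dev-tools@0.9.0", "cvss": 9.1, "epss": 0.60, "kev": True},
    {"id": "CVE-0000-0005", "purl": "pkg:generic/not-shipped@1.0", "cvss": 9.0, "epss": 0.80, "kev": True},
]

# Usage context from the product's own analysis (hypothetical): dev-tools is listed in the
# SBOM but only used at build time, so it is not part of the device's attack surface.
RUNTIME_USED = {"pkg:generic/tls-lib@3.0.1": True,
                "pkg:generic/img-codec@2.4.0": True,
                "pkg:generic/dev-tools@0.9.0": False}


def sbom_purls(sbom_json):
    """Return the set of package URLs declared in a CycloneDX JSON SBOM."""
    return {c["purl"] for c in json.loads(sbom_json).get("components", []) if "purl" in c}


def triage(vulns, purls, runtime_used, epss_threshold=0.1):
    """Tier each finding that affects a component in the SBOM.
    1: in KEV and in the runtime; 2: EPSS at/above threshold or CVSS >= 7.0 and in the runtime;
    3: in the runtime with low exploitability signals; 4: component not in the shipped runtime."""
    ranked = []
    for v in vulns:
        if v["purl"] not in purls:
            continue  # feed noise: the component is not in our SBOM at all
        used = runtime_used.get(v["purl"], True)  # unknown usage: conservatively assume shipped
        if not used:
            tier = 4
        elif v["kev"]:
            tier = 1
        elif v["epss"] >= epss_threshold or v["cvss"] >= 7.0:
            tier = 2
        else:
            tier = 3
        ranked.append({**v, "tier": tier})
    # Highest tier first, then the most likely to be exploited, then severity.
    return sorted(ranked, key=lambda r: (r["tier"], -r["epss"], -r["cvss"]))


def triage_report():
    """Run the triage over the constructed SBOM and feed; returns the ordered worklist."""
    return triage(VULN_FEED, sbom_purls(SBOM_JSON), RUNTIME_USED)
```

Tier 4 findings stay on the list rather than being dropped, so build-time exposure is still tracked and re-evaluated when the usage analysis changes.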
Want to Stay Current?
For high-level cybersecurity insights, we recommend CISA, Cyber Defense Magazine, Help Net Security, and Gartner. These resources are great for both technical and regulatory professionals keeping tabs on cybersecurity trends.
Download the Full Webinar Q&A
Want deeper insight? We’ve compiled all your questions — and our detailed answers — into a downloadable PDF. [Click here to get your copy].