#63: Melissa Rhodes: Leading Product Security at Medtronic
We sat down with Melissa Rhodes, the Product Security Program Manager at Medtronic and an MDM security thought leader for a fun and insightful conversation about SBOMs and her journey from firmware engineering to leading product security.
About Melissa Rhodes
Melissa Rhodes is the Product Security Program Manager at Medtronic. Melissa is a seasoned expert and manager in the medical device security world, with over 25 years of experience as a firmware engineer, systems engineer, and now a product security program manager at Medtronic – one of our favorite customers. Throughout her distinguished career, Melissa has established herself as one of the most innovative and forward-thinking individuals in the medical device security space.
A Summary of Our Conversation with Melissa
In this episode of Left to Our Own Devices: The Product Security Podcast, Melissa Rhodes, Product Security Program Manager at Medtronic, shares her extensive experience in the medical device industry and product security. With over 25 years of expertise, Melissa walks us through her professional journey, the challenges of securing medical devices, and her pioneering role in advancing software bill of materials (SBOMs). The conversation explores her career trajectory, the importance of SBOMs in product security, the value of diversity in teams, and her broader mission of ensuring patient safety across the medical device industry.
Career Journey and Early Years at Medtronic
Melissa begins by recounting her path into the world of medical devices, starting at Louisiana Tech University, where she pursued biomedical engineering. At the time, biomedical engineering was a relatively new field, which she found exciting because of her natural inclination toward exploring uncharted territories. This desire to venture into new spaces shaped her career, eventually leading her to Medtronic, where she began working as a firmware test engineer shortly after graduating in the late 1990s.
Though Melissa did not have significant software experience in college, her role at Medtronic provided her with valuable knowledge about testing software, which became the foundation for her subsequent career development. After two years, she transitioned into systems engineering, a role that allowed her to oversee product development from requirement stages through to verification, validation, and market release. This gave her a deep understanding of product lifecycles and paved the way for her move into the field of cybersecurity, which had not yet become a major focus in medical devices during her early career.
The Importance of SBOMs and Consistency
Melissa highlights her role in Medtronic’s product security office, where her primary focus has been on SBOMs. For over two years, she has worked on ensuring Medtronic is prepared to create, submit, and manage SBOMs, both internally and externally. She explains that SBOMs are crucial for monitoring software vulnerabilities and ensuring the security of marketed products.
One of the key points Melissa emphasizes is the need for consistency and global standards when it comes to SBOMs. Consistency, both within Medtronic and across the industry, is essential for efficient analysis and monitoring of software components. Melissa stresses that a consistent SBOM format makes it easier for organizations to assess vulnerabilities and maintain the security of their products. She advocates for SBOMs that are uniform in content, availability, and format, making them more usable and interoperable across different tools and platforms.
On the global scale, Melissa explains that “global” in the context of SBOMs at Medtronic refers to consistency across all business units, regardless of their geographical location. However, when discussing SBOMs at the industry level, “global” means fostering consistency not just within the medical device industry, but across all sectors that produce software. This is particularly important as software developed in one sector often finds its way into medical devices. By promoting a consistent approach to SBOMs across industries, it becomes easier for medical device manufacturers to integrate third-party components into their products securely.
Challenges in the Healthcare and Medical Device Space
When asked about the biggest challenges in the medical device and healthcare delivery organization (HDO) space today, Melissa discusses the regulatory landscape and the difficulty of implementing transparency with customers. While regulations require transparency, particularly regarding vulnerabilities in marketed products, the infrastructure to support this transparency is often lacking. SBOMs provide a framework for tracking and managing software vulnerabilities, but many companies struggle with how to communicate these vulnerabilities effectively to customers.
One of the major hurdles, according to Melissa, is the potential for customers to misinterpret SBOMs. If vulnerabilities are found in an SBOM, customers may become concerned about the security of the product, even if the manufacturer is already addressing these issues. This gap in communication can cause unnecessary alarm. Melissa advocates for developing clear, industry-wide guidelines for communicating the status of vulnerabilities in SBOMs so that customers can understand which vulnerabilities are actively being managed.
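The communication gap described above can be narrowed by shipping a status alongside each SBOM match. The following is an added example, not code from the podcast or from Medtronic: it joins a constructed CycloneDX-style SBOM fragment with constructed advisories and labels every hit with a manufacturer disposition, so a reader can tell which findings are already handled. The advisory ids, purls and the status vocabulary are placeholders and assumptions.

```python
# Added example, not code from the podcast or from Medtronic: join a constructed
# CycloneDX-style SBOM fragment with constructed advisories on package URL, then
# label each match with the manufacturer's disposition so a customer can see
# which findings are already being handled. All ids and statuses are placeholders.
from dataclasses import dataclass

SBOM = {  # constructed sample, CycloneDX-like field names
    "components": [
        {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
        {"name": "rtos-net", "version": "4.0.1", "purl": "pkg:generic/rtos-net@4.0.1"},
        {"name": "tls-lite", "version": "2.9.0", "purl": "pkg:generic/tls-lite@2.9.0"},
    ]
}
ADVISORIES = {  # constructed: placeholder advisory id -> set of affected purls
    "ADV-EXAMPLE-0001": {"pkg:generic/libfoo@1.2.3"},
    "ADV-EXAMPLE-0002": {"pkg:generic/rtos-net@4.0.1"},
    "ADV-EXAMPLE-0003": {"pkg:generic/other@9.9.9"},  # component not in this SBOM
}
# Constructed manufacturer statements keyed by (advisory, purl). The status
# vocabulary (not_affected / affected / fixed / under_investigation) is an assumption.
DISPOSITIONS = {
    ("ADV-EXAMPLE-0001", "pkg:generic/libfoo@1.2.3"):
        ("not_affected", "vulnerable code path is not reachable on the device"),
}

@dataclass(frozen=True)
class Finding:
    advisory: str
    purl: str
    status: str
    justification: str

def match_advisories(sbom, advisories):
    """Return sorted (advisory, purl) pairs where an SBOM component is named by an advisory."""
    purls = {c["purl"] for c in sbom["components"]}
    return sorted((adv, p) for adv, hit in advisories.items() for p in hit & purls)

def build_report(sbom, advisories, dispositions):
    """Attach a disposition to every match; unlabelled matches default to under_investigation."""
    default = ("under_investigation", "no manufacturer statement published yet")
    return [Finding(adv, purl, *dispositions.get((adv, purl), default))
            for adv, purl in match_advisories(sbom, advisories)]

def needs_customer_attention(findings):
    """Findings the manufacturer has neither fixed nor ruled out are the ones to communicate."""
    return [f for f in findings if f.status in ("affected", "under_investigation")]
```

With the constructed inputs, the libfoo match is reported as not affected with its justification, while the rtos-net match has no statement yet and is the only finding that still warrants customer follow-up.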
Tackling Supply Chain Security
Melissa also addresses the challenge of integrating third-party components into medical devices, especially from suppliers who may not prioritize cybersecurity or even understand what an SBOM is. She explains that Medtronic, like other medical device manufacturers, needs to thoroughly vet software components brought in from external suppliers. This includes assessing the quality, integrity, and risk associated with these components.
A key part of this vetting process is making trade-offs. Melissa’s background in systems engineering has taught her that product development is often about making decisions based on trade-offs between functionality and risk. She notes that software components from smaller or less sophisticated suppliers may carry greater cybersecurity risks, and companies must decide whether those risks are worth taking. In some cases, legacy products may be more difficult to secure because they were developed without the robust cybersecurity considerations that are now standard in product development. In extreme cases, products may even need to be obsoleted if the risks they pose can no longer be managed effectively.
Builders and Breakers: Diversity in Security Teams
A significant portion of the conversation centers on the importance of diversity in cybersecurity teams. Melissa introduces the concept of “builders and breakers,” two complementary mindsets that she believes are essential for any successful security team. Builders are individuals who focus on designing and developing products, while breakers are those who think like attackers and look for vulnerabilities in the system. Melissa believes that having both perspectives on a team leads to a more robust and secure product.
Moreover, Melissa emphasizes the value of having diverse perspectives on teams, including women and individuals from different ethnic and cultural backgrounds. She points out that homogenous teams tend to produce “flat” products that may not meet the needs of a global audience. Including diverse voices in the design and development process ensures that products are more innovative and capable of addressing the needs of a broader range of users.
Melissa also highlights the importance of retaining women in cybersecurity and technical roles. Drawing from her experience at Medtronic, she notes that the company has made great strides in promoting diversity, with women making up a significant portion of its technical workforce. She encourages women to recognize the value of their unique perspectives and to assert their voices in technical discussions, as diversity ultimately leads to better products and stronger security.
Conclusion: A Commitment to Patient Safety and Industry Collaboration
Throughout the conversation, one theme remains central to Melissa’s work: the safety and security of patients. For her, the ultimate goal of advancing SBOMs and improving product security is to ensure that patients can trust the devices they rely on. This mission extends beyond Medtronic, as Melissa is actively involved in industry-wide efforts to standardize SBOM practices and collaborate with other companies to improve cybersecurity across the medical device sector.
Melissa’s passion for tackling challenges before they are fully mapped out and her commitment to driving progress in product security make her a true pioneer in the field. As she continues her work at Medtronic and within the broader industry, Melissa’s insights and leadership will undoubtedly help shape the future of medical device security and ensure that patients remain safe and secure in an increasingly complex digital world.