In this episode of Inside MedTech Innovation, I had the pleasure of interviewing JC Herz, an incredible mind in the world of cybersecurity and open-source software. With a unique career journey that took her from teenage rock critic to cybersecurity pioneer, JC has become a transformative force in protecting critical software and firmware systems. Her story, and the insights she shares, offer valuable guidance for anyone interested in how cybersecurity intersects with healthcare technology.
A Rock Critic’s Path to Cybersecurity
JC’s story begins in a somewhat unexpected place. As a teenager, she navigated the world of music journalism, using her resourcefulness to get press passes to concerts she otherwise wouldn’t have been able to attend. It was here that her curiosity and her knack for uncovering stories first developed. That early practice in talking her way past gatekeepers and piecing together a story, a form of social engineering in its own right, would later prove invaluable when she shifted from music journalism to cybersecurity.
Her career soon took a serious pivot as she joined the Department of Defense, where she worked on some of the earliest issues around open-source software. JC saw firsthand the unique vulnerabilities inherent in open-source projects, especially in high-stakes environments like national defense. Her work led to the establishment of policies around open-source that aimed to protect critical systems—experience that ultimately served as a foundation for her next venture: co-founding Ion Channel.
Co-Founding Ion Channel: The Birth of a Cybersecurity Solution
After her experience in the defense sector, JC co-founded Ion Channel, a company that addresses a crucial need in today’s digital age: protecting the software supply chain. Ion Channel focuses on managing open-source risks, identifying vulnerabilities, and securing critical infrastructures against cyber threats. Today, JC’s work at Ion Channel (now Exiger) tackles a pervasive and growing issue in the MedTech industry: third-party risks and supply chain vulnerabilities.
The company’s goal is to provide healthcare and technology organizations with a comprehensive view of their software dependencies, allowing them to identify security risks and address vulnerabilities before they become major threats. According to JC, this proactive approach is essential for MedTech companies that often rely on a web of third-party suppliers and open-source components to operate their devices. By monitoring these components continuously, Ion Channel/Exiger enables healthcare manufacturers to stay ahead of potential security risks.
Tackling Open-Source Risks in MedTech
As JC shared in our conversation, one of the most pressing issues in MedTech cybersecurity is managing open-source software in medical devices. Open-source offers incredible benefits—it’s cost-effective, accessible, and often highly adaptable. However, because open-source software is a shared resource that no single user controls, its security depends on whoever happens to be maintaining it. “Open source is like Soylent Green,” JC said during our interview. “It’s made of people.” In other words, open-source software relies heavily on the community that builds and maintains it, which can be a double-edged sword.
Sometimes, a single developer is responsible for maintaining critical software used across industries, including healthcare. JC shared the example of zlib, a widely used compression library maintained by one individual. This single maintainer becomes a “human point of failure,” creating a hidden risk for companies relying on the software: no scanner reports it, because it is a property of the project rather than of the code. For MedTech, which deals with life-saving devices, the potential impact of this kind of dependency risk is profound. As JC puts it, “if the person maintaining critical open-source software decides to leave or encounters a setback, entire systems could be left vulnerable.”
Moving from Reactive to Proactive Cybersecurity
JC’s approach with Ion Channel is rooted in a proactive cybersecurity philosophy. Rather than reacting to vulnerabilities as they arise, she advocates for constant monitoring and identifying “leading indicators” of potential issues. In her words, “remediation isn’t just about fixing surface problems; it’s about getting ahead of vulnerabilities before they have the chance to impact your product.”
For MedTech companies, this approach means inventorying each component in a device’s software supply chain, evaluating the risk each one carries, and ensuring that the supply chain as a whole is resilient. This is a shift from traditional IT models, which often focus on responding to “lagging indicators” such as already-published vulnerabilities (CVE records) after they have appeared, whereas leading indicators such as a shrinking maintainer base or a project that has gone quiet can be observed before any vulnerability is disclosed. In MedTech, waiting until issues arise could mean significant risks to patient safety, which is why proactive risk management is not just beneficial—it’s essential.
Open Source and the Future of Healthcare Security
As we dove deeper, JC highlighted how open-source software and supply chain management are likely to shape the future of MedTech. Regulations are changing, with increasing demands for transparency in supply chains, especially as they relate to cybersecurity. One example is the Software Bill of Materials (SBoM), a machine-readable inventory of every component in a product’s software, which manufacturers are increasingly required to produce and disclose. This push toward transparency helps healthcare providers understand what is actually running inside their devices and gives them a clearer picture of the cybersecurity landscape.
However, transparency is only one part of the solution. According to JC, companies must also adopt rigorous monitoring and maintenance processes. For example, medical device manufacturers need to be aware of the software components they use and the individuals and organizations maintaining them. This kind of insight can be crucial for identifying hidden risks, as JC illustrated through a real-world example: her team once discovered that a seemingly benign software component in a medical device had been developed by a single individual with links to cyber activities. “Some risks don’t show up on scans,” JC said. “But understanding who is behind your software components can help prevent a breach before it happens.”
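To make the leading-versus-lagging distinction from the preceding sections concrete, here is a small added example (written for this article, not Ion Channel or Exiger code) that walks a CycloneDX-style SBOM, joins each component to maintainer and activity metadata, and scores it against a risk tolerance threshold. The SBOM fragment, the component names, the maintainer counts, commit dates and vulnerability counts are all constructed for the example; in practice that metadata would come from package registries, repository history and a vulnerability feed.

```python
"""Score SBOM components on leading (maintainer/activity) and lagging
(published vulnerability) supply-chain risk indicators.

Added illustration for this article; not Ion Channel/Exiger code.
All data below is constructed: the package names, purls, maintainer
counts, dates and vulnerability counts are hypothetical.
"""
import json
from datetime import date

# Constructed CycloneDX 1.4-style SBOM fragment (hypothetical device).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libcompress", "version": "1.4.2", "purl": "pkg:generic/libcompress@1.4.2"},
    {"type": "library", "name": "tlsstack",    "version": "2.4.1", "purl": "pkg:generic/tlsstack@2.4.1"},
    {"type": "library", "name": "tinyparser",  "version": "0.3.0", "purl": "pkg:generic/tinyparser@0.3.0"},
    {"type": "library", "name": "vendorblob",  "version": "7.0",   "purl": "pkg:generic/vendorblob@7.0"}
  ]
}
"""

# Constructed leading-indicator data keyed by purl (hypothetical values).
METADATA = {
    "pkg:generic/libcompress@1.4.2": {"maintainers": 1,  "last_commit": "2024-03-10"},
    "pkg:generic/tlsstack@2.4.1":    {"maintainers": 14, "last_commit": "2024-05-20"},
    "pkg:generic/tinyparser@0.3.0":  {"maintainers": 1,  "last_commit": "2021-06-15"},
    # vendorblob deliberately has no entry: unknown provenance is itself a signal
}

# Constructed lagging-indicator data: count of published vulnerability
# records already filed against a purl (hypothetical; no real identifiers).
KNOWN_VULNS = {"pkg:generic/tlsstack@2.4.1": 1}

LEADING_WEIGHT = 1   # a warning sign, not yet an exploitable bug
LAGGING_WEIGHT = 2   # an already-public vulnerability weighs more


def load_components(sbom_json: str) -> list[dict]:
    """Parse a CycloneDX JSON document and return its component list."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return bom.get("components", [])


def assess_component(comp: dict, metadata: dict, known_vulns: dict,
                     today: date, stale_days: int = 365) -> dict:
    """Collect leading and lagging indicators for one component."""
    purl = comp["purl"]
    leading, lagging = [], []
    meta = metadata.get(purl)
    if meta is None:
        leading.append("no maintainer/activity data")
    else:
        if meta["maintainers"] <= 1:
            leading.append("single maintainer")
        age = (today - date.fromisoformat(meta["last_commit"])).days
        if age > stale_days:
            leading.append(f"no commit in {age} days")
    n = known_vulns.get(purl, 0)
    if n:
        lagging.append(f"{n} published vulnerability record(s)")
    score = LEADING_WEIGHT * len(leading) + LAGGING_WEIGHT * len(lagging)
    return {"name": comp["name"], "purl": purl, "leading": leading,
            "lagging": lagging, "score": score}


def assess_sbom(sbom_json: str, metadata: dict, known_vulns: dict,
                today: date, tolerance: int = 1, stale_days: int = 365) -> list[dict]:
    """Score every component and flag those above the risk tolerance."""
    findings = []
    for comp in load_components(sbom_json):
        f = assess_component(comp, metadata, known_vulns, today, stale_days)
        f["exceeds_tolerance"] = f["score"] > tolerance
        findings.append(f)
    return findings


def example_findings() -> dict:
    """Run the assessment on the constructed data as of a fixed date."""
    findings = assess_sbom(SBOM_JSON, METADATA, KNOWN_VULNS, date(2024, 6, 1))
    return {f["name"]: f for f in findings}


if __name__ == "__main__":
    for f in example_findings().values():
        flag = "REVIEW" if f["exceeds_tolerance"] else "ok"
        print(f"{flag:6} {f['name']:12} score={f['score']} "
              f"leading={f['leading']} lagging={f['lagging']}")
```

With the default tolerance of 1, `tlsstack` is flagged for the lagging reason a conventional scanner would report, while `tinyparser` is flagged on leading indicators alone (one maintainer, no commit in roughly three years) before any vulnerability has been published against it; `libcompress` sits at the threshold as a single-maintainer project that is still active, and `vendorblob` is surfaced simply because nothing is known about who maintains it. Weights, the staleness window and the tolerance are the knobs a manufacturer would tune to its own risk appetite.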
Lessons for MedTech Manufacturers and Cybersecurity Enthusiasts
At the end of our discussion, I asked JC for advice to share with MedTech manufacturers and aspiring cybersecurity experts. Her response emphasized resilience, transparency, and the willingness to tackle complex challenges head-on. She advocates for a balanced approach—one that considers both transparency and security as core values. MedTech companies should set risk tolerance thresholds, continuously assess components, and invest in the necessary resources for managing cybersecurity proactively.
For anyone interested in the field, JC’s career journey is a reminder that the most transformative paths often begin in unexpected places. From her early days as a rock critic to shaping open-source policy at the Department of Defense, JC has continually adapted her skills to make a difference in the complex, high-stakes world of cybersecurity.
As cybersecurity becomes increasingly critical in healthcare, JC’s work with Ion Channel provides a blueprint for safeguarding the future of MedTech. Her experience and insights remind us that protecting healthcare isn’t just about technology; it’s about commitment, resilience, and an unwavering dedication to staying one step ahead.
Tune In
To hear JC’s full story and dive into the complexities of MedTech cybersecurity, listen to the full episode of Inside MedTech Innovation https://open.spotify.com/show/0idCTXcel0SvjHLalRoxIl?si=bed31e6a426d4fc0