    Episode 42 · October 14, 2025 · 24m listen · 907 words · ~5 min read

    5 Most Common Misconceptions of Medical Device Security | Ep. 41 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 42 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This episode of The Med Device Cyber Podcast debunks five common misconceptions surrounding medical device cybersecurity, offering critical insights for product security teams, regulatory leads, and engineers. Christian Espinosa and Trevor Slattery explore the misguided focus solely on data protection, emphasizing that patient safety takes precedence over data in the medical device context—a crucial distinction from traditional cybersecurity. They clarify the broad definition of a "cyber device," highlighting that even seemingly isolated devices with USB ports or Bluetooth capabilities fall under this classification according to FDA guidance. The discussion also challenges the notion of treating cybersecurity as a one-time activity, advocating for a "security by design" and total product lifecycle approach to avoid costly delays and rework. Furthermore, the hosts address the misconception that software developers inherently possess adequate cybersecurity expertise, underscoring the distinct skill sets required for building versus breaking software. Finally, the episode differentiates medical device cybersecurity from traditional cybersecurity, emphasizing unique regulatory requirements, specialized testing methodologies, and patient safety-centric risk assessments.

    Key takeaways from this episode

    • Patient safety is the paramount concern in medical device cybersecurity, superseding data protection in terms of priority.
    • Many devices, even those with limited connectivity like USB ports or Bluetooth, are considered "cyber devices" by the FDA and require robust cybersecurity considerations.
    • Integrate cybersecurity throughout the entire product lifecycle, from design to disposal, rather than treating it as a one-off compliance task, to mitigate risks and avoid submission delays.
    • Software development and cybersecurity are distinct skill sets; do not assume developers have comprehensive cybersecurity expertise without intentional training or dedicated personnel.
    • Medical device cybersecurity demands specialized knowledge, testing, and documentation that differ significantly from traditional cybersecurity practices due to its unique regulatory landscape and patient safety focus.


    Full episode transcript

    Hi, welcome back to another episode of The Med Device Cyber Podcast. It's a very interesting conversation today because there are a lot of misconceptions, but we distilled it down to the top five that we hear all the time from prospects, clients, and conversations at events, etc. I'm your host, Christian Espinosa, founder and CEO of Blue Goat Cyber. I'm coming to you from Tempe, Arizona, looking at the lovely Tempe Town Lake. I noticed this is the last year for Ironman Arizona, so I'm going to miss it. It was one of my fastest races. And I'm here today with Trevor Slattery, our co-host, coming from San Francisco, the foggy city with luckily no fog today. So that's pretty nice. Awesome. So let's dive into number one. It's about the data. This is a misconception. Everyone I talk to, including investors, when they think about cybersecurity, even in medtech, they always talk about protecting the data. Now, what is wrong with that misconception? Well, of course, data is something that's very important, and I think part of where this misconception comes from is that it's usually the first thought people have when they think of cybersecurity. You're protecting information in information security. But with medical devices, we have this added layer. That's a good point. It did use to be called information security. And you know, you still say, "Oh, well, it's IT testing, information technology. It's all about the information." But we have this unique situation with medical devices where a compromise in a product for medical application can hurt someone directly. Think about if someone cranks your infusion pump or an insulin pump up to 11. That could cause you to overdose really, really fast. And that's unique where let's say I hacked into a bank or something. Of course, you could steal information, you could steal money, you could do a lot of really nasty things, but you couldn't hurt someone there. You couldn't kill someone.
And with medical device cybersecurity, that is an added layer. We're not saying that the data is not important. It's just from a priority perspective, it's less important than the patient safety. I mean, imagine if you have a defibrillator at the same time they're stealing your protected health information. Which one would you care about more? Probably being shocked to death. I'd probably want to live to be upset about my data getting stolen personally. Exactly. Exactly. They're both important, but they're not equally important. And I think it's especially a unique situation since traditional cybersecurity is so focused around assessing risk to data. It becomes a bit of a new situation with medical devices. And we always talk about with our clients, our prospects, "Here's how we're assessing risk. We're talking about what can you do to an individual? Can you cause discomfort, harm, death?" And doing that, you look at any traditional cybersecurity metric like CVSS scoring or DREAD assessments or whatever, there's no box you can tick saying, "Can you kill someone with this?" And so, it's something that's super new and requires a little bit of a unique process. And so, I think that's a bit of a shift for existing security teams trying to move into product security, for example. Why are we so behind in the shift though? Because we have autonomous driving cars. We have aircraft that have computers in them. We have all kinds of things where you can kill people. I think that overall there isn't quite as thorough of an understanding of how cybersecurity can be a risk in any of those. I think that medical devices are actually a little bit more mature than some of these other somewhat regulated industries. You know, you mentioned aircraft, automotive, obviously really strict requirements on them. But medical devices, the FDA, medical device regulators seem to be a little bit more aware of the fact, "Wow, this can really lead to pretty significant harm."
But you could make the same argument. You're in Phoenix, I'm in San Francisco. What if someone hacks into one of the Waymos out front? Someone tries to drive a Waymo through a stoplight or into a building. If someone can compromise it, which Waymos do support remote connectivity, someone can take it over in situations where, like if you try to go down to watch a baseball game here, generally someone takes over the Waymo and drives it instead of the AI. So what if someone bad uses that functionality? And I don't think that other industries are quite as aware of the risks and quite as mature with the risk. I take Waymos all the time, and I feel safer in Waymos than Ubers. And ironically, somebody's complaining to me like, "I would never take a Waymo. That's so crazy. You're such a reckless person." So the next day, this is when Waymo didn't go to the airport, I took an Uber and an 85-year-old woman showed up. She told us she was 85. Before my wife got all the way in the car, the door wasn't closed. She started taking off, and then she got lost. I had to direct her the way to the airport. So, I'm thinking, yeah, I've never had this happen with Waymo.