Designing Secure Medical Device Software with Randy Horton | Ep. 45
Episode Summary
This episode of The Med Device Cyber Podcast features Randy Horton of Orthogonal, a company specializing in software as a medical device (SaMD) development. The discussion emphasizes the critical need for integrating cybersecurity into the entire software development lifecycle, a "dev-sec-ops" approach, rather than treating it as a post-development add-on. Horton, along with hosts Christian and Trevor, advocates for viewing cybersecurity as an inherent aspect of quality software, arguing that well-built modern software fundamentally enhances medical device safety and effectiveness. The conversation highlights the stark contrast between the traditional, physically constrained engineering mindset of medical device development and the flexible, malleable nature of software. They address the challenges of shifting from a "move fast and break things" Silicon Valley mentality to the "move faster and break nothing" imperative of SaMD, where human lives are at stake. The episode also delves into the difficulties associated with implementing update mechanisms in medical devices, despite FDA guidance recommending this capability for in-field security patches. They underscore the importance of ongoing monitoring and patching, not just for regulatory compliance but as a competitive advantage for "born digital" medtech companies. The discussion touches on significant incidents, such as the UK NHS ransomware attack that resulted in fatalities, and the Illumina case, which underscore the severe consequences of neglecting cybersecurity. The episode concludes by stressing that while progress is being made, the challenge is continuous, requiring increased awareness and a proactive, risk-based approach to secure software development.
Key Takeaways
- Cybersecurity must be integrated into the software development lifecycle from the outset, adopting a "dev-sec-ops" approach rather than being an afterthought.
- Quality software inherently includes cybersecurity; a medical device that can be hacked and harm a patient is not a quality product.
- The traditional medical device engineering mindset, focused on physical constraints, struggles to adapt to the digital malleability of software, leading to cybersecurity challenges.
- Implementing robust update mechanisms in medical devices, as recommended by the FDA, is crucial for deploying security patches and receiving ongoing improvements, despite resistance from some manufacturers.
- Real-world incidents, such as ransomware attacks and legal actions against companies for cybersecurity failures, demonstrate the severe human and financial consequences of neglecting medical device cybersecurity.
- While regulatory compliance is a baseline, market competitiveness from "born digital" medtech companies will increasingly drive the adoption of secure and continuously updated software.
- Cybersecurity in medical devices is not merely a regulatory burden but a fundamental component of product quality that is essential for patient safety and organizational integrity.
- Embracing uncertainty and managing risk around the inherent digital flexibility of modern medical devices is crucial, rather than clinging to the outdated notion of fully locking down devices post-release.
Frequently Asked Questions
Quick answers drawn from this episode.
- This episode of The Med Device Cyber Podcast features Randy Horton of Orthogonal, a company specializing in software as a medical device (SaMD) development.
- Cybersecurity must be integrated into the software development lifecycle from the outset, adopting a "dev-sec-ops" approach rather than being an afterthought. Quality software inherently includes cybersecurity; a medical device that can be hacked and harm a patient is not a quality product. The traditional medical device engineering mindset, focused on...
- This episode covers FDA Premarket Cybersecurity. It's part of The Med Device Cyber Podcast, hosted by Blue Goat Cyber, focused on practical medical device cybersecurity guidance for MedTech teams.
- Horton, along with hosts Christian and Trevor, advocates for viewing cybersecurity as an inherent aspect of quality software, arguing that well-built modern software fundamentally enhances medical device safety and effectiveness. It's most useful for medical device manufacturers, cybersecurity engineers, regulatory affairs...
- Cybersecurity must be integrated into the software development lifecycle from the outset, adopting a "dev-sec-ops" approach rather than being an afterthought.