Episode 53 · December 30, 2025 · 24m listen · 1,855 words · ~9 min read

Medical Device Cyber Failures Become Fatal | Ep. 52 - Full Transcript | The Med Device Cyber Podcast

Read the complete, searchable transcript of Episode 53 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

Prefer the listening experience? Open the episode page for the synopsis, key takeaways, topics, and Apple / YouTube listen links.

Episode summary

This episode of The Med Device Cyber Podcast delves into the critical and increasingly urgent issue of medical device cyber failures, exploring instances where vulnerabilities have led to direct patient harm, including fatalities. Hosts Trevor Slatterie and Christian Espinosa discuss pivotal historical events such as the 2017 WannaCry ransomware attack, which served as a catalyst for modern cybersecurity requirements in healthcare. The discussion highlights the severe downstream effects of ransomware on healthcare delivery organizations, ranging from operational shutdowns to an inability to provide critical patient care, citing evidence that directly links cyberattacks to patient deaths, notably in the NHS blood centers incident in the UK. Beyond ransomware, the episode unpacks targeted attacks, referencing the theorized and later proven vulnerabilities in implantable devices like pacemakers and defibrillators, drawing parallels to incidents involving Dick Cheney and Medtronic devices. The hosts also touch upon the dangers of software errors, such as the Therac-25 recall, and the emerging challenges of AI in therapy, where a lack of guardrails can lead to catastrophic safety concerns. The conversation underscores the FDA's heightened scrutiny and the industry's shift towards proactive cybersecurity measures, emphasizing that while compliance can be challenging, it is essential for ensuring patient safety and device quality.

Key takeaways from this episode

The 2017 WannaCry ransomware attack was a significant catalyst for the implementation of modern cybersecurity requirements in medical devices and healthcare delivery organizations.
Cyberattacks, particularly ransomware, can have severe downstream effects on healthcare operations, directly leading to patient harm, an inability to provide critical treatment, and even death.
Targeted attacks on implantable medical devices, such as pacemakers and defibrillators, have been proven possible and pose a serious risk, necessitating robust security measures for device integrity and patient safety.
The integration of AI in medical devices and therapy requires stringent guardrails and validation to prevent harmful outputs and ensure patient safety, as demonstrated by incidents of AI encouraging suicidal ideation.
Regulatory bodies like the FDA are increasingly enforcing cybersecurity due diligence for medical device manufacturers, shifting the industry towards proactive security postures to minimize risks to patients.
Cybersecurity in medical devices, while often perceived as a 'necessary evil,' is fundamentally about ensuring patient safety, preventing risks ranging from widespread ransomware to targeted individual harm, and guaranteeing the quality and effectiveness of healthcare technology.

Full episode transcript

Hello and welcome back to another episode of the Med Device Cyber Podcast. We're your co-hosts, Trevor Slatterie and Christian Espinosa. Today, we're going to talk about some situations and incidents that have come up where medical device hacks, vulnerabilities, and problems have led to direct tangible harm, or in many cases, even death, against individuals. It's definitely a very serious topic. There's a lot that can go wrong within the medical space. We want to make sure that we're learning lessons, of course, from all of these areas and understanding what we can do in collaboration with the regulators to ensure that this isn't happening anymore. First, I'll check in with you. How are you doing, Christian, today? I know you've been on a pretty crazy travel schedule. So, just settling down and back home in Phoenix for what, one day, two days? I just got back from Singapore on Sunday. I was there for eight days. So, I felt like I finally got acclimated to their schedule and now I'm here. I was going to be here for one day, but I changed the flight. So, I'm here for three days. So, not enough time to get acclimated here and then I'm heading to Europe tomorrow, actually. Perfect. Well, yeah, at least get a little bit of respite moving it to three days as opposed to one day. Well, I need a little bit of time to catch up on a few things and, you know, I actually enjoy my condo. So, I feel like I'm paying for this condo, but I'm never here. Well, talking about some of the issues that we've seen come up with medical devices, there's definitely deep history on vulnerabilities and incidents where there's been tangible patient harm. Actually, one of the events that really drove home some of the modern cybersecurity requirements that we see today was a ransomware attack in 2017, the WannaCry ransomware attack. A lot of medical devices were affected, hospital operations screeched to a halt, and that started to underline the importance of cybersecurity within these products. So, there are new breaches, new problems, and new events. I know everyone sees ransomware on the news; it feels like every other day something is getting ransomed. But the regulators are trying to make an effort to stop some of this from happening. So, we can start a little bit about talking about what WannaCry was for anyone unfamiliar and then go into some more of the incidents that we've seen. For background, ransomware is something everyone would be familiar with. It's a non-targeted virus that gets into a computer and spreads into everything. It goes to any connected computers, encrypts all the information so that nothing is accessible. The attackers steal a copy of it; they threaten to release it into the public if someone does not pay a ransom. When they're stealing this information from a hospital, this is going to contain extremely sensitive records. This is going to have a lot of patient information, often payment information as well. So, it's very, very valuable to attackers. That's why hospitals are so commonly ransomed. WannaCry was an especially dangerous version that happened in 2017 and, like I said, that really acted as the catalyst for some of these regulators to start raising the bar with cybersecurity. You have to think about it, if you're a hospital, and I remember I saw an episode of Chicago Med, but they actually had a ransomware attack in there and the hospital didn't know what to do, and patients were basically dying because they couldn't intake a patient when an ambulance would show up. All the systems were down, so one of the doctors actually paid the ransom out of his own pocket because the hospital didn't have a policy for it. I think that episode, I think it's called Chicago Med, was pretty much based on reality from my experience. Yeah, when that happens, when ransomware hits a healthcare delivery organization, there's not that much that can be done anymore. We are in an extremely online world. The overwhelming majority of medical products are now internet connected. Anything relating to payment, record storage, or even note-taking is often going to be entirely online or digitally stored. Obviously, there are tons of advantages for that. I mean, we look at the fact that we're in a podcast recording right now with me being in California and you being in Arizona. Awesome advantages to this technology, but when it goes down, everything goes down. Even recently, there was this ransomware attack against United Healthcare. I believe it was United, there was an insurance provider that had a ransomware incident and people were not able to get reimbursed and people were not able to pay for their services even at unaffected hospitals. So, the downstream effect of ransomware can be extremely severe, and yeah, not too unrealistic there.

1 / 3