Episode 29 · July 15, 2025 · 51m listen · 656 words · ~3 min read
Shared Responsibility in Medical Device Cybersecurity with Greg Garcia | Ep. 28 - Full Transcript | The Med Device Cyber Podcast
Read the complete, searchable transcript of Episode 29 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.
Episode summary
This episode of The Med Device Cyber Podcast features Greg Garcia from the Health Sector Coordinating Council (HSCC), discussing the critical issue of shared responsibility in medical device cybersecurity. Garcia, with a background spanning the Department of Homeland Security and financial services, highlights the HSCC Cyber Security Working Group's efforts to foster collaboration between medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs). A central theme is moving past blame to develop unified strategies for medical device security. Garcia emphasizes the "secure by design" and "secure by default" principles, crucial for total lifecycle product security. He touches upon the challenge of legacy devices, the 2023 FDA guidance changes, and the economic pressures faced by resource-constrained healthcare providers. The discussion also covers the importance of shifting cybersecurity from a cost center to an integral part of patient safety, the limitations of current regulations for all healthcare-connected technologies, and the need for a unified approach to achieve regulatory and patient confidence in a secure medical ecosystem. Key initiatives like the Joint Security Plan (JSP) and managing legacy technology security (MALTS) are presented as vital, free resources developed by the industry for the industry.
Key takeaways from this episode
Cybersecurity is a shared responsibility across all stakeholders in the healthcare ecosystem, from medical device manufacturers to healthcare delivery organizations and IT companies.
The "secure by design" and "secure by default" principles are essential for establishing total lifecycle product security in medical devices.
Addressing legacy medical devices that are no longer supported requires collaborative strategies for maintaining security and planning for risk transfer.
The industry needs to shift its perception of cybersecurity from a costly burden to an indispensable component of patient safety.
Adopting industry-developed resources like the Joint Security Plan (JSP) and managing legacy technology security (MALTS) can significantly enhance cybersecurity posture.
Future regulation may need to expand beyond medical devices to encompass all technology systems critical to healthcare delivery, mirroring the rigor applied to critical infrastructure.
The Health Sector Coordinating Council (HSCC) offers free, collaboratively developed best practices and encourages participation to strengthen healthcare cybersecurity collectively.
Full episode transcript
Hello and welcome back to the Med Device Cyber Podcast. I'm your co-host Trevor Slatterie, our CTO, with our co-host Christian Espinosa, the founder and CEO of Blue Goat. Today we're joined by a very special guest, Greg Garcia from the Health Sector Coordinating Council.
We're going to be going over some pretty exciting stuff, talking about rounding up some of the legacy devices that we've seen in the wild that are facing some pretty nasty cybersecurity considerations. We'll discuss what the industry as a whole is doing to try to drive cybersecurity forward and how we're making sure that medical devices are safe, along with the steps that innovators should be taking.
My experience with medtech is that, like both of you and virtually everybody, I'm a patient. At a technical level, I'm not an expert in medical technology. As the executive director of the Cybersecurity Working Group of the Health Sector Coordinating Council, what I bring to this is a deep, long background in technology generally, cybersecurity specifically, and the intersection of public policy, business, and technology or business, operations, and technology. I was in a similar role with the financial services sector coordinating council many years ago. I was with a major American bank, and before that, I was with the Department of Homeland Security. I was the nation's first assistant secretary for cybersecurity and communications, appointed by President Bush in 2006.
In that role, coordinating our national critical infrastructure cybersecurity policy, I was exposed to all of the nation's critical infrastructure sectors. Healthcare is just one of them; telecommunications is another, financial services, oil and gas, electricity, transportation, chemicals, water—everything the public depends upon is considered critical infrastructure. My role at the Department of Homeland Security was to coordinate the public-private partnerships necessary for us to work together to identify and mitigate systemic threats, systemic cyber threats, to those critical sectors. I bring to the health sector since 2017 a background in information technology, financial services, the executive branch public policy, and in the Congress. I spent some time in Congress; in fact, the first bill I ever wrote and the last bill I ever wrote was the Cybersecurity Research and Development Act of 2002. So, I got to sit on the House floor and watch the bill I had worked on so heavily get passed into law. That was cool.
Now, with the health sector, I am less an expert on healthcare and medical devices. I've certainly learned a lot over the past seven years that I've been here. This role is more about making connections between healthcare as a business and as a delivery mechanism with the technology that's used for that, the public policy, and the operations. All of these interdependent, interconnected issues are part of this larger constellation. I rely on the thought leadership of our membership. The cyber working group now consists of about 470 healthcare organizations from across the spectrum: healthcare providers like the hospitals and the clinics; medical device companies; health IT companies like Cerner and Epic and others; the plans and the payers; the pharmaceutical; the labs; the blood organizations. All of them are part of this interconnected ecosystem.
They are the owners and operators; they are the ones who are responsible for securing this critical infrastructure and for understanding those interdependencies, those interconnections between all of those subsectors. Together, they recognize that cyber threats are a shared challenge across all of those subsectors and therefore a shared responsibility. So that's what brings us all together.
What are your thoughts generally on the legacy problem and what we can do about it, and also, do you think we're headed in the right direction?
The whole medical technology issue in healthcare is a fascinating one, and it's more severe but not dissimilar from what I experienced in the financial services sector. In those days, the banks were sort of yelling at the telcos and ISPs: