    New episodes weekly

    The Med Device Cyber Podcast

    Frontline conversations on medical device cybersecurity, FDA premarket guidance, SBOMs, penetration testing, and the hard-won lessons that keep patients safe.

    Hosted by Blue Goat Cyber
    FDA · IEC 62304 · ISO 14971
    The Catalogue

    Every episode, in one place.

    72 episodes & counting
    EP 071

    The Dangerous Gap in Global MedTech Security Awareness with Shahbaz Ahmed | Ep. 72

    In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa (CEO of Blue Goat Cyber) and Trevor Slattery (COO) are joined by Shahbaz Ahmed, an expert calling in from Pakistan and the founder of Leadership Studio. The conversation explores the nuanced differences between Eastern and Western leadership styles, the critical role of emotional intelligence in cross-cultural management, and the pressing need for cybersecurity awareness, particularly within the healthcare sector. Shahbaz introduces his professional background and the mission of his Leadership Studio, which aims to bridge the cultural and philosophical divides between East and West to foster more effective global leadership.

    The central argument of the discussion, presented by Shahbaz, is that Eastern cultures are predominantly driven by emotion, estimating that 90% of people in these regions make decisions based on feelings, while Western cultures tend to be more logic-driven. He contends that this fundamental difference is often overlooked by multinational corporations, leading to management challenges. According to Shahbaz, a successful leader in an Eastern context must learn to manage and connect with people on an emotional level, acknowledging the deep-seated importance of family and personal relationships. His Leadership Studio was created to serve as this cultural bridge, combining the "credibility of the West" with an understanding of the "emotions of the East." He categorizes leadership into two types: technical leadership, which is skill-based and specific, and overall leadership, which encompasses a broader vision and the ability to inspire and connect with diverse teams.

    The dialogue then transitions to the state of cybersecurity awareness. All participants agree that there is a significant global awareness gap, but Shahbaz highlights that in regions like Pakistan, the public is "totally unaware" of the risks associated with medical device cybersecurity. He passionately advocates for a grassroots approach to education, suggesting that initiatives should target medical colleges, nursing centers, and universities to instill a foundational understanding of these threats. The hosts concur, reflecting on their own challenges in simplifying complex cybersecurity concepts. Christian Espinosa notes that industry professionals often speak in a highly technical language that alienates their intended audience, underscoring the need to make the message accessible and relatable to foster real change.

    EP 070

    Why MedTech Needs Specialists with Zoltan Kevei and Saby Toth of Bishop & Co | 70

    In this episode of the Med Device Cyber Podcast, host Christian Espinosa is joined by Zoltan Kevei, Founder and CEO, and Szabolcs Tóth, a Regulatory and Quality Expert, from Bishop & Co., a Hungarian software and regulatory consultancy specializing in the MedTech industry. The discussion revolves around the complex and evolving landscape of bringing medical software and devices to market, comparing the regulatory environments of the European Union and the United States, and exploring the role of emerging technologies like Artificial Intelligence (AI) in software development.

    The guests begin by addressing a major strategic shift in the MedTech industry. Historically, the EU was considered the easier and faster entry point for new medical devices. However, with the implementation of the new, more stringent EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR), this has changed dramatically. Tóth explains that these new regulations have created a significant bottleneck, drastically reducing the number of Notified Bodies available for certification and extending approval timelines to anywhere from 9-13 months, sometimes even up to two years. This has led many innovators to pivot their strategy, targeting the more stable and predictable US FDA approval process first, despite the US being a larger and historically more challenging market. They emphasize that navigating this landscape requires deep, specialized expertise, framing the process with the adage, “it takes a village” to successfully bring a product to market.

    A significant portion of the conversation focuses on the integration and impact of AI in software engineering. Both guests offer cautionary perspectives, arguing that while AI is a powerful tool, it is not a substitute for human expertise. Tóth uses the compelling analogy of a power drill: it is an excellent tool that makes a carpenter more efficient, but it does not make a novice into a carpenter. Similarly, AI can augment the work of experienced engineers but can lead to significant problems if relied upon without expert oversight. Kevei warns that teams relying too heavily on AI can be led "into the deep forest," producing inefficient or flawed code that costs a great deal of time and money to fix. This underscores the critical importance of keeping a seasoned human expert in the loop to guide development and validate AI-generated work. They also touch on the trend of companies using "AI" as a buzzword to attract investors, which can unnecessarily complicate regulatory pathways and add scrutiny to projects where a simpler, deterministic algorithm would have sufficed. The consensus is that innovators must be diligent and strategic, engaging specialized partners early to manage risk, ensure quality, and navigate the complex journey from concept to market.

    EP 069

    Science Before Hype in MedTech Investing with Varun Turlapati of Chaanakya Capital | Ep. 69

    In this episode of the Med Device Cyber Podcast, host Christian Espinosa welcomes Varun Turlapati, Managing Director of Chaanakya Capital, an early-stage venture capital firm specializing in Neurotech and MedTech. Varun, whose background is in software engineering, explains that his firm focuses on pre-seed to Series A investments in companies developing genuine, science-backed medical technology. He draws a sharp distinction between legitimate, medically grounded devices and what he terms "sham devices"—products that might gain traction and quick financial returns but lack scientific validity. Chaanakya Capital's investment philosophy is rooted in finding companies that solve real-world clinical problems, with a strong emphasis on the underlying science and a viable economic model that considers regulatory and reimbursement pathways.

    A significant portion of the discussion revolves around the critical importance of cybersecurity in the medical device sector. Both Varun and Christian stress that cybersecurity cannot be an afterthought. Christian argues that a modest upfront investment in expert cybersecurity consulting can save startups hundreds of thousands of dollars in rework and prevent major headaches down the line. He points out that poor early-stage decisions, such as choosing hardware that doesn't support necessary security requirements, can force companies to roll back features and incur significant costs. Varun builds on this by highlighting the dramatically higher stakes in MedTech compared to other industries like B2B SaaS. While a hack in a software company might result in data loss, a compromised medical device could lead to a loss of life, making robust security non-negotiable.

    Varun also shares his passion for the neurotech field, stating that humanity's understanding of the brain is still in its infancy compared to our knowledge of deep space or ocean mining. He is motivated by the potential to advance treatments for complex neurological conditions such as Alzheimer's, Parkinson's, and the effects of stroke, offering alternatives to pharmaceuticals. He discusses his firm's approach to due diligence, which now includes a strong focus on a company's cybersecurity plan. Varun's vision is to not only generate returns but also to create a meaningful impact by supporting innovations that advance the human condition, starting with a deeper understanding and treatment of the brain.

    EP 042

    De-Risking Product Decisions in MedTech Startups with Brent Lavin of Ironwood MedTech Partners | 67

    In this episode of the Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by Brent Lavin, the Chief Product Catalyst at Ironwood Medtech Partners. Brent brings a wealth of experience from his extensive career in the medical technology sector, which began with an engineering degree and evolved into a passion for product management. He details his journey from working in product development with a CDMO, to key roles at GE Healthcare in the imaging space, and later with C.R. Bard (now BD) in breast biopsy and peripheral vascular devices. This background has given him a unique perspective on the intersection of innovation, strategy, and marketing in the highly regulated MedTech field. Recently, Brent founded Ironwood Medtech Partners to assist early-stage (Series A and B) companies in de-risking their product decisions, aligning their go-to-market strategy, and ultimately achieving successful commercialization or a strategic exit.

    The core of the conversation centers on the critical principles of successful product development and market entry in the MedTech industry. Brent argues compellingly against the common pitfall of creating overly complex, feature-rich products that try to be everything to everyone. He uses a personal anecdote about a lab equipment project that became bloated with optionality, leading to development struggles. The key, he asserts, is to make deliberate, strategic tradeoffs to design a product that is simplified and sufficient for a specific, well-defined customer segment. This approach not only streamlines the development and regulatory process but also creates what Brent calls a 'sticky' product—a device that is so seamlessly integrated into a clinical workflow that it becomes indispensable and difficult to replace. This philosophy is crucial for achieving long-term customer retention and market share.

    Furthermore, Brent challenges the conventional wisdom of the 'first-mover advantage,' suggesting that in MedTech, being the second mover is often more strategic. He explains that second movers can learn from the costly mistakes made by pioneers in areas like clinical trial design, regulatory navigation, and product positioning. By observing the market's reaction to the initial product, a follow-on company can refine its offering and strategy to better meet customer needs and avoid known hurdles. The discussion also touches upon the evolving business landscape, including the growing influence of the 'economic buyer' in hospitals and the importance of building a realistic, bottom-up revenue model rather than relying on abstract top-down market-size estimates. Brent's insights paint a picture of the MedTech industry as a complex but rewarding field—'life on hard mode'—where success hinges on a deep understanding of the customer ecosystem, strategic alignment, and the discipline to build the right product for the right market.

    EP 065

    Vibe Coding Security Risks and Malicious Code Injection with Jake Rodriguez of Triangle Tech | Ep.66

    In this episode of the Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by special guest Jake Rodriguez, CEO and Founder of Triangle Tech. Jake shares his unconventional journey from a pre-pharmacy track at Virginia Commonwealth University to becoming a B2B marketing entrepreneur specializing in the pharma, life science, and tech sectors. His pivot was sparked during the COVID-19 pandemic while researching the differences between traditional and mRNA vaccines. Frustrated by the lack of accessible information on traditional methods, he delved into Google SEO, which ignited a passion for digital marketing and led to the creation of his own agency.

    The core of the conversation revolves around the intersection of artificial intelligence, marketing, and cybersecurity. The group discusses the significant shift in user behavior, with younger generations increasingly turning to Large Language Models (LLMs) like Gemini, Claude, and ChatGPT for information, moving away from traditional Google searches. This transition presents new challenges and opportunities for SEO, as companies must now optimize their content not just for search engines but for AI-driven platforms. Jake explains that these LLMs often pull information from high-traffic, user-generated content sites like Reddit and Quora, making a multi-channel, omnichannel brand presence more critical than ever. The discussion also introduces the emerging concept of "vibe coding," a more fluid and creative approach to software development where developers use AI to rapidly generate applications based on an idea or a "vibe" rather than a rigid set of specifications, a method starkly contrasted with the highly structured and regulated process required for medical device software.

    The podcast also delves into the security implications of this technological wave. A major concern raised is the potential for malicious actors to exploit AI. Through creative prompt engineering, hackers can trick AI models into bypassing their built-in safety guardrails to generate malicious code or reveal sensitive information. The hosts draw parallels between this and traditional social engineering, but now targeted at AI instead of people. The conversation touches upon everyday cybersecurity risks, such as users unknowingly granting invasive permissions to mobile applications, allowing them to access microphones and cameras. This highlights a broader theme of a lack of consumer awareness regarding digital privacy. The participants agree that while AI is a powerful tool for ideation and refining content, its unreliability, potential for hallucinations, and security vulnerabilities make it unsuitable for critical, end-to-end development in regulated industries like medical technology, where safety and verifiability are paramount.

    EP 059

    Who Owns Patient Data Security in Trials with Rob Bedford, CEO of Franklyn Health | Ep.65

    This episode of the Med Device Cyber Podcast, hosted by Christian Espinosa and Trevor Slattery of Blue Goat Cyber, features a detailed discussion with Rob Bedford, the co-founder and CEO of Franklyn Health, a Contract Research Organization (CRO) specializing in serving the medical technology (MedTech) sector. Rob Bedford shares his journey from being a neuroscientist and working within the NHS to identifying a critical gap in the clinical research market. He explains that his company was founded to address the specific needs of small and medium-sized MedTech companies, which he observed were often deprioritized by larger CROs in favor of more lucrative pharmaceutical clients. This lack of focus often left MedTech innovators feeling unheard and struggling with limited budgets and tight timelines.

    The core of the conversation revolves around the numerous challenges MedTech startups face on their path to commercialization and how a specialized CRO can assist. Rob highlights that for these smaller companies, efficiency in both cost and speed is paramount due to pressures from investors and limited financial runways. The podcast delves into the complexities of the clinical trial process, clarifying the distinction between pre-clinical (animal) studies and the different phases of clinical (human) studies, such as first-in-human feasibility trials and larger pivotal studies. A significant challenge discussed is patient enrollment, which is often the biggest hurdle in clinical research, requiring a delicate balance of finding patients who are both eligible based on strict criteria and willing to participate in trials for often untested technologies. The discussion also touches on the global nature of regulatory approvals, emphasizing that agencies like the FDA often require clinical data from a representative US patient population, meaning studies conducted solely in other regions may need to be supplemented or repeated.

    A recurring theme throughout the episode is the critical importance of early and holistic planning. The hosts and guest stress that key aspects like regulatory strategy, clinical trial design, and especially cybersecurity, cannot be afterthoughts. They advocate for a "security by design" approach, where cybersecurity is integrated from the very beginning of the product development lifecycle. The speakers warn that retrofitting security measures late in the process is not only more expensive and time-consuming but can also risk invalidating previous software validation and clinical data, potentially derailing the entire regulatory submission. The conversation also clarifies the distinction between responsibility and accountability, noting that while a manufacturer can delegate the responsibility for tasks like software development or clinical trials to a CRO, the ultimate accountability for the product's safety, efficacy, and security remains with the manufacturer.

    EP 028

    Start QMS Early to Avoid Reverse Documentation with Dr. Basant Bajpai | Ep.64

    In this episode of the Med Device Cyber Podcast, host Trevor Slattery is joined by special guest Dr. Basant Bajpai, the CEO of Compliance MedQRA, a regulatory consulting firm based in Dubai that also offers an automated Quality Management System (QMS). Dr. Bajpai, who holds a PhD in neuromonitoring and neurosciences, discusses the critical importance of a properly implemented QMS for MedTech companies, particularly for startups and those in the early stages of development. He identifies a major pitfall in the industry: companies often either delay implementing a QMS or opt for overly complex, expensive systems when a simple, scalable, and traceable solution would be more effective. This mistake frequently leads to audit failures, as companies are unable to retroactively prove the traceability of their development and design processes.

    The core argument presented by Dr. Bajpai is the necessity of integrating a QMS from the very beginning of the product lifecycle, starting at the concept and R&D stages. He explains that while manual systems like shared drives might seem sufficient initially, they quickly become unmanageable and unscalable, resulting in significant time and financial costs to reverse-document everything for regulatory submissions. By establishing a solid, traceable foundation early on, companies can scale their operations smoothly.

    The conversation also explores the role of Artificial Intelligence (AI) in this space. Both speakers agree that AI is a powerful tool for assisting and improving efficiency, such as drafting documentation and flagging compliance gaps. However, they strongly caution against letting AI take full ownership. The principle of a "human in the loop" is stressed as essential for validating AI-generated content, ensuring accuracy, and maintaining ultimate responsibility, especially for critical functions like traceability, which Dr. Bajpai advises should remain a manual process to avoid potential disasters. The discussion highlights that a well-structured QMS is not just a regulatory hurdle but a fundamental business system for survival and success in the highly regulated MedTech industry. The importance of integrating cybersecurity considerations early, in parallel with the QMS, is also underscored as a key factor in preventing regulatory pushback and ensuring a smoother path to market.

    Produced by Blue Goat Cyber — medical device cybersecurity consulting.

    About the Show

    Where MedTech meets the adversary mindset.

    Brought to you by Blue Goat Cyber, The Med Device Cyber Podcast unpacks the regulations, attacks, and engineering decisions shaping the future of connected medical devices.

    From premarket submissions to postmarket vulnerability response, built for product security teams, regulatory leads, and the engineers in the trenches.

    Meet the Host

    Practitioner, not pundit.

    Every episode is hosted by an operator who does this work daily, leading FDA submissions, threat modeling sessions, and pen tests for real medical device manufacturers.

    Christian Espinosa

    Founder & CEO, Blue Goat Cyber

    U.S. Air Force veteran with decades of cybersecurity experience across defense, critical infrastructure, and MedTech. Founded Blue Goat Cyber in 2022 to help manufacturers build security in from the start and move through FDA review with confidence.

    FDA Premarket Cybersecurity · Threat Modeling · Risk Management
    Be a Guest

    Have a story worth sharing?

    We're always looking for medical device cybersecurity practitioners, regulatory leaders, and security researchers with a sharp point of view. Pitch us below.

    Listen Anywhere

    New episodes drop weekly. Subscribe to never miss the next deep dive.