    Episode 002 · October 14, 2025 · 24m listen

    5 Most Common Misconceptions of Medical Device Security | Ep. 41

    Episode Summary

    This episode of The Med Device Cyber Podcast debunks five common misconceptions surrounding medical device cybersecurity, offering critical insights for product security teams, regulatory leads, and engineers. Christian Espinosa and Trevor Slattery explore the misguided focus solely on data protection, emphasizing that patient safety takes precedence over data in the medical device context—a crucial distinction from traditional cybersecurity. They clarify the broad definition of a "cyber device," highlighting that even seemingly isolated devices with USB ports or Bluetooth capabilities fall under this classification according to FDA guidance. The discussion also challenges the notion of treating cybersecurity as a one-time activity, advocating for a "security by design" and total product lifecycle approach to avoid costly delays and rework. Furthermore, the hosts address the misconception that software developers inherently possess adequate cybersecurity expertise, underscoring the distinct skill sets required for building versus breaking software. Finally, the episode differentiates medical device cybersecurity from traditional cybersecurity, emphasizing unique regulatory requirements, specialized testing methodologies, and patient safety-centric risk assessments.

    Key Takeaways

    1. Patient safety is the paramount concern in medical device cybersecurity, superseding data protection in terms of priority.
    2. Many devices, even those with limited connectivity like USB ports or Bluetooth, are considered "cyber devices" by the FDA and require robust cybersecurity considerations.
    3. Integrate cybersecurity throughout the entire product lifecycle, from design to disposal, rather than treating it as a one-off compliance task, to mitigate risks and avoid submission delays.
    4. Software development and cybersecurity are distinct skill sets; do not assume developers have comprehensive cybersecurity expertise without intentional training or dedicated personnel.
    5. Medical device cybersecurity demands specialized knowledge, testing, and documentation that differ significantly from traditional cybersecurity practices due to its unique regulatory landscape and patient safety focus.



    Transcript

    Hi, welcome back to another episode of The Med Device Cyber Podcast. It's a very interesting conversation today because there are a lot of misconceptions, but we distilled it down to the top five that we hear all the time from prospects, clients, and conversations at events, etc. I'm your host, Christian Espinosa, founder and CEO of Blue Goat Cyber. I'm coming to you from Tempe, Arizona, looking at the lovely Tempe Town Lake. I noticed this is the last year for Ironman Arizona, so I'm going to miss it. It was one of my fastest races. And I'm here today with Trevor Slattery, our co-host, coming from San Francisco, the foggy city with luckily no fog today. So that's pretty nice. Awesome.

    So let's dive into number one. It's about the data. This is a misconception. Everyone I talk to, including investors, when they think about cybersecurity, even in medtech, they always talk about protecting the data. Now, what is wrong with that misconception? Well, of course, data is something that's very important, and I think part of where this misconception comes from is that it's usually the first thought people have when they think of cybersecurity. You're protecting information in information security. But with medical devices, we have this added layer. That's a good point. It did used to be called information security. And you know, you still say, "Oh, well, it's IT testing, information technology. It's all about the information." But we have this unique situation with medical devices where a compromise in a product for medical application can hurt someone directly. Think about if someone cranks your infusion pump or an insulin pump up to 11. That could cause you to overdose really, really fast. And that's unique where let's say I hacked into a bank or something. Of course, you could steal information, you could steal money, you could do a lot of really nasty things, but you couldn't hurt someone there. You couldn't kill someone.

    And with medical device cybersecurity, that is an added layer. We're not saying that the data is not important. It's just from a priority perspective, it's less important than the patient safety. I mean, imagine if you have a defibrillator at the same time they're stealing your protected health information. Which one would you care about more? Probably being shocked to death. I'd probably want to live to be upset about my data getting stolen personally. Exactly. Exactly.

    They're both important, but they're not equally important. And I think it's especially a unique situation since traditional cybersecurity is so focused around assessing risk to data. It becomes a bit of a new situation with medical devices. And we always talk about with our clients, our prospects, "Here's how we're assessing risk. We're talking about what can you do to an individual? Can you cause discomfort, harm, death?" And doing that, you look at any traditional cybersecurity metric like CVSS scoring or DREAD assessments or whatever, there's no box you can tick saying, "Can you kill someone with this?" And so, it's something that's super new and requires a little bit of a unique process. And so, I think that's a bit of a shift for existing security teams trying to move into product security, for example.

    Why are we so behind in the shift though? Because we have autonomous driving cars. We have aircraft that have computers in them. We have all kinds of things where you can kill people. I think that overall there isn't quite as thorough of an understanding of how cybersecurity can be a risk in any of those. I think that medical devices are actually a little bit more mature than some of these other somewhat regulated industries. You know, you mentioned aircraft, automotive, obviously really strict requirements on them. But medical devices, the FDA, medical device regulators seem to be a little bit more aware of the fact, "Wow, this can really lead to pretty significant harm."

    But you could make the same argument. You're in Phoenix, I'm in San Francisco. What if someone hacks into one of the Waymos out front? Someone tries to drive a Waymo through a stoplight or into a building. If someone can compromise it, which Waymos do support remote connectivity, someone can take it over in situations where, like if you try to go down to watch a baseball game here, generally someone takes over the Waymo and drives it instead of the AI. So what if someone bad uses that functionality? And I don't think that other industries are quite as aware of the risks and quite as mature with the risk.

    I take Waymos all the time, and I feel safer in Waymos than Ubers. And ironically, somebody's complaining to me like, "I would never take a Waymo. That's so crazy. You're such a reckless person." So the next day, this is when Waymo didn't go to the airport, I took an Uber and an 85-year-old woman showed up. She told us she was 85. Before my wife got all the way in the car, the door wasn't closed. She started taking off, and then she got lost. I had to direct her the way to the airport. So, I'm thinking, yeah, I've never had this happen with Waymo. I one time in Boston had an Uber driver get on the exit ramp on the highway with all the signs saying
