    Episode 2 · October 14, 2025 · 24m listen · 4,070 words · ~20 min read

    5 Most Common Misconceptions of Medical Device Security | Ep. 41 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 2 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa, founder and CEO of Blue Goat Cyber, and co-host Trevor Slattery tackle the most common and critical misconceptions surrounding medical device cybersecurity. Broadcasting from Tempe, Arizona, and San Francisco respectively, the duo distills their extensive experience dealing with clients and prospects into a discussion of the top five misunderstandings that can lead to significant vulnerabilities and regulatory hurdles. The episode is framed as an essential guide for medical device manufacturers, investors, and anyone involved in the med-tech industry, aiming to clarify the unique challenges and priorities of securing devices that directly impact patient health. The central argument of the episode revolves around the first and most prevalent misconception: that cybersecurity is primarily about protecting data. Espinosa and Slattery vehemently argue against this notion, asserting that in the context of medical devices, patient safety is the paramount concern. They draw a sharp distinction between traditional IT security, historically known as 'information security,' and the specialized field of medical device cybersecurity. While data breaches are serious, a compromised medical device—such as a hacked insulin pump or defibrillator—can cause direct physical harm or death. They use vivid examples to illustrate this point, such as an attacker remotely increasing the dosage on an infusion pump to cause an overdose. This patient-centric risk model, they explain, fundamentally changes how security should be approached, assessed, and implemented, shifting the focus from data confidentiality to the operational integrity and safety of the device's function. 
The hosts briefly introduce other key misconceptions they plan to cover, including the mistaken belief that a device is not a 'cyber device' if it doesn't connect to the internet, and the idea that cybersecurity can be treated as a one-time, checklist item rather than an integrated, lifecycle-long process. They also touch upon the flawed assumption that software developers are inherently equipped to handle security and that all cybersecurity expertise is interchangeable. By debunking these myths, the podcast aims to educate the industry on the necessity of a specialized, proactive, and safety-focused approach to cybersecurity, highlighting the significant business and human risks of getting it wrong.

    Key takeaways from this episode

    • In medical device cybersecurity, the primary priority is patient safety, which takes precedence over data protection.
    • Unlike traditional IT security focused on data, med-tech security must manage the risk of direct physical harm to patients from compromised devices.
    • The historical term 'information security' contributes to the common misconception that data protection is the sole goal, which is inaccurate for medical devices.
    • A device is considered a 'cyber device' by regulators if it has any technological interface for data transfer (like USB, Bluetooth, or RFID), not just an internet connection.
    • Cybersecurity is not a one-time check but an iterative process that must be integrated throughout the entire product lifecycle, from initial design to final disposal.
    • Building software and breaking software are distinct skill sets; software developers are not automatically cybersecurity experts, and a dedicated security mindset is required.
    • Medical device cybersecurity is a specialized field with unique regulatory requirements and risk models that differ significantly from traditional IT or data-centric security.
    • Physical harm to a patient is an added and critical layer of risk in MedTech that is not present in most other industries like banking, demanding a different approach to security.

    Full episode transcript

Page 1 of 5 · Paragraphs 1 - 13
Christian: Hi, welcome back to another episode of the Med Device Cyber Podcast. It's a very interesting conversation today because there are a lot of misconceptions, but we've distilled it down to the top five that we hear all the time from prospects, clients, and conversations at events, et cetera. I'm your host Christian Espinosa, founder and CEO of Blue Goat Cyber. I'm coming to you from Tempe, Arizona, looking at the lovely Tempe Town Lake. I noticed this is the last year of the Ironman Arizona, so I'm going to miss it. It was one of my fastest races. And I'm here today with Trevor Slattery, our co-host, coming from San Francisco.

Trevor: San Francisco, the foggy city with luckily no fog today, so that's pretty nice.

Christian: Awesome. So let's dive into number one. It's about the data. This is a misconception. Everyone I talk to, including investors, when they think about cybersecurity, even in med tech, they always talk about protecting the data. Now what is wrong with that misconception?

Trevor: Well, of course data is something that's very important, and I think part of where this misconception comes from is that it's usually the first thought people have when they think of cybersecurity: you're protecting information in information security. But with medical devices, we have this added layer of…

Christian: Oh, that's a good point, it used to be called information security.

Trevor: Yeah. And you know, you still say, oh well, it's IT testing, information technology, it's all about the information. But we have this unique situation with medical devices where a compromise in a product for medical application can hurt someone directly. Think about if, you know, someone cranks your infusion pump or like an insulin pump up to 11, that could cause you to overdose really, really fast. And that's unique where let's say I hacked into a bank or something. Of course, you could steal information, you could steal money, you could do a lot of really nasty things, but you couldn't hurt someone or you couldn't kill someone. And with medical device cybersecurity, that is an added layer.

Christian: We're not saying that the data is not important. It's just, from a priority perspective, it is less important than the patient safety. I mean, imagine if you have a defibrillator and someone is shocking you to death, and at the same time they're stealing your protected health information, which one would you care about more, right? Probably being shocked to death.

Trevor: I'd probably want to live to be upset about my data getting stolen, personally.

Christian: Exactly. Exactly. So they're both important, but they're not equally important.

Trevor: And I think it's especially a unique situation since traditional cybersecurity is so focused around assessing risk to data. It becomes a bit of a new situation with medical devices. And we always talk about with, you know, our clients, our prospects, here's how we're assessing risk. We're talking about what can you do to an individual. Can you cause discomfort, harm, death? And doing that, you look at any traditional cybersecurity metric like CVSS scoring or like DREAD assessments or whatever, there's no box you can tick saying, "Can you kill someone with this?" And so, it's something that's super new and requires a little bit of a unique process. And so I think that's a bit of a shift for existing security teams trying to move into like product security, for example.

Christian: Why are we so behind on this shift, though? Because we have like autonomous driving cars, we have aircraft that have computers in them, we have all kinds of things where you can kill people.

Trevor: I think that overall, there isn't quite as thorough of an understanding of how cybersecurity can be a risk in any of those. I think that medical devices are actually a little bit more mature than some of these other somewhat regulated industries. I, you know, mentioned like aircraft, automotive, obviously really strict requirements on them. But medical devices, the FDA, medical device regulators seem to be a little bit more aware of the fact, wow, this can really lead to pretty significant harm. But you could make the same argument, you know, you're in Phoenix, I'm in San Francisco, what if someone hacks into one of the Waymos out front, you know? Someone tries to drive a Waymo through a stoplight or into a building. If someone can compromise it, which Waymos do support remote connectivity, someone can take it over in situations where like, if you try to go down to watch a baseball game here, generally someone takes over the Waymo and drives it instead of the AI. So what if someone bad uses that functionality? And I don't think that other industries are quite as aware of the risks and quite as mature with the risk.