    Episode 13 · October 15, 2024 · 14m listen · 830 words · ~4 min read

    Cybersecurity for Medical Devices: Protecting Human Lives | Ep. 1 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 13 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This inaugural episode of "The Med Device Cyber Podcast" introduces the critical field of medical device cybersecurity through compelling personal anecdotes and expert discussion. Hosts Christian Espinosa and Trevor delve into the profound impact of medical devices on patient safety, sharing their own life-saving experiences with an ECG monitor and a Doppler ultrasound. The conversation highlights the stark contrast between traditional cybersecurity, which primarily focuses on data confidentiality and financial impact, and medical device cybersecurity, where the paramount concerns are integrity and availability, directly affecting patient life or death. The episode explores the devastating consequences of cyberattacks like WannaCry on hospital systems and Windows-based medical devices, emphasizing how ransomware can lead to delayed treatment and patient harm. They also discuss the unique vulnerabilities of implantable devices, such as pacemakers and insulin pumps, citing historical incidents and research by Barnaby Jack. This foundational episode sets the stage for understanding the crucial role of robust cybersecurity in safeguarding human lives within the rapidly evolving medical technology landscape, touching upon product security, risk management, and the need for greater security transparency.

    Key takeaways from this episode

    • Medical device cybersecurity prioritizes integrity and availability to ensure patient safety, unlike traditional cybersecurity's focus on confidentiality and financial impact.
    • Cyberattacks like WannaCry can have fatal consequences in healthcare settings by disrupting critical medical devices and delaying patient care.
    • Many medical devices, including those running Windows operating systems, are vulnerable to ransomware attacks, highlighting the necessity of integrated security measures.
    • Implantable medical devices like pacemakers and insulin pumps present unique cybersecurity risks, as their compromise can directly lead to patient harm or death.
    • The medical device cybersecurity field demands a comprehensive approach to risk management and secure product development to prevent life-threatening vulnerabilities.
    • Incidents such as hacking of pacemakers and insulin pumps demonstrate the urgent need for stringent security protocols in medical device design and deployment.

    Full episode transcript

    Hi, I'm Christian Espinosa, I'm the founder and CEO of Blue Goat Cyber. We do medical device cybersecurity. I'm here with Trevor today. Trevor, you want to do a quick intro of yourself?

    Sure. Hi, I'm Trevor. I'm the director of medical device cybersecurity at Blue Goat Cyber.

    Awesome. Medical device cybersecurity is one of our passions, and from what I understand, Trevor, you had some issues when you were younger where a medical device may have saved your life. Can you maybe dive into that a little bit?

    Definitely. So when I was younger, around eight or nine, I had a pretty severe case of tachycardia. I had a resting heart rate at around 240 beats per minute.

    240? That's like super high, isn't it? Yeah, I've never heard of that.

    It's really high, and it's pretty life-threatening if you don't catch it early on. But I was able to catch it pretty quickly after it happened. I underwent some heart surgery, got everything all sorted out. Now, the problem with tachycardia is it tends to just come back, and there's no real way of predicting whether or not it will come back. And it can come back anytime from a week after surgery to a year, two years. Even two years is typically the upper limit. But as part of that, I was wearing an ECG monitor the entire time. And this ECG monitor, I had all these electrodes hooked up to me 24/7 for two years. It was monitoring anything to do with my heart. It was monitoring the, you know, pattern if it went up too high, if it went down too low. And then that was going to a phone with a Bluetooth connection that was getting uploaded to the cloud. And then my doctor was able to monitor that, see if anything was out of place. And then he was able to see if something was going wrong, something was coming back, he could let me know. Luckily, that never ended up happening. I went through the whole, you know, monitoring process and never came back. And then that's been quite some time now, and I don't have anything to worry about there.

    Yeah, and haven't we worked on some very similar devices in Blue Goat and made them secure?

    Yeah, we've worked on both ends of the process, actually. We've done some stuff with the monitoring software up in the cloud, which is pretty interesting, that's taking in the ECG data feed and performing analysis, alerting clinicians. And then we've also been able to check on some of these devices and so continuous ECG monitoring, some things of that nature. So it's kind of interesting to see every part of the process and each step, you know, this device that I'd seen so much as a kid, and now I get to know exactly how it works and get hands-on with a bunch of them.

    Yeah, that's pretty cool. I have a story as well with medical devices. A couple of years ago, about two and a half years ago, I was walking up the stairs and my leg was hurting severely. I had just worked out, done like a hundred burpees. I was in pretty good shape back then, and I thought I just pulled a muscle. But a friend of mine told me to go to the hospital and said that I might have blood clots. And I'm like, whatever, I don't have blood clots. I'm an Ironman triathlete, I don't get blood clots, things like this don't happen to people like me, you know. That's what I thought, but I told—I'd go to the hospital, gave my word. I went, and the doctor told me I had six blood clots, and they were able to quickly diagnose that with a Doppler, like a portable Doppler ultrasound. And I think that, you know, if it wasn't for that device, I may not be here today, because they were able to quickly diagnose the blood clots, and it wasn't just one, it was like six on my leg, so it was pretty severe. So I'm passionate about making sure these devices stay on the market, because if somebody hacks these devices, you know, obviously they might get recalled or taken off the market or give a misdiagnosis.

    And one of the interesting things about you, Trevor, is we both do extreme sports, and extreme sports is about reducing risk, and cybersecurity is about reducing risk. And ultimately, we're trying to reduce the risk for medical device manufacturers and make sure these devices are secure, and they can enhance, you know, patient care. So it's a little bit about Trevor: I met Trevor—him and his dad rock climb, and I met him through his dad. We were doing a rock climb together here in Arizona. So it's kind of interesting. You want to talk a little bit, Trevor, about like the difference in