    Episode 39 · December 2, 2025 · 11m listen · 2,041 words · ~10 min read

    Cybersecurity Qs MedTech Innovators Ask: Christian’s Hot Seat | Ep. 48 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 39 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this special episode of The Med Device Cyber Podcast, host Trevor Slattery puts his co-host and cybersecurity expert, Christian Espinosa, in the "hot seat." Deviating from their usual guest interview format, Trevor quizzes Christian on some of the most frequently asked questions from innovators and developers in the medical technology space. The episode serves as a rapid-fire Q&A session designed to demystify complex regulatory standards and common pitfalls encountered when bringing a new medical device to market, with a particular focus on cybersecurity.

    The discussion begins with a foundational topic: ISO 13485. Christian explains that this standard outlines the requirements for a Quality Management System (QMS) specific to the medical device industry. He details that a QMS is a comprehensive system that organizes all information related to a medical device's lifecycle, from its design history and manufacturing processes to its cybersecurity documentation. The core purpose of adhering to ISO 13485 is to establish full traceability and ensure that all processes are high-quality, repeatable, and secure. This system is crucial for managing risks and efficiently addressing any problems that may arise after the device is on the market.

    Trevor and Christian then explore the primary reasons for FDA device rejections, with Christian highlighting that, in the past year, insufficient or inadequate cybersecurity has become the leading cause. The conversation also clarifies the often-confused terminology of "Software as a Medical Device" (SaMD) versus "Software in a Medical Device" (SiMD). Christian defines SaMD as software that functions as a medical device entirely on its own, such as a cloud-based AI algorithm for image analysis. In contrast, SiMD is software that is an integral component of a physical medical device, like the operating software on a patient monitor.

    The final and perhaps most critical topic addressed is the distinction between HIPAA and FDA requirements. Christian emphatically states that HIPAA compliance is not a substitute for meeting the FDA's cybersecurity standards. He argues that the FDA is primarily concerned with patient safety (preventing physical harm from a device malfunction or hack), while HIPAA is focused on protecting the privacy and security of Protected Health Information (PHI). Using the stark example of a hacked defibrillator, he illustrates that the immediate threat to life (an FDA concern) is a different category of risk than the theft of personal data (a HIPAA concern), underscoring why both regulatory frameworks must be addressed separately.

    Key takeaways from this episode

    • ISO 13485 is the international standard for establishing a Quality Management System (QMS) for medical devices, ensuring traceability and quality throughout the product lifecycle.
    • Inadequate or insufficient cybersecurity is currently the most common reason for medical devices being rejected by the FDA during the submission process.
    • "Software as a Medical Device" (SaMD) is a standalone software product that performs a medical function, whereas "Software in a Medical Device" (SiMD) is software embedded within a hardware device.
    • HIPAA compliance and FDA cybersecurity requirements are not interchangeable; they address different types of risk and must both be satisfied independently.
    • The FDA's primary cybersecurity focus is on patient safety, meaning the prevention of physical harm that could result from a compromised medical device.
    • HIPAA's focus is on the privacy and security of Protected Health Information (PHI), safeguarding patient data from unauthorized access or breaches.
    • Innovators should prioritize patient safety in their device design to meet FDA expectations, rather than assuming data privacy measures alone will suffice.

    Full episode transcript

    Trevor: Hello and welcome back to another episode of The Med Device Cyber Podcast. This one's going to be a little bit different from our typical flow. We're putting Christian in the hot seat and running him through some of the questions that we see come up all the time as frequently asked questions with med-tech innovators and seeing, seeing how he does and seeing how well he knows all of these processes. So.

    Trevor: All right, well, we'll start off with a good one and a very important one. Could you give us a little description of what ISO 13485 is?

    Christian: ISO 13485 is the standard for a quality management system and how to set that up and what should be in that system and what the foundational components of that system are. And the whole idea is when you have a medical device, you need to have a QMS or some sort of system that has basically all the information about the medical device, the design history files, the cybersecurity documentation. And the whole idea is, is I have all this stuff organized in a very logical manner. So I have traceability for what, when the device is on the market, traceability for when it was designed, how it was built, how it was tested. I have that full visibility and traceability in the system. And then when a problem comes up with a device, I feed that into the quality management system and then we have the evidence of what we did to reconcile that problem and make sure the risk is an acceptable level, like if we had to mitigate the risk and how we did that and the history of that, or if we decided the risk is already at an acceptable level and we didn't need to take any action.

    Trevor: Excellent. Yep. Yeah, that's perfect way to put it. We're trying to make sure that we have quality, repeatable, and secure processes. It's often one of the bigger frustrations for working with healthcare and med-tech devices, um, just since it's a little bit unique to regulate the spaces for sure, but very important.

    Trevor: All right. Now, what is the most common reason that medical devices get rejected by the FDA?

    Christian: Lately, the most in the past year or so, the most common reason is cybersecurity, actually. Insufficient or inadequate cybersecurity, I should say.

    Trevor: Yep, exactly.

    Trevor: All right. Now, could you give us a little bit of a summary of the description between SaMD and SiMD products?

    Christian: Oh, my goodness. SaMD is software as a medical device. So this would be some sort of software that may sit on the cloud. It could be, uh, some sort of AI image enhancement, uh, tool that takes an ultrasound image, sends it up to the cloud, and this software component runs AI through it and does some image enhancement for something like a vascular disease. So the physician can look at the image and see the vascular portion much better than just through the ultrasound or an MRI. A SiMD is, uh, that's software in a medical device. And that is basically a medical device that has software. So this could be, uh, like a patient monitoring system that has software inside of it.

    Trevor: The software as a medical device is only software. So there's no hardware component with it. The software in the medical device...

    Christian: Oh, okay. So the patient monitoring system isn't a good example. It's it's the hardware in and the software running in that hardware.

    Trevor: Yep, exactly.

    Christian: Okay. So I was on the right track.

    Trevor: All right. Now here's a question that I actually got last night at dinner, believe it or not. But...

    Christian: You were at some Georgia, Khinkali or whatever dinner you went to.

    Trevor: This was at the Georgian Khinkali dinner. And I was talking with a startup innovator that has a new product that they're just about to gear up for their 510(k). And we were talking about what cybersecurity needs to go into it. And he asked, well, I have HIPAA compliance. Is that going to work for the FDA? I told him, no, it's not. So what are some of the differences between what HIPAA looks for and what the FDA looks for?

    Christian: There's some stark differences. Uh, the FDA is primarily concerned with patient safety, meaning if I can hack into this medical device, what harm can I cause to a patient? That is a primary lens the FDA is looking for. HIPAA in contrast is related to protected health information. It has nothing to do with patient safety. It's like is my charting about my diagnosis protected? Is my insurance, uh, protected that's in the hospital for my treatment? Uh, and those are two very different things. And I think this is a commonly misunderstood concept with med-tech cybersecurity. People often think it's about the data, which is HIPAA. The data is important, but it's secondary to patient safety.