    Episode 25 · November 11, 2025 · 38m listen · 6,679 words · ~33 min read

    Designing Secure Medical Device Software with Randy Horton | Ep. 45 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 25 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery are joined by Randy Horton of Orthogonal to discuss the critical intersection of software development and cybersecurity in the medical device industry. The conversation centers on the necessity of integrating security from the ground up, a practice known as DevSecOps, rather than treating it as an afterthought to be "bolted on" before a product goes to market. Christian introduces this core theme, highlighting that a device with security designed into its architecture is inherently safer and more robust than one where security is addressed reactively.

The guest, Randy Horton, brings extensive experience from his company, Orthogonal, a firm that specializes in accelerating the development of Software as a Medical Device (SaMD), connected device systems, and digital therapeutics. Randy shares his journey from discovering the Mosaic web browser in 1994 to a career focused on innovation in healthcare technology. He explains Orthogonal's philosophy, which involves fusing the best of modern, agile software engineering practices, many originating from Silicon Valley, with the rigorous quality, safety, and regulatory frameworks required in MedTech. A central argument is that these modern methods don't have to be at odds with compliance; instead, when adapted correctly, they can fundamentally raise the bar for both safety and effectiveness.

The discussion explores the cultural and practical differences between the traditional tech industry's "move fast and break things" mantra and the needs of healthcare. Randy proposes an adjusted credo for MedTech: "Move faster and break nothing." The group delves into why this is a significant challenge for the industry, which has historically been based on the principles of physical engineering, where change is difficult and costly. Software, by contrast, is infinitely malleable, presenting a different set of risks and opportunities. This flexibility means that a device's lifecycle never truly ends, especially with the need for ongoing security patches and feature updates. The hosts and guest agree that while the industry is slowly maturing, many companies still struggle with this paradigm shift, often leading to inefficient development and last-minute scrambles to meet cybersecurity requirements.

    Full episode transcript

Page 1 of 8 · Paragraphs 1-22
Host: Hi, welcome back to another episode of the Med Device Cyber Podcast. Today we're talking about software development with mobile devices, with cloud, and specifically medical device software development. We have a guest here, Randy Horton with Orthogonal. They do software development specialized in medical devices. And it's important to make sure, as Randy mentioned earlier, that cybersecurity is actually part of your software development. So we do DevSecOps versus just DevOps, "Sec" being the security portion. And as we know, a medical device is much more secure if cybersecurity is designed into the product rather than bolted on at the end. So I'm also joined here with Trevor, our co-host. Trevor, are you still in California? You've got a different background today.

Trevor: Still in California. I've just been banished to the corner of my tiny apartment so that my girlfriend can walk by during podcasts.

Host: Oh. You don't have the beads as your door.

Trevor: No, no. The beads are gone, but I'm gearing up to head down to San Jose in a couple of hours here for Device Talks, which is gonna be fun.

Host: Awesome, and you're giving a talk at Device Talks, right?

Trevor: Yeah, yeah, tomorrow at, I believe, eleven or eleven thirty, giving a talk on the common pitfalls and some of the horror stories that we have seen from mismanaging cybersecurity in medical devices, and talking about some of the things that can go wrong. Obviously, being this involved in the industry, we've seen a lot of the mistakes that companies make; they come to us for help, and so we're talking about how to avoid those mistakes in the first place.

Host: It's always good to be proactive rather than reactive.

Trevor: Exactly. So this episode will probably go live after I've done that talk, but if you were there, it was good to see you.

Host: Awesome. We're talking in the past and the future at the same time. It's kind of weird. All right. Randy, where are you coming from today?

Guest: Well, we're a Chicago-based company. Culturally I'm a Chicagoan, but I'm coming to you from about an hour north of Miami, where I moved about five years ago.

Host: So what does that mean, culturally you're a Chicagoan? What's that mean? Like, what's the difference between Chicago and Miami?

Guest: Chicago's in my heart, you know. I'm a Rust Belt kid, what can I say?

Host: Maybe you can explain a little bit about your background in MedTech, Randy, and a little bit about what Orthogonal does, then we can dive into our discussion here.

Guest: Yeah, sure. So I've been a long-time software innovation change person. It kind of started in January 1994. I was getting ready to graduate from college and I didn't know what I wanted to do. And one night at the computing center I found the first web browser, Mosaic, and I did an all-nighter. And I swear to you, I can't prove this, but I only went home when I ran out of links on the internet to click on in 1994.

Host: There were like twelve links, weren't there?

Guest: There were about, I don't know, maybe twenty websites. And I left and I said, I don't know what this is, but this is what I want to do with my career. So here we are. I'd say about eighty percent of my career has been in healthcare, and a large amount in the last decade and a half has been in medical imaging and medical devices. So, you could think of Orthogonal as a contract manufacturer for software as a medical device. Medical device manufacturers hire us to help them accelerate the development of software as a medical device, connected device systems like an insulin pump or a glucose monitor, and digital therapeutics. And we got into this business because we saw a massive opportunity to move patient outcomes in a really big way. You know, we could really move healthcare with modern software and connected software.

And the way we do that is we take the best of the modern worlds of software engineering and product management. Really, you know, Trevor, from where you're at, more from the Bay Area, these methods that have helped us build great software faster than ever before, and fuse those with MedTech's focus on safety and effectiveness as actuated by laws, regulations, quality, and compliance. And our view is that anybody who says, oh, you can do Lean and Agile and user-centered for your medical device, but don't worry, you can still be compliant, is way underselling the power of modern software. We think that modern software, when it's built well, can actually fundamentally raise the bar on safety and effectiveness in medical devices, as opposed to being some odd thing that we're trying to graft on, which is a lot of how our industry has unfortunately looked at it in recent years.