Skip to main content
    Back to episode
    Episode 53 · December 30, 2025 · 24m listen · 4,324 words · ~22 min read

    Medical Device Cyber Failures Become Fatal | Ep. 52 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 53 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

    Prefer the listening experience? Open the episode page for the synopsis, key takeaways, topics, and Apple / YouTube listen links.

    Episode summary

    In this episode of the Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa of Blue Goat Cyber delve into the serious and often life-threatening consequences of medical device cybersecurity vulnerabilities. They move beyond theoretical risks to discuss documented incidents where software flaws and security breaches have resulted in tangible patient harm and, in some cases, death. The hosts argue that understanding this history is crucial for appreciating why regulatory bodies like the FDA are now enforcing stricter cybersecurity requirements, treating digital security as a fundamental component of patient safety on par with traditional safety measures like sterility and biocompatibility. A significant portion of the discussion centers on the 2017 WannaCry ransomware attack, which they identify as a major catalyst for the modern era of medical device cybersecurity regulation. Slattery and Espinosa explain how this widespread, non-targeted attack crippled hospital operations globally by encrypting critical systems and medical devices, forcing a return to manual processes and delaying urgent patient care. They detail why healthcare organizations are such frequent targets for ransomware: the immense value of stolen patient data and the critical, life-or-death nature of their services create immense pressure to pay ransoms quickly. The conversation also explores the downstream effects, where even unaffected hospitals and patients suffer when central systems, like insurance providers, are taken offline, preventing payments and reimbursements. Beyond ransomware, the hosts examine more direct and targeted threats. They recount the famous case of former Vice President Dick Cheney, whose doctors disabled the wireless functionality on his implantable defibrillator out of fear that it could be hacked for a targeted assassination attempt—a threat later proven possible by security researchers. This leads to a discussion of other proven vulnerabilities, such as those demonstrated by researcher Barnaby Jack in drug infusion pumps, which could be remotely manipulated to deliver lethal overdoses. The episode concludes by touching on modern challenges, including safety failures in AI-powered therapy agents, further blurring the line between software error and security risk. The overarching message is that past incidents are not just stories; they are the driving force behind the necessary, albeit challenging, evolution toward a more secure MedTech landscape.

    Key takeaways from this episode

    • Cybersecurity failures in medical devices are not just theoretical risks; there are documented cases where they have resulted in direct patient harm and death.
    • The 2017 WannaCry ransomware attack was a pivotal event that served as a wake-up call for the healthcare industry and regulators, highlighting how cyberattacks can cripple hospital operations.
    • Hospitals are prime targets for ransomware because of the critical nature of their services and the high value of patient data, creating immense pressure to pay ransoms to restore functionality.
    • Targeted attacks on high-profile individuals through their implantable medical devices, such as pacemakers or defibrillators, are a credible threat that has been considered at the highest levels of government.
    • Vulnerabilities in common devices like drug infusion pumps have been publicly demonstrated, proving that an attacker could remotely alter dosage and deliver a lethal amount of medication.
    • The consequences of a cyberattack can extend far beyond the targeted institution, disrupting the entire healthcare ecosystem, including insurance and payment processing, and delaying care for many.
    • Historical security incidents and vulnerability disclosures are the primary drivers behind increased regulatory scrutiny from bodies like the FDA, which now mandates robust cybersecurity for medical devices.
    • The distinction between a software safety flaw and a security vulnerability can be minimal, as both can lead to patient harm and must be addressed throughout the device lifecycle.

    Full episode transcript

    Page 1 of 6· Paragraphs 1 - 22
    Trevor: Hello and welcome back to another episode of the Med Device Cyber Podcast. Trevor: We're here, your cohosts Trevor Slattery and Christian Espinosa, and today we're going to talk about some situations and incidents that have come up where medical device hacks or medical device vulnerabilities and problems have led to direct tangible harm or in many cases even death against individuals. Trevor: It's definitely a very serious topic. There's a lot that can go wrong within the medical space, so we want to make sure that A, we're learning lessons of course from all of these areas and understanding what we can do in collaboration with the regulators to make sure that this isn't happening anymore. Trevor: First, I'll check in with you. How are you doing Christian today? I know, uh, you've been on a pretty crazy travel schedule, so just settling down and back home in Phoenix for what, one day, two days? Christian: Uh, I just got back from Singapore on Sunday. I was there for eight days, so I felt like I finally got acclimated to their schedule. Christian: And now I'm here for, I was here, gonna be here for one day, but I changed the flight, so I'm here for three days. So, not enough time to get acclimated here, and then I'm heading to Europe uh, tomorrow, actually. Trevor: Perfect. Well, yeah, at least get a little bit of respite moving it to three days as opposed to one day. Christian: Well I need a little bit of time to catch up on a few things and, uh, you know, actually enjoy my condo. I feel like I'm paying for this condo but I'm never here. Trevor: Well, talking about some of the issues that we've seen come up with medical devices, there's some definitely deep history on vulnerabilities, incidents that have come up where there's been tangible patient harm. Trevor: Actually one of the events that really drove some of the modern cybersecurity requirements that we see today home was a ransomware attack in 2017, the WannaCry ransomware attack where a lot of medical devices were affected, hospital operations screeched to a halt, and that started to underline the importance of cybersecurity within these products. So Trevor: there are new breaches, there are new problems, there are new events and everyone sees ransomware on the news, it feels like every other day something is getting ransomware'd. Trevor: But the regulators are trying to make an effort to stop some of this from happening. So, we can start a little bit about talking about what WannaCry was for anyone unfamiliar and then go into some more of the incidents that we've seen. So Trevor: for background on how this comes up, ransomware, everyone would be familiar with, it's something that is non-targeted, it's a non-targeted virus. It gets into a computer and it spreads into everything. Trevor: Uh, it goes to any connected computers, encrypts all the information so that nothing is accessible. The attackers steal a copy of it, they threaten to release it into the public if someone does not pay a ransom. Trevor: Now, when they're stealing this information from a hospital, this is going to contain extremely sensitive records. This is going to have a lot of patient information, often times payment information as well, so it's very, very valuable to attackers. That's why hospitals are so commonly ransomed. Trevor: WannaCry was an especially dangerous version of that, happened in 2017. And like I said, that really acted as the catalyst for some of these regulators to start kicking up the, raising the bar with cybersecurity. Christian: You have to think about it if you're a hospital, and I, I saw an episode of, I used to watch this show Chicago Med? a-but they actually had a ransomware attack in there. Christian: And the hospital didn't know what to do and patients were, were basically dying because they couldn't, an ambulance would show up and they couldn't intake the patient. Uh, all the systems were down. So one of the doctors actually paid the ransom out of his own pocket because the hospital didn't have a policy for it. Christian: And I think that that episode, I think it's called Chicago Med, is that show, uh, was pretty much based on reality from my experience. Trevor: Yeah. When that happens, when ransomware hits a healthcare delivery organization, there's not that much that can be done anymore. Trevor: We are in an extremely online world. Um, the overwhelming majority of medical products are now internet connected. Anything relating to payment, anything related to record storage, anything related to even note taking is often going to be entirely online or digitally stored. Trevor: Obviously there are tons of advantages for that. I mean, we look at the fact that we're in a podcast recording right now with me being in California and you being in Arizona. Awesome advantages to this technology, but when it goes down, everything goes down.
    1 / 6