    Episode 26 · February 26, 2026 · 32m listen · 3,964 words · ~20 min read

    Prevention Is Better Than Cure: Applying Medical Principles to Medtech Cybersecurity | Ep. 59 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 26 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery are joined by Stephen Smith, a MedTech veteran with over 27 years of experience in Quality Assurance (QA) and Regulatory Affairs (RA). Stephen, co-founder of Elevate MedTech, shares insights from his long career, which began in 1999 as a QA auditor for an in-vitro diagnostic (IVD) company. He explains how this early experience revealed a critical disconnect between device manufacturing and the realities of clinical use, sparking his career-long focus on integrating robust quality systems with a deep understanding of the user environment and patient safety.

    The central theme of the discussion is that cybersecurity is not merely a feature to be added to a medical device, but is inextricably linked to, and evidence of, quality software and a well-designed product. The speakers argue that in the high-stakes medical field, you cannot have a quality product without inherent security. A cyber attack on a medical device, such as an IVD, could alter its output, leading to a catastrophic misdiagnosis—for instance, a patient with sepsis being told they are healthy, which could be fatal. This highlights how cybersecurity is fundamentally an issue of patient safety. Stephen distinguishes between Quality Control (QC), a reactive check on a finished product, and Quality Assurance (QA), a proactive process of building quality and safety into the design from the very beginning. The conversation stresses that cybersecurity must be a core design input, integrated into risk assessments and the quality management system throughout the development lifecycle.

    The podcast also explores why cybersecurity is often treated as an afterthought. For many companies, especially startups, implementing comprehensive security is perceived as an expensive and time-consuming process that delays market entry. This leads to a mindset of doing the bare minimum to pass regulatory hurdles. Stephen points out that many manufacturers fail to consider the actual clinical workflow, designing devices without consulting the doctors and nurses who will use them. This lack of user-centric design can lead to usability issues and unforeseen risks. While regulators like the FDA and EU MDR are increasingly focusing on cybersecurity, the process is slow, and compliance can become a 'tick-box' exercise that doesn't guarantee real-world security.

    The hosts and guest conclude by reiterating that the ultimate responsibility for creating a safe and effective device lies with the manufacturer, emphasizing the ethos that 'prevention is better than cure' and advocating for proactive risk management.

    Key takeaways from this episode

    • Cybersecurity should not be seen as an optional feature but as fundamental evidence of a quality medical device and software.
    • A failure in medical device cybersecurity can directly lead to patient harm, such as a fatal misdiagnosis from a compromised diagnostic tool.
    • It is far more effective and less costly to prevent issues by integrating security and quality into the design process from the start, rather than fixing problems after they arise.
    • Many device manufacturers, particularly startups, often treat cybersecurity as an afterthought due to pressures to reduce costs and speed up time-to-market.
    • Regulatory approval, such as an FDA clearance or CE mark, is not a guarantee of product quality or security; it only shows that the product met minimum compliance standards at a point in time.
    • A major flaw in medical device development is the failure to fully understand the clinical workflow and the real-world environment where the device will be used.
    • Risk management, especially for cybersecurity, must be a dynamic, ongoing process, as threats and use cases evolve continuously.
    • The ultimate responsibility for a device's safety and effectiveness rests with the manufacturer, not the regulatory bodies that provide market clearance.

    Full episode transcript

    Page 1 of 5 · Paragraphs 1 - 23
    Cybersecurity is evidence of quality software.

    So from a cybersecurity perspective, if a device is compromised or hacked into, an IVD, and somebody has sepsis but it says they don't have sepsis, that patient could die.

    So you cannot have quality software, quality processes, without having cybersecurity inherently tied into it, since that's pretty much a good product, especially in the medical space.

    There is, either intentionally or unintentionally, a lack of consideration of A, the clinician and B, the user environment.

    Having your ISO 13485 certificate or CE certificate, that's not a guarantee of a good product.

    Prevention is better than cure.

    Christian: Hey, welcome back to another episode of the Med Device Cyber Podcast. Today we have a guest, uh, Stephen Smith. Stephen, uh, comes to us from... Where are you coming from today, Stephen? The UK?

    Stephen: Cambridge in the UK.

    Christian: Cambridge. I did my first punting in Cambridge a long time ago. Punting, for those of you who don't know, is where you're on a boat and there's a guy with a stick that pushes the stick down to the bottom and kind of pushes the boat along. It's called punting. Isn't that right?

    Stephen: That's right.

    Christian: I don't know why they call it punting. I think punting is when you're kicking a football or something, but in the UK they kind of change everything up to keep us confused as Americans, I think. Cool. And, uh, we've got Trevor here as well. Trevor, you're coming from NorCal, I believe, right?

    Trevor: NorCal. Here for the next hour and a half, then got to catch a flight.

    Christian: I'm coming from Austin, at a hotel. Um, I'll see Trevor later on this evening. He's going to be joining us in Austin. I was just here this weekend doing a Formula 4 advanced course, but it was 20 degrees out one morning, so we had to put the, uh, wet tires, the treaded tires, on the car because there was frost on the track, which makes it a little challenging to drive, but I survived. Cool. So Stephen, you want to give us a little bit of background about yourself and your organization and, uh, what you do in the medtech space?

    Stephen: Sure. Well, my name is Stephen, as we've said. Uh, I started working in medtech way back last century, actually in 1999.

    Christian: 1999. The last century. The last century. I guess that was the last century. Last century.

    Stephen: Last century, yeah. So this is my 27th year, my god, that's depressing, in medtech. So I started as a quality assurance auditor for an IVD company here in the UK. And being an auditor, I got talking to a lot of people, interacted with a lot of people, but more importantly, I guess, listening to a lot of people, because being an auditor you've got to talk and you've got to listen as well; it's a two-way thing. That's something I think a lot of auditors have actually got to understand. So obviously I had to audit to regulation and listen to their answers, but I also had to, in some cases, question their answers. So, while the products of this company were pretty good, they were really good actually, and some of them from 20-odd years ago are still in use today, people's perceptions of what quality and regulatory was all about were, I guess, a bit poor. They knew they had to be regulated and they knew they made medical devices, but they had no idea what type of medical devices they made, what they did clinically, which surprised me. So I went about doing a bit of research, finding out what these devices do myself, because I was relatively new, and I thought, okay, these things are actually quite important. So I made a product awareness course, and I got a group of people together, mainly on the production line: "Guys, this is what these devices do." And it was a revelation to people. "Oh, these actually could cause risk to people. These could misdiagnose. We could be on the receiving end." And that changed their perspective. I guess it changed my perspective as well, seeing how they reacted. And that, I guess, sparked the course of my career in QA and RA in medtech, making sure that what I did conforming to regulation actually had an impact, not regulating for regulation's sake, but making sure that regulation and what I did was effective. That's probably a long answer to a short question.

    Christian: No, I think it's the same challenge with cybersecurity. A lot of people think it's just something you have to do. But like you said, if an IVD causes a misdiagnosis or a delayed diagnosis, it can drastically affect a patient. So from a cybersecurity perspective, if a device is compromised or hacked into, an IVD, and somebody has sepsis but it says they don't have sepsis, that patient could die. So it's about patient safety, like you said. I want to ask a couple of questions here based on what you said. So QA and RA are two different things, and somebody once described RA as offense and QA as defense. Do you agree with that?