Skip to main content
    All Episodes
    Episode 029 · July 15, 2025 · 51m listen

    Shared Responsibility in Medical Device Cybersecurity with Greg Garcia | Ep. 28

    Greg Garcia
    Executive Director, Cybersecurity Working Group
    Health Sector Coordinating Council

    Episode Summary

    This episode of The Med Device Cyber Podcast features Greg Garcia from the Health Sector Coordinating Council (HSCC), discussing the critical issue of shared responsibility in medical device cybersecurity. Garcia, with a background spanning the Department of Homeland Security and financial services, highlights the HSCC Cyber Security Working Group's efforts to foster collaboration between medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs). A central theme is moving past blame to develop unified strategies for medical device security. Garcia emphasizes the "secure by design" and "secure by default" principles, crucial for total lifecycle product security. He touches upon the challenge of legacy devices, the 2023 FDA guidance changes, and the economic pressures faced by resource-constrained healthcare providers. The discussion also covers the importance of shifting cybersecurity from a cost center to an integral part of patient safety, the limitations of current regulations for all healthcare-connected technologies, and the need for a unified approach to achieve regulatory and patient confidence in a secure medical ecosystem. Key initiatives like the Joint Security Plan (JSP) and managing legacy technology security (MALTS) are presented as vital, free resources developed by the industry for the industry.

    Key Takeaways

    • 01Cybersecurity is a shared responsibility across all stakeholders in the healthcare ecosystem, from medical device manufacturers to healthcare delivery organizations and IT companies.
    • 02The
    • 03secure by design"
    • 04 and
    • 05secure by default"
    • 06 principles are essential for establishing total lifecycle product security in medical devices.
    • 07Addressing legacy medical devices that are no longer supported requires collaborative strategies for maintaining security and planning for risk transfer.
    • 08The industry needs to shift its perception of cybersecurity from a costly burden to an indispensable component of patient safety.
    • 09Adopting industry-developed resources like the Joint Security Plan (JSP) and managing legacy technology security (MALTS) can significantly enhance cybersecurity posture.
    • 10Future regulation may need to expand beyond medical devices to encompass all technology systems critical to healthcare delivery, mirroring the rigor applied to critical infrastructure.
    • 11The Health Sector Coordinating Council (HSCC) offers free, collaboratively developed best practices and encourages participation to strengthen healthcare cybersecurity collectively.

    Frequently Asked Questions

    Quick answers drawn from this episode.

    • This episode of The Med Device Cyber Podcast features Greg Garcia from the Health Sector Coordinating Council (HSCC), discussing the critical issue of shared responsibility in medical device cybersecurity.

    • Cybersecurity is a shared responsibility across all stakeholders in the healthcare ecosystem, from medical device manufacturers to healthcare delivery organizations and IT companies. The secure by design"

    • A central theme is moving past blame to develop unified strategies for medical device security. It's most useful for medical device manufacturers, cybersecurity engineers, regulatory affairs professionals, and MedTech founders preparing for FDA review.

    • Cybersecurity is a shared responsibility across all stakeholders in the healthcare ecosystem, from medical device manufacturers to healthcare delivery organizations and IT companies.

    Listeners also asked

    Quick answers pulled from related episodes.

    Share this episode

    Pre-fills with: "Cybersecurity is a shared responsibility across all stakeholders in the healthcare ecosystem, from medical device manufacturers to healthcare delivery organizations and IT companies."

    Hello and welcome back to the Med Device Cyber Podcast. I'm your co-host Trevor Slatterie, our CTO, with our co-host Christian Espinosa, the founder and CEO of Blue Goat. Today we're joined by a very special guest, Greg Garcia from the Health Sector Coordinating Council. We're going to be going over some pretty exciting stuff, talking about rounding up some of the legacy devices that we've seen in the wild that are facing some pretty nasty cybersecurity considerations. We'll discuss what the industry as a whole is doing to try to drive cybersecurity forward and how we're making sure that medical devices are safe, along with the steps that innovators should be taking. My experience with medtech is that, like both of you and virtually everybody, I'm a patient. At a technical level, I'm not an expert in medical technology. As the executive director of the Cybersecurity Working Group of the Health Sector Coordinating Council, what I bring to this is a deep, long background in technology generally, cybersecurity specifically, and the intersection of public policy, business, and technology or business, operations, and technology. I was in a similar role with the financial services sector coordinating council many years ago. I was with a major American bank, and before that, I was with the Department of Homeland Security. I was the nation's first assistant secretary for cybersecurity and communications, appointed by President Bush in 2006. In that role, coordinating our national critical infrastructure cybersecurity policy, I was exposed to all of the nation's critical infrastructure sectors. Healthcare is just one of them; telecommunications is another, financial services, oil and gas, electricity, transportation, chemicals, water—everything the public depends upon is considered critical infrastructure. My role at the Department of Homeland Security was to coordinate the public-private partnerships necessary for us to work together to identify and mitigate systemic threats, systemic cyber threats, to those critical sectors. I bring to the health sector since 2017 a background in information technology, financial services, the executive branch public policy, and in the Congress. I spent some time in Congress; in fact, the first bill I ever wrote and the last bill I ever wrote was the Cybersecurity Research and Development Act of 2002. So, I got to sit on the House floor and watch the bill I had worked on so heavily get passed into law. That was cool. Now, with the health sector, I am less an expert on healthcare and medical devices. I've certainly learned a lot over the past seven years that I've been here. This role is more about making connections between healthcare as a business and as a delivery mechanism with the technology that's used for that, the public policy, and the operations. All of these interdependent, interconnected issues are part of this larger constellation. I rely on the thought leadership of our membership. The cyber working group now consists of about 470 healthcare organizations from across the spectrum: healthcare providers like the hospitals and the clinics; medical device companies; health IT companies like Cerner and Epic and others; the plans and the payers; the pharmaceutical; the labs; the blood organizations. All of them are part of this interconnected ecosystem. They are the owners and operators; they are the ones who are responsible for securing this critical infrastructure and for understanding those interdependencies, those interconnections between all of those subsectors. Together, they recognize that cyber threats are a shared challenge across all of those subsectors and therefore a shared responsibility. So that's what brings us all together. What are your thoughts generally on the legacy problem and what we can do about it, and also, do you think we're headed in the right direction? The whole medical technology issue in healthcare is a fascinating one, and it's more severe but not dissimilar from what I experienced in the financial services sector. In those days, the banks were sort of yelling at the telcos and ISPs:

    Hosted by

    More from your hosts

    Other episodes diving into Christian and Trevor's areas of focus.

    Episodes covering similar ground.

    Why this matches covers similar themes around responsibility, shared, integral.

    Why this matches covers similar themes around delivery, total, plan.

    Why this matches covers similar themes around delivery, healthcare, organizations.

    Listen to this episode