Skip to main content
    Back to episode
    Episode 46 · July 15, 2025 · 51m listen · 8,091 words · ~40 min read

    Shared Responsibility in Medical Device Cybersecurity with Greg Garcia | Ep. 28 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 46 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

    Prefer the listening experience? Open the episode page for the synopsis, key takeaways, topics, and Apple / YouTube listen links.

    Episode summary

    In this episode of The Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by Greg Garcia, the Executive Director of the Cybersecurity Working Group of the Health Sector Coordinating Council (HSCC). Mr. Garcia brings a wealth of experience from his previous roles, including serving as the nation's first Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security and working with the Financial Services Sector Coordinating Council. His expertise lies at the intersection of public policy, business operations, and technology, particularly concerning the security of the nation's critical infrastructure. The core of the discussion centers on the complex and pressing issue of cybersecurity within the healthcare ecosystem, with a special focus on medical devices. Garcia argues that securing this critical infrastructure is a "shared responsibility" that cannot be shouldered by any single entity, be it the medical device manufacturer (MDM), the healthcare delivery organization (HDO), or government regulators. He draws parallels between the current situation in healthcare and past challenges in the financial sector, where different parties would often blame each other for security lapses. This tendency of "finger-pointing" underscores the need for a collaborative framework where all stakeholders work together. The conversation highlights the significant risks posed by legacy medical devices, which may no longer receive security updates but remain active in hospital networks, creating a vulnerable "weakest link" that attackers can exploit. Throughout the episode, Garcia details the efforts of the HSCC to foster this necessary collaboration. He points to several key publications and initiatives, such as the Joint Security Plan (JSP) and guidance on managing legacy technology, which are developed by industry practitioners and offered as free resources to raise the security posture across the board. The discussion also acknowledges the economic realities and competing priorities that make cybersecurity a challenge. Smaller, resource-constrained hospitals often struggle to afford robust security measures, and innovators face market pressures to get products to market quickly and cheaply, sometimes at the expense of comprehensive security. The hosts and guest conclude that a fundamental cultural shift is required, moving from a reactive stance to a proactive one where cybersecurity is understood not as a technical cost center or a compliance hurdle, but as an essential and non-negotiable component of patient safety.

    Key takeaways from this episode

    • Medical device cybersecurity is a shared responsibility that must be addressed collaboratively by manufacturers (MDMs), healthcare providers (HDOs), and regulators.
    • Guest Greg Garcia is a leading expert in critical infrastructure protection, having served as the first Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security.
    • Legacy medical devices that are no longer supported by manufacturers pose a significant risk, acting as a potential weak link or foothold for attackers within a hospital network.
    • The Health Sector Coordinating Council (HSCC) is an industry-led initiative that creates free cybersecurity resources and best practices, such as the Joint Security Plan (JSP), to help the entire sector.
    • A major challenge is that smaller, resource-constrained healthcare organizations lack the budget and personnel to implement robust cybersecurity, even if they are aware of the risks.
    • A cultural shift is necessary to view cybersecurity as an integral part of patient safety, rather than just an IT problem, a compliance checkbox, or an avoidable cost.
    • While not always the initial entry point, insecure devices can be exploited by attackers to pivot and escalate privileges, leading to broader network compromise and ransomware attacks.
    • Proactively investing in cybersecurity and fostering a culture of security is far more effective and less costly than reacting to the devastating consequences of a cyberattack.

    Full episode transcript

    Page 1 of 10· Paragraphs 1 - 13
    Trevor: Hello and welcome back to the Med Device Cyber podcast. I'm your co-host Trevor Slattery, our CTO with our co-host Christian Espinosa, the founder and CEO of Blue Goot. Today we're joined by a very special guest Greg Garcia from the Health sector coordinating Council. Trevor: I'd like to check in and just ask how everyone's doing today. Greg: Doing great. Glad to be here. Trevor: Fantastic. We're going to be going over some pretty exciting stuff. We're talking about rounding up some of the legacy devices that we've seen out in the wild that are facing some pretty nasty cyber security considerations, talking about what the industry as a whole is doing to try to drive cyber security forward and how we're making sure that medical devices are safe along with the steps that innovators should be taking. Christian: Awesome. Well, uh great, you want to maybe introduce yourself a little bit about uh what you do with your organization and uh some of the initiatives you your organization has going on. Maybe you're a background with Mettech. We always like to understand people's lenses are looking through with with Mettech cyber security and Mettech in general. Greg: Well, my experience with Medtech is that, um, like like like both of you and virtually everybody, I'm a patient. Greg: Um, but but at a at a technical level, um I'm not an expert in medical technology in fact. Um, as the executive director of the Cyber Security Working Group of the Health Sector coordinating Council, the the the the what I bring to this is a deep long background in technology generally cyber security specifically and the intersection of public policy, business and technology and our business and operations and technology. And I I I was in a similar role with the financial services sector coordinating council many years ago. Greg: I I was with a major American bank. Uh and before that I was with the Department of Home and Security. So I was the uh the nation's first assistant secretary for cyber security communications uh appointed by President Bush in 2006. and and you know, in that role coordinating our our national critical infrastructure, cyber security policy, um I was exposed to to really all of the nation's critical infrastructure sectors. Health care is just one of them. Telecommunications is another financial services, uh oil and gas, electricity, Greg: uh transportation, chemicals, water. everything that the public depends upon is considered critical infrastructure. And so, uh my role uh at the Department of Home and Security was try to coordinate the public private partnerships that were necessary for us to to work together to identify and mitigate Greg: systemic threats, systemic cyber threats to those critical sectors. So really I I I brought I bring to the health sector um since 2017 a background in information technology, in financial services, in uh the executive branch public policy and in Greg: the Congress. I spent some time in the Congress. in fact the the first bill I ever wrote um and the last bill I ever wrote was the Cyber Security Research and Development Act of 2002. So, I got to sit on the house floor, of the House of Representatives and watch the bill that I had worked on so heavily, um, get passed into law. So that was that was cool. So, um, you know, now with the health sector, I'm less an expert on on health care and medical devices. Greg: I've certainly learned a lot over the past seven years that I've been here. Um, but this role is more about making making those connections between, um, health care as a business and as a delivery mechanism with the technology that's used for that, the public policy and the operations, all of these, all of these interdependent, interconnected issues are part of this this larger constellation, and uh then I rely on the thought leadership, um, of our, of our membership. Um, the Cyber Working Group now consists of about 470, uh, or healthcare organizations from across the spectrum, uh, spectrum. Greg: The the the health care providers, like the hospitals and the clinics, the medical device companies, the health IT companies, like Cerner and Epic and and others, uh, the the plans and the payers, the pharmaceutical, the labs, um, the blood, uh, organizations, all of them are part of this interconnected ecosystem. So they are the owners and operators. They are the ones who are responsible for for securing this critical infrastructure and and in understanding those interdependencies, those interconnexions between all of those sub sectors and and you know, how, um, you know, together they recognize that cyber threats, uh, those cyber threats are a shared challenge across all of those subsectors and therefore a shared responsibility. So that's what brings us all together.
    1 / 10