    Episode 51 · January 21, 2025 · 24m listen · 4,484 words · ~22 min read

    The Human Factor: Why Cybersecurity Awareness is Key in Medical Device Manufacturing | Ep. 8 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 51 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

    Episode summary

    In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery of Blue Goat Cyber delve into the critical role of the 'human factor' in medical device cybersecurity. After some initial light-hearted banter about dreams and creativity, they introduce the core argument that humans, not technology, are often the weakest link in any security system. Trevor explains that it is frequently easier and more effective for attackers to trick a person into revealing credentials through social engineering and phishing campaigns than it is to execute a complex technical hack against a fortified system. He supports this with examples from their own penetration testing experiences, where they have successfully gathered numerous passwords by setting up fake login pages and distributing them via email, thereby gaining extensive access to internal networks. The hosts then question the real-world effectiveness of standard cybersecurity awareness training. Christian observes that despite most companies implementing annual training and simulated phishing tests, his team consistently succeeds in breaching defenses through the same human-centric tactics, such as dropping infected thumb drives or sending convincing phishing emails. Trevor attributes this failure to a widespread cultural perception of cybersecurity as a 'necessary evil'—an inconvenient and frustrating obstacle to daily tasks. This perspective causes employees to become disengaged during training sessions, viewing security protocols like complex passwords and multi-factor authentication as an annoyance rather than a vital safeguard. This human tendency to prioritize convenience over security fundamentally undermines many awareness initiatives. Moving towards solutions, the conversation shifts to the need for a fundamental change in how security is approached, moving from a user-blame model to one of systemic resilience. 
The hosts advocate for designing systems with an 'assumed breach' mentality, where it is taken for granted that human error will occur and that attackers will eventually find a way in. Consequently, the focus should be on implementing robust technical controls to mitigate the impact of such a breach. They stress the importance of network segmentation, particularly in healthcare environments, to isolate critical systems. A powerful example is given where a compromised public-facing system, like a hospital kiosk, on a flat, unsegmented network could potentially grant an attacker access to life-sustaining medical devices in an operating room. They conclude that improving medical device security requires a comprehensive cultural shift, championed by leadership and integrated into every stage of the product lifecycle—a concept encapsulated in DevSecOps—to ensure security is a foundational component, not an expensive and often ineffective afterthought.

    Key takeaways from this episode

    • The 'human factor' is the weakest link in cybersecurity, as people are often easier to exploit through social engineering than systems are to hack directly.
    • Traditional cybersecurity awareness training often fails because employees view security as an inconvenient 'necessary evil,' leading to disengagement and a preference for convenience over security.
    • It's more effective to design systems with an 'assumed breach' mentality, accepting that human error is inevitable and focusing on mitigating the impact of a breach.
    • Tricking a person into giving up their password can be far more devastating than a technical exploit, as it can grant an attacker immediate access to an entire internal network.
    • Technical controls like network segmentation are crucial for limiting the 'blast radius' of an attack, preventing a compromise in one area from spreading to critical systems like medical devices.
    • Implementing security as an afterthought is incredibly expensive and can lead to costly redesigns or even project abandonment; it should be integrated from the beginning of the development lifecycle (DevSecOps).
    • A cultural shift is needed across organizations, from leadership and software developers to IT staff, to recognize and prioritize cybersecurity as a core function rather than a burden.
    • There is often a systemic disconnect in expertise, where software developers may not receive the necessary secure coding training that cybersecurity professionals do, leading to built-in vulnerabilities.

    Full episode transcript

    Welcome back to another podcast, Trevor. How you doing today? I'm doing pretty well. How are you doing today, Christian? Doing good. Doing good. Didn't sleep too well last night. I had this uh, weird dream that I was an accountant. I don't even know where that came from. Um, and it was kind of like a nightmare. And I haven't, I for some reason like bookkeeping and, I it probably came from the fact that I'm doing it for our company now, and it causes me a lot of anxiety, all the bookkeeping and accounting. It was a weird dream. Yeah, that would be, that would be a pretty scary dream. I've never had much of an affinity for that. Majored in engineering in college and that was already way too much math for me, so I don't want any more. Yeah, I used to sleep with a recorder next to my bed so I could wake up and record my dreams. Um, and I I stopped doing that for some reason because my one of my favorite bands is Nightwish, the guy that writes all the songs to, he has a recorder, uh, and he wakes up and fresh from the dream and just talks to the recorder and that's what becomes of his songs. So it's kind of interesting. So we we have a lot of wisdom come to us during our dreams, I believe. I probably only remember like one or two dreams a month. I just, I go to sleep, I'm out. There is not a thing happening until morning. Well, that could be good, good as well. Probably get better sleep that way. Yeah. In this podcast, you know, we're talking about the human factor and, you know, how it matters with medical device cybersecurity. Before we like dive in here, can you explain like what we mean by the human factor? So, in cybersecurity, it's very often said that the human is the weakest link. Um, of course computers are vulnerable to attack. They can be exploited with malware, all sorts of different hacks. But it's pretty easy to trick a person into giving up their password. It's often a lot easier to trick a person into giving up their password than a computer. 
Some of the most success that we've had on penetration tests are through social engineering campaigns. We set up a fake login panel, send out a bunch of emails, and then boom, all of a sudden we have 90 sets of passwords to use instead of trying to hack into the system ourselves. So not only is it often easier and more successful, but the impact is often far more severe. If someone's giving up their password for a VPN portal, they're able to get into their internal network, you're able to see a lot of pretty dangerous stuff. So what the big concern is that we always need to be thinking about is how can we fix this problem? You, you're never going to be able to change human behavior. You're never going to be able to change human tendencies. So, it's a matter of trying to teach awareness and trying to implement controls that are going to reduce the impact of a successful exploit or reduce the likelihood that it will be a successful exploit. We've been talking about cybersecurity awareness training for a long time. I don't feel it's making a difference. Because we've done every company that we've worked with, they do phishing training. Over and over and over. They do this one hour cybersecurity training annually. Yet, we come in there and are still able to get through with a phishing attack or still able to get through with some sort of like social engineering attack with like a thumb drive attack where we just drop thumb drives around, they pick them up, put them in a computer. So, do you do you feel like we're actually improving with this awareness? Yes and no. So, one thing, and I know we've kind of talked about this before, but often times, cybersecurity is viewed as a necessary evil. It's not something that people want to do. It's not something that people want to be aware of. It's usually an inconvenience for the most part. What is a, what is a necessary evil? Like what's another example of a necessary evil? 
I know before I've used the example of, you know, like going to the doctor, going to the dentist. It's something that nobody wants to go do. Nobody has a good time when they go to the dentist, but you have to do it. You have to stay on top of these things. I guess that's true. You don't have a good time in the dental chair.