    Episode 50 · October 21, 2025 · 19m listen · 3,479 words · ~17 min read

    What Is A Medical Cyber Device? | Ep. 42 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 50 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery from Blue Goat Cyber tackle a common and critical question in the medical technology industry: What constitutes a 'cyber device'? They address the widespread confusion among manufacturers who often mistakenly believe their products are not cyber devices simply because they lack obvious network interfaces like Wi-Fi or Ethernet. The hosts aim to clarify this ambiguity by breaking down the definition based on the latest FDA guidance and practical cybersecurity principles. They introduce a straightforward, two-part test to determine if a medical device qualifies as a cyber device: first, does it contain software, and second, does it have any possible means of connecting to the internet or another device? If the answer to both questions is yes, then it is considered a cyber device and is subject to cybersecurity regulations. The core of the discussion revolves around the surprisingly broad definition of 'connectivity.' Espinosa and Slattery emphasize that this extends far beyond traditional networking. They provide numerous examples of interfaces that can make a device a cyber device, including USB ports (even if only used for data extraction), serial ports, Bluetooth/BLE, magnetic coils (like RFID and NFC), and even HDMI ports. The hosts explain how these seemingly innocuous connections can be exploited as entry points, creating vulnerabilities. They argue that the third common criterion—the presence of an existing vulnerability—is less relevant because any device with software and an interface has the potential for vulnerabilities to be discovered in the future. The conversation also explores the concept of a device's 'boundary,' noting that the FDA may consider third-party software, such as 3D modeling programs for creating implants, as part of the overall device system, thereby bringing it into the scope of cybersecurity requirements. 
They conclude by highlighting that manufacturers must be proactive in understanding all potential interfaces and either securely implement them or physically secure them to avoid the cyber device classification.

    Key takeaways from this episode

    • A "cyber device" is fundamentally any medical device that contains software and possesses any potential method for internet or external connectivity.
    • Many manufacturers incorrectly assume their product is not a cyber device if it lacks obvious Wi-Fi or Ethernet ports, overlooking other critical interfaces.
    • Connectivity is broadly defined by regulators and includes interfaces such as USB, serial ports, Bluetooth (BLE), RFID/NFC, and even HDMI, all of which can be potential attack vectors.
    • Rather than focusing on whether a vulnerability currently exists, the key determinant is the *potential* for exploitation through software and any physical or logical interface.
    • The FDA's view of a device's scope can include all connected components, including third-party software used in the device's ecosystem, which must also be secured.
    • Even if a port, like a USB, is not intended for regular use, its mere presence classifies the device as a cyber device unless it is physically secured with methods like tamper-proof seals.
    • It is a manufacturer's responsibility to understand and secure every component within their device's boundary, even if those components are off-the-shelf and have their own regulatory clearance.
    • To avoid misclassification, manufacturers should never assume their device is or isn't a cyber device; they must thoroughly verify all functionalities and consult with experts or the FDA.

    Full episode transcript

    Christian: Hi, welcome back to the Med Device Cyber podcast. Today we're talking about what is a cyber device. A lot of confusion about cyber devices and a lot of our prospects and people we meet at events come up to us and ask us if their device, their medical device is a cyber device. And often they think it's not a cyber device when it really is a cyber device. So we're going to unpack the latest guidance and give some specific examples of what type of interfaces make it a cyber device. From my lens, it's very simple but it gets a little complicated when we come to the interfaces. If the easiest way to think about it is, does your device have software, number one? And number two, does it have any possible way to connect to the internet? That's number two. If it meets those two criteria, then it is a cyber device and a lot of ambiguity comes around that second criteria I listed there. So I'm your host Christian Espinosa and I'm joined here with Trevor Slattery coming from San Francisco. He just moved there, got the beads in the background, living a hippie lifestyle. And I'm here in Tempe living a contrast lifestyle.

    Trevor: Yeah, not too many more different cities than Tempe and San Francisco. Here everything is super old and crumbly and it's cold all the time and foggy constantly. And there it's hot and new and spread out.

    Christian: And sunny. Yeah, it's. Cool. So we talked about, I went over the definition and I leave off the number three, which is: is there any kind of vulnerability that could exploit your device? I think that's asking for too much because if a device has software and some interface, then there may or may not be a vulnerability today but there may be one tomorrow. So it's kind of an irrelevant point from my perspective. What do you think about that?

    Trevor: Yeah, and I think that it's partially also down to how hard is it to argue to the FDA that your device does inherently have no level of risk. It's a very hard argument to make and it's a very risky approach to take. And so typically we recommend saying if your device has software there's likely going to be a way to exploit it. I know that one team member that we have for part of his master's program had to prove a piece of software was vulnerability free. It was like three lines of code and something around 50 pages of proof to prove that three lines of code was free of any vulnerabilities whatsoever. Now imagine when you're moving into a medical device which can have thousands, tens of thousands, hundreds of thousands of lines of code, the proof that it's going to be free of vulnerabilities would be so much more effort than complying with the cyber security guidelines. We recommend not worrying too much about that third definition.

    Christian: So let's focus on number two. I think that's where the confusion comes in, like when people say, well I've only got a USB port that we pull data off the device and then, you know, it's a DICOM image we pull off and we manually go put it in a PACS system or something. The fact that there's a USB port means it's a cyber device. But I, that's a misconception I hear all the time still.

    Trevor: Yeah and I think that the FDA is trying to do a little bit better around clarifying that and adding some definition around that. So USB port's the perfect example. You would not inherently think a USB port can introduce a network scenario into the device. And it's just a little bit of a misconception with A, what the interface can do and B, what the FDA defines as internet connectivity. It does not just have to be Ethernet, Wi-Fi, those things that you traditionally think of when you think of internet. And you could pick an example like right here, this is a USB to Ethernet adapter which we use during a lot of penetration tests to try to connect into a device and turn it into a network device. Even if you are just connecting a data stream into another device, that could consider, you could consider those two devices connected. And if that separate device is connected to the internet, then you do have indirect network connectivity into the medical device. This can also go down to the level of implementing like a Wi-Fi adapter into a USB port. I know we've had some pretty nasty attacks where we've been able to do kind of like a drive-by hot plug where we stick a Wi-Fi adapter into a device and then set up our own rogue Wi-Fi network so that we can then try to hack into the device from outside the building or outside the room instead of trying to do it physically where we might get caught. So there's a lot of risk that can get introduced through very small interfaces that aren't always immediately apparent.