Episode 60 · September 9, 2025 · 25m listen · 2,303 words · ~12 min read
When Medical Device Cybersecurity Becomes a Crime | Ep. 36 - Full Transcript | The Med Device Cyber Podcast
Read the complete, searchable transcript of Episode 60 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.
Episode summary
In "When Medical Device Cybersecurity Becomes a Crime," episode 36 of The Med Device Cyber Podcast, we explore the significant shift in medical device cybersecurity enforcement. Historically, cybersecurity issues in healthcare primarily fell under HIPAA, focusing on data privacy. However, a recent Department of Justice (DOJ) enforcement action against Illumina highlights a new era: when cybersecurity flaws in medical devices lead to patient harm, they can result in legal prosecution under the False Claims Act. This episode delves into the critical distinction between data breaches and the direct patient safety risks inherent in compromised medical devices such as infusion pumps or pacemakers. The discussion emphasizes that known, unmitigated cybersecurity risks, especially when misrepresented to federal healthcare organizations, can lead to severe consequences, including misdiagnosis, mistreatment, and even death. The hosts discuss the challenges medical device manufacturers face in integrating cybersecurity by design from the outset, particularly given the FDA's evolving guidance (specifically September 2023) and lengthy development cycles. The conversation underscores the growing recognition of cybersecurity as a clinical risk, moving beyond theoretical concerns to tangible patient mortality. It also touches on the secure product development framework (SPDF) and evolving regulatory strategies, acknowledging a slow but positive shift in industry awareness and proactive engagement with cybersecurity, despite the inherent tensions of speed-to-market pressures. The episode concludes with a look at the future of medical device security, emphasizing the importance of aligning organizational functions to address cybersecurity throughout the total product life cycle.
Key takeaways from this episode
A recent Department of Justice enforcement against Illumina under the False Claims Act signifies a major shift, making medical device cybersecurity failures a prosecutable offense, not just a penalty.
Unlike HIPAA, which focuses on health information privacy, current enforcement prioritizes direct patient safety concerns arising from compromised medical devices, where cyberattacks can lead to tangible physical harm or death.
The medical device industry is challenged by the FDA's relatively new cybersecurity guidance (September 2023) and lengthy development cycles, which often necessitate retrofitting security into products already in development.
Companies are increasingly adopting proactive regulatory strategies, including anticipating FDA deficiencies and preparing remediation plans during review cycles, to expedite market entry and enhance cybersecurity.
The industry is slowly recognizing cybersecurity as an acute clinical risk, with a growing understanding that poor security can directly contribute to patient mortality through delayed treatment or device malfunction, necessitating a "security by design" approach from the start of the total product life cycle.
Adherence to a secure product development framework (SPDF) from the early stages of development is becoming crucial for medical device manufacturers to mitigate legal, regulatory, and patient safety risks.
Manufacturers must align sales, engineering, marketing, and compliance teams to ensure device security from initial development throughout the total product life cycle, especially given the high failure rate of medtech startups that overlook regulatory complexities.
Misrepresenting cybersecurity protections, particularly to federally funded healthcare organizations, can invoke severe legal repercussions, highlighting the increased government oversight and scrutiny.
The transition from cybersecurity as a technical risk to a significant legal and clinical risk is fundamentally reshaping how medical device manufacturers approach product security and regulatory compliance.
The proactive integration of security controls and documentation throughout the entire development process reduces the likelihood of costly and time-consuming remediations later on, especially as regulatory bodies intensify their cybersecurity focus.
Full episode transcript
Hi, welcome to another episode of the Med Device Cyber Podcast. Today, we're talking about what happens when your cybersecurity flaw doesn't just cause a breach, but it breaks the law. There's been a recent case where the Department of Justice had an enforcement against a medical device manufacturer, Illumina, and this is public knowledge because they sold their system under false claims. There were some false pretenses about how secure the system was, and the exact vulnerabilities weren't disclosed; they were sort of hidden. The whole idea is that cybersecurity failures today are now being prosecuted, not just penalized, because the risk is much greater with medical devices. We're looking at patient safety. We're looking at potentially killing a patient or maiming a patient or misdiagnosing a patient. This is a much greater risk than something such as HIPAA which has traditionally been the enforcement within the healthcare umbrella.
So before we dive in too much, I want to introduce our co-host here, Trevor. Trevor just moved to California, to the Bay Area, and he was explaining that he doesn't have California license plates or a driver's license. So he has to move his car quite often so he doesn't get a ticket. Is that what you were saying?
Yes. So in this neighborhood, you have to have a parking permit to park for longer than two hours. To get a parking permit, you need California registration. To get California registration, I need to get California insurance. To get that, I need California residency. Since I just moved here, I don't have any bills or any receipts, anything like that. So this is going to be a fun month of shuffling around my car every two hours. The closest parking garage to me is $500 a month, so I'm not going to do that. I'm just going to do the car shuffle for a month.
So this is particular to your complex then, because I mean, I've traveled to California with an out-of-state license plate, and I didn't have to move my car all the time, but I'm not living in a neighborhood. It's just a San Francisco thing. This neighborhood has parking permits and all that. Some don't. Sometimes people just leave their car wherever across the city and then just take the bus back and forth to their car. I guess it makes sense because I've been to California quite a bit, and I would see these old RVs parked in random neighborhoods, and they seem like they just parked there and live in those RVs. So I understand the problem they're trying to solve.
No worries. I'm still in Phoenix today. It's supposed to be another hot day. I went out for a walk yesterday. It was like 118, but I cooled down, I think, to 111 when I walked. It was a little bit later, but still pretty hot out. A nice cool temperature of 111, perfect for a walk. Hey, it's a dry heat. I was in New Jersey not too long ago, and it was like 95 and 99% humidity. So that felt hotter to me than here. Yeah, Phoenix doesn't feel too bad. If you're out of the sun, it feels quite nice, actually. Yeah, it's mostly the sun is intense, not really the air. The sun is definitely intense. Yeah. Awesome. So, let's dive into this Civil Cyber-Fraud Initiative, which is DOJ's initiative to use this False Claims Act to really pursue vendors and contractors that misrepresent their cybersecurity protections. And, in particular, in healthcare. What are your thoughts? So, why are we moving this direction, and how come we haven't been doing it more diligently in the past?
Cybersecurity is still a pretty new industry as far as things can go, and it's so rapidly evolving. Even the addition of regulatory requirements around cybersecurity was only two years ago. So this is a fairly new industry, and it's so rapidly evolving, I think that governments around the world are trying to figure out ways to get on top of it, and unfortunately, regulation moves a little bit slower than some industries such as cybersecurity. So it's an especially hard problem to solve. What we're trying to do now is bring some enforcement to an actual consequence, an actual punishment if cybersecurity standards are not adhered to when going through different processes. For example, if you're getting a car sold in America or getting a medical device sold in America or industrial control systems and automation systems, these all have different cybersecurity requirements that are constantly getting more and more strict and evolved, especially in healthcare. If these are violated, now there's going to be an enforced, actionable punishment against the companies that knowingly violated best cybersecurity practices. Knowingly violated is the key. Yeah. And we've been enforcing HIPAA for a really long time. So is this a big shift in your opinion, like away from or maybe in parallel to this HIPAA enforcement that's been going on? What are your thoughts on HIPAA versus what we're talking about here with medical devices?