    Episode 58 · September 9, 2025 · 25m listen · 4,570 words · ~23 min read

    When Medical Device Cybersecurity Becomes a Crime | Ep. 36 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 58 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This episode of The Med Device Cyber Podcast discusses a significant shift in the consequences of cybersecurity flaws in medical devices, moving beyond simple data breaches to legal prosecution. The hosts, Christian Espinosa and Trevor Slattery, center their conversation on a recent enforcement action by the U.S. Department of Justice (DOJ) against medical device manufacturer Illumina. They explain that Illumina faced legal action for selling their system under false claims, misrepresenting its security posture and failing to disclose known vulnerabilities. This case serves as a critical example of how cybersecurity failures can now constitute breaking the law.

    The main argument of the episode is that the stakes for medical device cybersecurity are immensely higher than for other industries, including general healthcare IT. While a HIPAA violation concerns the privacy of health information, a cybersecurity failure in a medical device can directly lead to patient harm, misdiagnosis, or even death. This increased risk to patient safety has prompted heightened government scrutiny. The hosts introduce the DOJ's "Civil Cyber-Fraud Initiative," which leverages the False Claims Act to prosecute government contractors and vendors—including those in healthcare—who knowingly misrepresent their cybersecurity practices. This initiative marks a new era where companies can be held legally and financially accountable for fraudulent security claims, not just penalized for breaches.

    The discussion also explores why this legal shift is happening now. The hosts attribute it to the rapid evolution of the cybersecurity industry and the inherent lag in regulatory adaptation. As the industry matures, regulators and law enforcement are developing more robust ways to enforce standards and punish negligence. They contrast the focus of HIPAA on information protection with the new emphasis on tangible patient safety. This evolving landscape necessitates that medical device manufacturers adopt a proactive, 'security by design' approach, integrating robust security from the very beginning of their long development cycles, rather than treating it as an afterthought. Failing to do so not only creates clinical risk but now also carries severe legal and financial repercussions.

    Key takeaways from this episode

    • Cybersecurity flaws in medical devices are now being prosecuted as legal violations, not just data breaches, with the Department of Justice (DOJ) taking enforcement action.
    • A key example is the DOJ's case against the manufacturer Illumina, which sold a system under false claims about its security and hid known vulnerabilities.
    • The DOJ is utilizing the False Claims Act via its Civil Cyber-Fraud Initiative to prosecute vendors who knowingly misrepresent their cybersecurity protections to government-funded entities.
    • The risk with medical devices is elevated because a security failure can lead to direct patient harm or death, a more severe consequence than a typical data privacy (HIPAA) breach.
    • Cybersecurity is increasingly viewed as a clinical risk integral to patient safety, rather than just a technical or IT issue.
    • The long development cycle for medical devices (often 6-7 years) makes it crucial to implement 'security by design' from the start, as retrofitting security is difficult and risky.
    • The industry is seeing a shift towards more proactive cybersecurity strategies, with some companies preparing for regulatory feedback on security even before they officially receive it.
    • With tangible consequences now a reality, medical device manufacturers can no longer afford to treat cybersecurity as a secondary concern or a checkbox item.

    Full episode transcript

    Host: Hi, welcome to another episode of the Med Device Cyber Podcast. Today we're talking about what happens when your cybersecurity flaw doesn't just cause a breach, but it breaks the law. And there's been a recent case where the Department of Justice had an enforcement against a medical device manufacturer, Illumina, and this is public knowledge, because they sold their system under false claims. There were some false pretenses about how secure the system was and the exact vulnerabilities weren't disclosed. They were sort of hidden. And the whole idea is that cybersecurity failures today are now being prosecuted, not just penalized, because the risk is much greater with medical devices. We're looking at patient safety. We're looking at potentially killing a patient or maiming a patient or misdiagnosing a patient. And this is a much greater risk than something such as HIPAA, which has traditionally been the enforcement within the healthcare umbrella. So, before we dive in too much, I want to introduce our co-host, here he is, Trevor. Trevor's coming to us. He just moved to California, the Bay Area, and he was explaining that he doesn't have California license plates or a driver's license, so he has to move his car quite often so he doesn't get a ticket. Is that what you were saying?

    Guest: Yeah, so in this neighborhood, you have to have a parking permit to park for longer than two hours. To get a parking permit, you need California registration. To get California registration, I need to get California insurance. To get that, I need California residency. And since I just moved here, I don't have any bills or any receipts, anything like that. So this is going to be a fun month of shuffling around my car every two hours. In a parking garage, the closest one to me is $500 a month. So I'm not going to do that. I'm just going to do the car shuffle for a month.

    Host: So this is particular to your complex then? Because I mean I've traveled to California with an out-of-state license plate and I didn't have to move my car all the time, but I'm not living in a neighborhood.

    Guest: It's just a San Francisco thing. This neighborhood has parking permits and all that. Some don't. And so sometimes people just leave their car wherever across the city and then just take the bus back and forth to their car.

    Host: Yeah, I guess that makes sense because I've been to California quite a bit and I would see these old RVs parked in random neighborhoods and they seem like they just park there and live in those RVs. So I understand the problem they're trying to solve. So no worries. I'm still in Phoenix today. Supposed to be another hot day. I went out for a walk yesterday. It was like 118, but it cooled down I think to 111 when I walked. It was a little bit later, but still pretty hot.

    Guest: A nice cool temperature of 111, perfect for a walk.

    Host: Hey, it's a dry heat. I was in New Jersey not too long ago and it was like 95 and 99% humidity, so that felt hotter to me than here.

    Guest: Yeah, Phoenix doesn't feel too bad. If you're out of the sun, it feels quite nice actually.

    Host: Yeah, the sun is definitely intense, yeah.

    Host: Awesome. So let's dive into this Civil Cyber-Fraud Initiative, which is DOJ's initiative to use the False Claims Act to really pursue vendors and contractors that misrepresent their cybersecurity protections, and in particular in healthcare. What are your thoughts on why we're moving this direction and how come we haven't been doing it, you know, more diligently in the past?

    Guest: Cybersecurity is still a pretty new industry as far as things can go and it's so rapidly evolving. Even the addition of regulatory requirements around cybersecurity was only two years ago. So this is a fairly new industry and it's so rapidly evolving. I think that, you know, governments around the world are trying to figure out ways to get on top of it. And unfortunately regulation moves a little bit slower than some industries such as cybersecurity. So it's an especially hard problem to solve. What we're trying to do now is bring some enforcement to an actual consequence, an actual punishment if cybersecurity standards are not adhered to. When going through different processes, trying to certify, for example, if you're, you know, getting a car sold in America or getting a medical device sold in America or industrial control systems and automation systems, these all have different cybersecurity requirements that are constantly getting more and more strict and evolved, especially in healthcare. And if these are violated, now there's going to be an enforced actionable punishment against the companies that knowingly violated best cybersecurity practices.