Episode 407

#407: Cybersecurity in MedTech: FDA Compliance, Patient Safety & the Hidden Risks You’re Missing

Christian Espinosa, founder of Blue Goat Cyber and leading voice in medical device cybersecurity, joins Etienne Nichols to unpack the urgent and often misunderstood topic of cybersecurity in MedTech. From FDA’s 2023 regulatory overhaul to real-world hacking scenarios that could harm patients, Christian provides practical advice for innovators, RA/QA professionals, and software teams. He also shares why waiting until the last minute on cybersecurity could cost startups millions—or even kill a project entirely.

Whether you're a quality professional trying to build compliant systems or an innovator racing toward FDA submission, this episode lays out exactly what you need to know to stay ahead of cyber threats and within regulatory guardrails.

Key Timestamps:

  • 00:01 – Intro to guest Christian Espinosa and Blue Goat Cyber
  • 06:28 – Why medical device cybersecurity is different from traditional IT security
  • 11:49 – Real-world hacking example: acne laser device turned skin-burner
  • 13:57 – FDA expectations post-September 2023: what changed
  • 17:12 – Secure boot: a microcontroller mistake that derailed a launch
  • 20:35 – Common cybersecurity vendor mistake MedTech companies make
  • 23:40 – SBOM: Software Bill of Materials and why it's legally critical
  • 27:58 – Cyberattacks in hospitals: assuming a hostile network
  • 35:44 – AI in medical devices: data bias and cybersecurity challenges
  • 41:10 – Developers ≠ cybersecurity experts: the training gap nobody talks about
  • 45:20 – What RA/QA professionals need to know now
  • 49:30 – Why cybersecurity must be iterative, not a final-phase add-on
  • 55:20 – Espinosa's final advice for MedTech professionals
  • 57:52 – The story behind “Blue Goat Cyber”

Standout Quotes:

“Cybersecurity for medical devices isn’t about data breaches—it’s about patient harm. You could paralyze someone or misdiagnose sepsis. This isn’t theoretical.”
— Christian Espinosa, on the real risks of insecure devices

“Most developers don’t understand cybersecurity. We assume they do—but that’s like expecting an architect to be a locksmith.”
— Christian Espinosa, on why so many devices fail security assessments

Top Takeaways:

  1. Cybersecurity isn’t just about data—it's about patient safety. From burning skin to missed sepsis diagnoses, vulnerabilities in devices have real-world harm potential.
  2. FDA now requires more than just a basic security plan. Post-September 2023 rules mandate testing (SAST, DAST, fuzzing), SBOMs, and risk assessments tied to patient harm.
  3. Start cybersecurity planning during the requirements phase. Hardware like microcontrollers must support secure boot and other protections—retrofits can cripple product plans.
  4. Iterate cybersecurity like any core development activity. One-time testing near submission is too late; build security into your pipeline just like QA or usability.
  5. Traditional cybersecurity vendors aren’t enough. Many fail to meet FDA’s nuanced expectations for medical devices, causing costly submission rejections.

References & Resources:

MedTech 101 – Understanding SBOM (Software Bill of Materials):

Think of an SBOM like a nutrition label on food. Just as you want to know if a product contains allergens or preservatives, FDA wants to know what libraries and components are in your software. A clean, complete SBOM identifies both security vulnerabilities and potential licensing conflicts—like borrowing ingredients you’re not legally allowed to use. Want a visual explanation? Consider a flowchart showing third-party libraries linking into your main software repository, flagged with vulnerability scores.
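As an added illustration (example code, not the podcast's or Blue Goat Cyber's own), the check below walks a constructed CycloneDX-style SBOM and flags the two things the note above calls out: components matching a constructed advisory list, and components whose licence a closed-source device cannot ship under. Component names, versions, advisory IDs and the copyleft list are assumptions, not real advisories.

```python
"""Flag vulnerable components and licence conflicts in a small SBOM.

Constructed example: the SBOM, the advisory feed and the licence policy
are all made up for illustration (ADV-* ids are placeholders, not CVEs).
"""
import re
from typing import Any

# Constructed CycloneDX-style component list (trimmed to what we need).
SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "openssl", "version": "1.1.1k", "licenses": ["Apache-2.0"]},
        {"name": "zlib", "version": "1.2.11", "licenses": ["Zlib"]},
        {"name": "readline", "version": "8.1", "licenses": ["GPL-3.0-only"]},
        {"name": "libfoo", "version": "2.4.0", "licenses": []},
    ],
}

# Constructed advisory feed: a component is affected below "fixed_in".
ADVISORIES: list[dict[str, str]] = [
    {"id": "ADV-0001", "component": "openssl", "fixed_in": "1.1.1l",
     "severity": "high"},
    {"id": "ADV-0002", "component": "zlib", "fixed_in": "1.2.12",
     "severity": "critical"},
]

# Licences that can oblige a manufacturer to release its own source
# when linked into a closed-source product (assumed policy list).
STRONG_COPYLEFT_PREFIXES = ("GPL-", "AGPL-")


def version_key(version: str) -> list[tuple[int, Any]]:
    """Sortable key for version strings such as '1.2.11' or '1.1.1k'.

    Numeric runs compare as integers; letter runs (OpenSSL-style patch
    letters) compare as strings and sort before a numeric run.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return [(1, int(t)) if t.isdigit() else (0, t) for t in tokens]


def vulnerable_components(sbom: dict[str, Any],
                          advisories: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return one finding per (component, advisory) where the shipped
    version is older than the advisory's fixed version."""
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if version_key(comp["version"]) < version_key(adv["fixed_in"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "id": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


def license_conflicts(sbom: dict[str, Any]) -> list[dict[str, str]]:
    """Flag components with a strong-copyleft licence or no licence
    declared at all (an undeclared licence is a conflict until resolved)."""
    conflicts = []
    for comp in sbom.get("components", []):
        licenses = comp.get("licenses") or []
        if not licenses:
            conflicts.append({"component": comp["name"], "license": "UNKNOWN",
                              "reason": "no licence declared"})
            continue
        for lic in licenses:
            if lic.startswith(STRONG_COPYLEFT_PREFIXES):
                conflicts.append({"component": comp["name"], "license": lic,
                                  "reason": "strong copyleft in closed-source device"})
    return conflicts


def sbom_report(sbom: dict[str, Any],
                advisories: list[dict[str, str]]) -> dict[str, Any]:
    """Combine both checks; 'blocking' is true if any finding is
    critical/high rated or a licence conflict exists."""
    vulns = vulnerable_components(sbom, advisories)
    lics = license_conflicts(sbom)
    blocking = lics != [] or any(v["severity"] in ("critical", "high") for v in vulns)
    return {"vulnerabilities": vulns, "license_conflicts": lics, "blocking": blocking}


if __name__ == "__main__":
    for key, value in sbom_report(SBOM, ADVISORIES).items():
        print(key, value)
```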

Poll Question:

Is cybersecurity currently integrated into your product development process—

A) From Day 1

B) Only near submission

C) We outsource and hope for the best

D) What cybersecurity?

What’s your biggest challenge when it comes to building cybersecurity into your product lifecycle? Email us your thoughts at podcast@greenlight.guru.

Feedback:

If this episode sparked new insights or raised questions, we’d love to hear from you. Send us your feedback or suggest a topic at podcast@greenlight.guru. We personally respond to every email and appreciate your ideas for future guests and discussions.

Sponsored by Greenlight Guru:

Most companies spend more time preparing for audits than in the audit itself. Greenlight Guru Quality lets you link cybersecurity and quality evidence directly to requirements, making you “always audit-ready.” Learn more at www.greenlight.guru.

Transcript

Etienne Nichols: Welcome to the Global Medical Device Podcast where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge direct from some of the world's leading medical device experts and companies.

Most medical device companies spend more time getting ready for audits than they do in the audits themselves. Greenlight Guru Quality organizes evidence by requirement, flags gaps and keeps you ready so you don't have to get ready.

See how Greenlight Guru Quality can help at www.greenlight.guru.

Hey everyone. Welcome back to the Global Medical Device Podcast. My name is Etienne Nichols. I'm the host for today's episode and with me today to talk about cybersecurity and FDA regulatory compliance as cybersecurity relates to medical devices is Christian Espinosa, who is a leading cybersecurity expert, best selling author,

and the founder of Blue Goat Cyber, Blue Goat Cyber, which is a company specializing in medical device security and FDA regulatory compliance. With a background in cybersecurity engineering and leadership, Christian has helped numerous medtech innovators navigate complex cybersecurity challenges while ensuring their devices are secure and FDA compliant.

He's also the host of the Medical Device or the Med Device Cyber podcast. We'll put a link in the show Notes to that where he educates manufacturers, cyber security professionals and regulatory experts on the ever evolving threats to medical devices.

Christian is a veteran, a 24 time. 24 time Ironman finisher. Did I get that right?

Christian Espinosa: That's correct, yeah.

Etienne Nichols: And a keynote speaker known for his work in cyber security leadership and high performance coaching. So I feel like there's lots of things we could talk about, Christian, but first of all, how are you doing today?

Christian Espinosa: Doing pretty good. Just got back from Dubai, a conference. Feel like I'm getting a little cold. But you know, this is what happens. Sometimes you travel on a plane for like 60 hours.

I think it's about 30 hours, door to door each direction.

Etienne Nichols: Amazing. Yeah. How was Dubai anyway?

Christian Espinosa: I. I love Dubai. Dubai is like probably my favorite city in the world. I love Dubai. I really want to expand my company and get a presence over there. I think they have a really good vision for the future.

Things are very planned out and it's very progressive and everyone's very collaborative. It's, it's, it's. Yeah, it's awesome.

Etienne Nichols: So of all the cities, that's your favorite? Is there one particular thing that stands out or is it just what you already said?

Christian Espinosa: I think what I already said and I also the variety of things to do, you know, they, they Want to have the. The best and biggest of anywhere in the world.

So, like, they have a cool go kart track. I went on and drove on. I was going to do an F1 experience where you get to drive a Formula 1 car last time I was there, but it got canceled because there apparently was a mechanical problem with the car.

But, like, things like that, you can't just do anywhere, you know, so it's. It's cool.

Etienne Nichols: Yeah, yeah, it's on my list. One of these days, when you get that, that when you expand out there, maybe I can visit you for work purposes. That'd be good for sure.

If we're going to talk about cybersecurity threats. Oh, and I didn't mention your two books that you've written as well. I'll just throw those out as well. I know you've written two books.

I have not read them myself, personally. I was looking at them before the interview, but one on developing that emotional intelligence for those who are smart in the room. Engineers.

I, you know, suffer from the same thing. Sometimes I want to be the smartest person in the room. It's not always the best situation. But I don't know if you wanted to just touch on your two books before we get rolling?

Christian Espinosa: Yeah, sure. My first book is called You're the Smartest Person in the Room.

And it's really about my first company and my entrepreneur, entrepreneurial journey with that company. Because I had a lot of challenges. And when I pulled back the curtain, I realized that 99.9% of my challenges were because my staff lacked emotional intelligence.

And in our industry, cybersecurity,

everybody wants to feel significant, but in our industry, people typically get their significance by being,

quote, smarter than somebody. So this shows up with talking over somebody's head, waiting for an opportunity to tell someone they don't know what they're talking about, which results in poor client relations and poor collaboration.

So I wrote that book to try to solve that challenge.

Etienne Nichols: Wow.

Christian Espinosa: I did solve it in my company. And what. What worked is what went into that book. Yeah.

Etienne Nichols: And that's okay. I have to ask now, how would you. How did you solve it in your. In your company?

Christian Espinosa: I had to establish core values. That was one thing. I used to think core values were kind of bogus. Like, integrity, like, everyone should have certain things. Right. But I realized, like, the challenge I had with people were because they.

There's a core value alignment problem. Like, I believe in ownership, for instance. That's one of our core values. I believe in a growth mindset. So that's one of the core values.

So I added those. And then I really worked hard to fix the culture.

So what I mean by that is, once I established core values, I rated people on those core values. So it wasn't just how good they were at their job as the cultural fit.

And some people I had to let go. And then when I hired new people,

I hired them based on core value alignment first and emotional intelligence first. And only if they pass that, did I bother to look at their technical skills. Yeah, like their, you know, degree or certification or qualifications.

In the past, though, I looked at the degree, qualification, certification. I looked at all that stuff first and it kind of like didn't even bother with the other stuff. So I flip.

I flipped the script on that.

Etienne Nichols: Was that scary?

Christian Espinosa: It was.

Etienne Nichols: I mean, let me. Let me clarify. I would think letting those people go seems like you knew it would work, I suppose, but seems.

Christian Espinosa: Well, as a leader of an organization, you have to enforce the culture you want to create. Otherwise it drifts drastically and pretty soon it'll be a toxic environment. Especially if you have people that are always posturing as the smartest person in the room and looking for ways to make other people feel small because they're not as rationally intelligent.

And that's. That's what I had. I had a couple individuals like that that just did not want to change. Their ego was too aggressive, I guess.

Etienne Nichols: Yeah. I'm just impressed that you would say, okay, this is how we're going to fix this problem. And if you hit. Your historic way of doing it was this way and you had some.

Sounds like some level of success doing that, completely changing that seems. Seems like it would have been intimidating. But that's impressive that you went for it and succeeded. That's awesome.

Christian Espinosa: Well, thanks. Yeah, it was intimidating. I had to do the work myself too, because I realized that I had a lot of growth to do as well.

Etienne Nichols: Yeah. Your second book, let's just go ahead and hit on it. Why not?

Christian Espinosa: The second book is. I got a copy right here, actually. I'm using it to hold on my mic.

The second book is the In Between Life and the Micro. It's really a focused memoir about where I've got things right and where I've got them wrong. Because I'm. I have a tendency, I.

I had a tendency, I still have a little bit of it, to get like super focused on a macro goal like the Ironman Triathlon or whatever it is. Like I have to accomplish this big thing and I would convince myself that that goal was so important that the things right in front of me,

like my relationship was like secondary, or my health was secondary or my finances were secondary. Like I just had these blinders on. And what ignored things is things fell apart right in front of me because I didn't pay attention.

So the book is about me kind of unraveling that and realizing that I need to have a better balance. Because the reality is, if I would have paid more attention to the moments right in front of me, which I call the micro moments, some of those big goals I was going after,

I probably would have realized, like, I don't really care about that goal as much anymore. But I got so, like, I gotta do this no matter what, right? That was like my blinders.

And that no matter what, you know, Unfortunately, a lot of those things became realized in relationships, like I said, fell apart and other things happened. So just striking that balance.

Etienne Nichols: Yeah. That's awesome. Well, we'll put links in the show notes to those if anyone's interested. I suppose at some point we should talk about the topic that we wanted to talk about today, which is medical device and cyber security.

And one of the things that I suppose I'd be interested in hearing your take on is, is what makes medical device special when it comes to cybersecurity.

Christian Espinosa: I think there's this general, this misconception that cybersecurity is cybersecurity. Like, if you're a cybersecurity professional, you know everything about cybersecurity, but it's very nuanced. And with like traditional cybersecurity,

we're typically concerned about protecting information.

Like, we want to make sure your credit cards aren't stolen. Like with HIPAA, your PHI, protected health information, is not stolen. With medical device cybersecurity, it's like a little bit different lens.

We certainly care about the information, but that's almost secondary to, like, if we were to attack this device and compromise it, what is the effect we could cause to a patient?

If it's a surgical robot, can we, you know, paralyze a patient? If it's a laser acne treatment, can, could we burn the patient?

If it's a in vitro diagnostic system, can we give a misdiagnosis or false diagnosis or miss something like sepsis? So it's really not so much about the information disclosure, which is traditional cybersecurity.

It's more about the lens of what harm can happen to a patient, which to me is much more severe, much more impactful, because we're talking about people's lives.

Etienne Nichols: Yeah, that makes sense. Do you. And I, I can think of a few examples, maybe specifically, but I wonder if you have any specific examples that you. That come to mind.

Christian Espinosa: Yeah, we, we've worked with probably 150 different devices over the years,

and one of them we worked with and a lot of people don't think about these kind of devices, but it's used in a med spa and it's used to treat acne.

So it has a laser that kind of burns the acne, but it has a cooling mechanism as well. We were able to hack into that device, turn off the cooling mechanism and turn up the laser.

So if they actually treated somebody, it burned like the hell out of their skin? Basically.

Etienne Nichols: Yeah.

Christian Espinosa: So it's. And then people. But people don't think about like a medical device in a med spa used for acne treatment.

So that's one of them. Another one, we've worked on in vitro diagnostic systems where we were able to compromise the system and cause it to give a true negative or a false negative when there's actually a true positive result.

So if somebody had sepsis and this device was supposed to show they had sepsis, it would say they did not have sepsis. And you know, with sepsis your blood is toxic.

Every, every minute counts. That patient could die. So, you know, there's been some pretty severe things we've looked at.

Etienne Nichols: Yeah, I know that medical or cybersecurity has changed over the last few years. Well, I say that the FDA seems like they've ramped up some of the requirements for cybersecurity. And you know, there's a lot of things in medical device, the medical device industry where we say, well, you've gotta,

you gotta start at this point. You gotta start at that point. You know, Greenlight Guru is in quality management system pretty heavily and, and we have certain ideas as to when you should start building that out.

I'm curious, when it comes to cyber security,

is it something that you can go back and just kind of patch on top of or. Or are there.

Christian Espinosa: What.

Etienne Nichols: When should you start building cybersecurity into your medical device?

Christian Espinosa: You should start with the requirements and the design. Why is that funny?

Etienne Nichols: That makes sense. That seems. I'm like, well, that makes sense.

Christian Espinosa: Unfortunately,

most people wait until like a couple months before,

like a 510(k) or PMA or premarket submission before they think about cybersecurity and they try to like bolt it on versus designing into the product.

And when they come to us to help them with the cybersecurity if their submission is like 60 days away and they haven't done anything about cybersecurity, we know we're going to find thousands of vulnerabilities in some cases,

which means they have to fix all those vulnerabilities if they're critical rated or high rated before the FDA in the US will approve their device. And this 99% of the time causes delays and it causes a lot of over budget challenges as well because they weren't prepared for this.

So if they would make the design,

the decision early on to engage someone like my company for cybersecurity, we can help them steer away from these challenges later towards the submission. And a good example is we have one client that came to us at the very end, like 60 days, typically before submission,

they made a design decision to use a microcontroller on their device that did not support secure boot.

The FDA requires secure boot.

So their device,

to get it approved, they had to basically turn off all the functionality and make it standalone. And they had this, this LTE connection, this, you know, cellular connection, they had Bluetooth, they had all these things that plan for this device.

But to get it approved because it would not support secure boot, they had to disable all that stuff. And then the idea is the next iteration, they'll swap out the microcontroller with one that actually supports secure boot.

But we could have helped them navigate all this if they would have talked to us earlier on.

Etienne Nichols: Yeah, that makes total sense. I love that you, I mean, I know I laughed and it's not necessarily funny, but if cybersecurity is a requirement, it should totally start with the requirements.

And I love that example in that the actual hardware is going to have to change in order to support the cybersecurity requirements. That's a really,

that's a pretty powerful example.

Christian Espinosa: Yeah. And that's not a simple change, obviously.

Etienne Nichols: You know, I've heard, and I don't, I not being a cybersecurity guy or in that world, I've heard some about the changes with FDA. Are there any above and beyond changes you mentioned?

You know, cybersecurity people think cybersecurity is just cybersecurity anywhere. And you gave the examples about how it could hurt a patient. But what about the levels that FDA requires? Are there certain things that are kind of new to the medical device world or any thoughts there?

requirements of September of:

And now to get something approved. You actually have to do a lot of cybersecurity work. You have to do, have the software bill of materials. You have to do static application security testing, penetration testing, fuzz testing, and risk assessment.

All this analysis you have, you now have to do. Before,

cybersecurity wasn't even really on the radar too much. The FDA said you should consider it, but it wasn't like, enforced. So I think now it's caught a lot of people off guard because we have large clients that have 20 different products,

and before they would get the product through the FDA, no problem. And now it's like they're getting rejected because all these challenges, they come to us as like, you know, as someone that could help them.

They come to us say, we got this product and it got rejected and we don't know what to do because we thought we were doing cybersecurity. Right. And that's where we step in and they become our client and we help them with that.

So it's really up the ante. And I think the bottom line is,

like, as someone on my team always says, cyber security is like a necessary evil. Like, nobody cares about it unless it's mandated, and now people have to do it, which I believe is a good.

A good thing, especially with when we're talking about patient safety.

Etienne Nichols: Yeah, yeah, I would agree with that. It. I was talking to somebody recently and they were just talking about the number of attacks on their website a day, and it's in the.

In the thousands, and we just don't even bat an eye on that. Yeah, okay. But if you stop and think about that, your website's being attacked that many times a day, and, and I don't know what it is for medical devices, but, I mean, it should be something that we care about and if it's going to impact people we love.

Christian Espinosa: Yeah. And the challenge with medical devices, one of the other challenges is they're deployed in a healthcare delivery organization's network, like a hospital.

And we consider hospital networks hostile networks from the perspective of a medical device, meaning that it's just assumed that the hospital network is already compromised,

which means that that medical device is going to be constantly under attack, just like you mentioned with the web server, because there's already a threat actor on the environment in which you've placed the medical device.

Etienne Nichols: Wow. Yeah, that's. That kind of blows my mind a little bit. So how do you.

Is there a difference in the approach when you have that hostile environment versus maybe another environment?

Christian Espinosa: No, we always assume that from a threat model perspective that the device is going to be in a hostile environment. Yeah, we can't. I mean, you can do some things like if the device requires physical access,

but you still have to rely on the user of the device to put it in a room that nobody can just walk up to it, for instance. So you have to assume it's going to be.

Your instructions are not going to be followed properly about how to set the device up. And it's just people are going to try to compromise it. That's why with a medical device, we have to look at every entry point into the device.

If there's a thumb drive port, a USB port, an HDMI port, Bluetooth, NFC,

Wi-Fi, we have to try to attack every single way into it, assuming that somebody will get access to that port.

Etienne Nichols: Yeah.

Christian Espinosa: Or that way in.

Etienne Nichols: Not every company is likely going to engage with a company like your receiver, whether they should or not, but if and when they were. I'm curious what you would say because you, you, you talked about a company that they finally did become a client or whatever, and you have to go back and work on what they,

what they were originally working on. How would you advise companies to move along the, from requirements to that submission level and to determine whether or not they need someone like you?

What's the, what's the prep work that makes your life easier and makes the life easier of all cybersecurity experts?

Christian Espinosa: So we work with a fair number of startups and we have a service where it's like a block of hours for consulting.

So we prefer they start with us for this block of hours, which is not that much. We give them as many hours as we think. It's usually like less than $5,000.

And we can help them with those design decisions and the requirements, such as picking the right microcontroller and then later on when they're getting ready for their submission,

because we offer a full service submission package where we do all the documents and all the testing, we'll give them a discount on that submission package because we already know we're not going to have as many issues.

It's going to be less work for us because we've helped them at the very beginning. So it actually saves them a lot of money if they engage with someone like us sooner than later.

But cybersecurity is also an awareness problem. A lot of people just don't know what they don't know.

Etienne Nichols: Yeah. What's one cybersecurity mistake that medicine, medical device companies usually make that leads to delays or compliance issues in that submission.

Christian Espinosa: The biggest mistake that we have seen is what I mentioned earlier. Like, I think if I'm a medtech innovator, I think cybersecurity equals cybersecurity. So what often happens is the medtech innovator company, the manufacturer will choose a traditional penetration testing cybersecurity company.

So they'll run their traditional test, which doesn't meet the requirements for the FDA. So then the manufacturer will submit the report and everything, and the FDA kicks it all back and says, wait a minute, you didn't do this.

This, this, this. Your risk matrix doesn't consider patient harm. It doesn't look at exploitability. You know, there's all these things that are unique to medical device testing that traditional cybersecurity companies don't do.

So then what happens is, is that manufacturer, once they get all these deficiencies from the FDA, will reach out to us to address all the deficiencies. And we know what we're doing because we work with the FDA all the time.

So I would say that's probably one of the biggest things we see all the time. We see deficiencies because a manufacturer chose a normal cybersecurity vendor which doesn't really know anything about medical devices or regulatory affairs or the FDA, and they did their best to test the device and provide reports,

but it's not sufficient.

Etienne Nichols: Yeah. Hmm. Interesting.

being a big deal out of that:

Christian Espinosa: SBOM has for some reason been a controversial topic with our clients. The SBOM is the software bill of materials. So if I create a product, I borrow bits of code and third party libraries from other places to put into my product.

But some of those third party libraries or some of that code I borrow might have a vulnerability. And this has been demonstrated by like Shellshock and all these different attacks that affected many, many devices out there.

But the device manufacturer didn't even know that they had the vulnerability because they didn't understand that bill of materials. So the idea is to have a complete bill of materials for your device and to look at all the vulnerabilities on there.

And this bill of materials should be publicly available. Someone should be able to look at it because they, as a consumer, I should be able to see what other software makes up this product I'm buying.

But a lot of our manufacturer, a lot of manufacturers we deal with, they don't want to make that public. They think it's like someone can steal their source code or reverse engineer their code, but that's not true.

The SBOM is just the libraries that make up your software that are composed of. That your software is composed of.

So the one issue is the vulnerabilities that are in those libraries and fixing those.

The other issue is that a lot of people overlook is licensing. And this could be an actual bigger issue if you're concerned about intellectual property. But if you use a third party library that you're not technically licensed to use,

or the license agreement could say, at any point in time, if you use my library, I can ask you to make your closed source code open source. Now, that reveals somebody's intellectual property.

So it's not just the vulnerabilities in the third party library. It's also the liability and the vulnerability that the company, by misusing or not fully understanding the license agreement, may have to disclose of their source code.

Etienne Nichols: Wow. Yeah. I never would have thought about the almost litigious nature of building out an SBOM. That's really interesting. Yeah,

that's one of the things that I saw just from my lack of knowledge, really from a cybersecurity standpoint of evolving medical devices requiring that SBOM for a lot of devices that may not have considered themselves a software medical device still required to build out an SBOM because they did have that connectivity and so on.

Christian Espinosa: Well, I think, yeah, like if I'm going to buy a car, I have a right to know who makes the brakes in the car, who makes the spark plugs. I have a right to know the bill of materials for the vehicle.

And I think if I'm going to buy a medical device, I have that. Same. Right.

Etienne Nichols: Yeah.

Christian Espinosa: And yeah, because I. There's a whole push in the FDA to have transparency.

So I can't have full transparency if I'm hiding all the components that make up my device that are open source. Right. So we need to like be able to disclose those.

Etienne Nichols: Yeah, that makes sense. I mean, it's almost like the ingredients on a can of WD40 or, or maybe some, maybe a better example would be food that you eat. You want to know the ingredients.

Doesn't mean you can actually recreate, you know, hot sauce, Louisiana hot sauce. But you see, you want to know everything that's in there.

Christian Espinosa: That's exactly right. It's a good analogy.

Etienne Nichols: What about, what about the future of medical device? I mean, we've seen some of this changes in the last couple years and now we've seen this year administrative changes at the FDA level and so on.

And the market seems to be a little bit, in a little bit of turmoil regarding some of those things. But what about from a cybersecurity and FDA compliance standpoint? Do you see any movement or changes, maybe even from an AI standpoint?

I'm curious what your thoughts are.

Christian Espinosa: Yeah, we see AI coming out more with devices. There's a lot of AI software as a medical device that do sort of, sort of image enhancement like with ultrasound or MRI.

And what is a concern now is the model, the AI models and how they're being trained and how they're being protected.

Like an IVD system. We've worked with some of those that have AI. If it's not trained properly, it can give misdiagnosis. So if you feed like an IVD system, you know, a million images of a cancerous tumor and 100 of a non cancerous tumor, the model is gonna be predisposed to say it's cancerous.

Right?

Etienne Nichols: Yeah.

Christian Espinosa: So we just have to be very careful about how we train these models and where we get the data to train the models, and that opens up a whole can of worms too.

Because this data is not widely available. In some countries, it's hard to get the data. So now I'm only training the model on data from people in the United States or data from people in Europe.

Right. So we can't actually accurately train a model without the right diverse data sets. But it's hard to get this intelligence from other countries when they don't have a system that shares, you know, the bacteria or the cancer diagnosis or the data on that.

So it makes the models very biased at some point as well.

Etienne Nichols: Yeah. It seems like you're almost compounding the knowledge that is necessary as well when you have to cross those cultural barriers. I use the example of maybe a blood oxygen sensor across different skin tones, for example, and how to determine that and distinguish between those things. I mean, you're kind of laying on new requirements almost when you really diversify across a broad spectrum, I would expect.

I mean, it's just kind of me trying to feel my way through that problem.

Christian Espinosa: Yeah, it's that. That's how to program the AI model and train it. But there's also, from a cybersecurity perspective, the different attacks on a model. You know, we can inject, we can throw tons of garbage data at it and it's going to throw garbage out, or a misdiagnosis.

We can try to evade the model and get through it. So I mean, there are lots of different attacks as well.

It really is a complex layer. There are lots of benefits, but there are also lots of downsides if we don't manage it properly.

Etienne Nichols: I am curious, and this is me just following my curiosity. We talk about threats and we talk about all the different ways that things can be attacked. I never really talk about where these are coming from or what's being done about that end.

I don't know if you'd be able to touch on that. We can move on if you'd rather not. But I'm just curious about that.

Christian Espinosa: So there are two main categories.

One is a directed attack and one is a non-directed attack.

Like 99% of the stuff that's going to hit a medical device is non-directed. That means it's malicious software propagating across the Internet, propagating across the hostile hospital environment.

And if it finds a vulnerability, it's going to latch onto it and install ransomware, do whatever the threat actor is trying to accomplish. So usually they're doing something to make money, which is ransomware, typically.

So that's non-directed, and that's just going on all the time. Like I've stood up a server in AWS before and within like one minute it's been hit like 8,000 times by people trying to break into it.

And I just put it up there, right? So this is the magnitude of these attacks going on. And most people don't think about it, but it's like people are constantly trying to get into your car.

You know, they're walking through the parking lot, checking every door, and if your door is unlocked, then they're going to get in your car, right? So that's how it is.

Times like a million in the cybersecurity world. We just don't see it because it's virtual. So that medical device that's deployed, it's going to be attacked over and over and over and over.

And if it has a vulnerability, it's going to be compromised. So that's non-directed. The other one is directed. This is where a malicious actor is intentionally targeting somebody. An example of this was **** Cheney, the vice president, quite some time ago. He had a pacemaker and a defibrillator.

There was a legitimate threat that someone could wirelessly connect to his defibrillator and shock him to death. So he had the wireless feature disabled on his pacemaker. But that was a nation-state directed attack against a specific target, versus stuff just propagating across the Internet, which is the non-directed attacks.

Etienne Nichols: Yeah. Wow, that's interesting. Yeah,

it's amazing to me how much there is out there, but I really like that example of somebody going through the parking lot, just checking every door, and if yours is unlocked, I mean, it's going to happen.

That makes sense. Where do you see medical device cybersecurity requirements evolving, like in the next five or ten years? Any changes you see coming?

Christian Espinosa: Well, since the FDA has made the changes and other areas have followed, like MDR, I think the requirements are going to improve from a cybersecurity perspective and the controls are going to improve.

I still think, though, we're going to have the same challenges where people wait until the last minute, because from my experience, and I've been doing this for like 30 years,

software developers do not understand cybersecurity. And a lot of people assume that this technical developer understands security, but that is not the case. Maybe 1% of the developers I've met understand cybersecurity.

So until we solve that problem, which is further down, like at the root, we're going to continue to have this problem. Because the bottom line is software developers develop sloppy code from a security perspective.

And it's not their job necessarily to break into their device, it's their job to build the device. But it's our job as penetration testers and hackers to break into the device and make it do things it wasn't intended to do.

Whereas the developer, their job is to make it do what it's supposed to do from a functionality perspective. So there are different skill sets. But until we close that gap, I think, you know, five years, 10 years down the road, nothing's going to change.

Yeah, it's still going to be sloppy code from a security perspective, and people are going to wait until the very end, and then we come on and try to bolt cybersecurity onto something.

I think we're slowly progressing to where people actually consider cybersecurity from the design and requirements point of view. But, like I said, I've been doing this for a while, and these are very slow changes.

Etienne Nichols: Yeah.

How do you see it, like if I was the owner of a medical device company and I have a software team, and they're working on it.

Outside of having a company come in and kind of go through and look at our requirements, add some of those requirements, evaluate some of the software and related hardware and firmware, what would be the answer to close that gap besides just hiring a cybersecurity expert in?

Is there one?

Well, maybe that's an option. What do you think would be the solution to close that gap if you could do anything?

Christian Espinosa: I think a solution to close the gap, if I am the person with the idea and I'm outsourcing my product to be developed by someone,

the solution is to ask them how they develop software, ask them how they do their CI/CD pipeline, and ask them if they do secure software development. And ask those questions at the beginning.

Because the answer will probably surprise most people. Because the answer is typically they don't know what you're talking about when you say secure software development. But if you can find a software development company that actually has a process where they develop the software, they test it for security, they develop it,

test it, some iterative process where it's gated and it's a pipeline that has security built in, that's the company to choose to develop your software. So I think a lot of it is just having that awareness of what questions to ask.

Because typically if you ask a better question, you get a better answer. Right? But often we don't know what question to ask.

Etienne Nichols: Yeah, our audience is primarily composed of quality and regulatory professionals. And I wonder what advice you would give them that they would benefit from knowing about cybersecurity when it comes to their roles in quality, whether it's quality assurance, building out their quality management system, et cetera.

And the regulatory professionals who are working directly with product development, et cetera, what are the things that they need to know about cybersecurity that would make their lives easier and better?

Christian Espinosa: We work with a lot of RA/QAs as well. I think one of the things that needs to be understood is it's going to take much longer than you anticipate. You know, just like we're used to biocompatibility studies, animal studies, sterilization studies, all these other studies that take a long time.

Cybersecurity should be linked in there too, as something that takes a long time. I think in the past it was kind of an afterthought because it really wasn't enforced. But now, if I was an RA or QA, I would want to make sure that on my timeline for a submission,

I consider that cybersecurity is going to take six months at least. Because the assumption is whoever we hire to do cybersecurity is going to find things that are broken, find vulnerabilities. And the longest part of this process for us is how long it takes the client to fix the things we identify.

We have one client in Europe where we found 6,000 vulnerabilities. Because they waited until the last minute, it's been almost a year, and they still haven't fixed those 6,000 things. And they're getting frustrated.

They're like, we're just going to submit it to the FDA. And we're like, you can do that, but it's going to get rejected, because the FDA wants to see evidence that you fixed the things and mitigated them.

So if they would have started earlier, like in that requirements or design phase, we could have helped them ward off those 6,000 vulnerabilities, which doesn't sound like a big deal.

But if you're a company trying to bring something to market and it's delayed for a year, your investors are going to get ****** off at you, your time to market is dwindling, and it's very costly.

Right. And in some cases, we had a couple of companies that, after we tested their stuff, there were so many vulnerabilities they decided to abandon the project. Wow, this is like four years of work of someone's life, and you forgot about this until the last minute.

Now you're just going to abandon the project. But like, yeah, we can't afford to fix these things.

Etienne Nichols: Yeah, yeah.

Christian Espinosa: So I would say sooner rather than later. It's going to take a long time. And it is a bigger problem than most people realize.

Etienne Nichols: Could you kind of walk through the when?

I mean, ideally you would have cybersecurity people working alongside the project the entire time. I almost look at it like you mentioned sterility, biocompatibility, et cetera. You have to design that into the project.

So, I mean, it's part of the product, and it's not just something you put in the requirements and test later. It's part of the product.

But that being said, those are a little bit easier for me to understand. I put those into the product. We've chosen materials. I mean, a microprocessor might be a good example, but we've chosen the materials that are biocompatible, et cetera.

And we worked through the product testing, and now we get to this other testing, which is sterility, biocompatibility. Would you equate it kind of similarly, like, now I put it in the hands of a

verification and validation team for cybersecurity, or what does that process actually look like?

Christian Espinosa: The process is a little bit different than what you described. That's more like you have this block of time where you work on sterility or biocompatibility. With cybersecurity,

I think it needs to be iterative.

So you have your team that's developing the software.

At various points of that development, we should do the testing. That way we don't wait until the very end and find those 6,000 things. We might find 15 things in the beginning iteration of testing that we can have them fix at the root, and later the code is better the next time we test it.

So it should be an iterative approach versus a block of time where we do this one thing. And the iterative approach could be, like, once a quarter our cybersecurity organization tests our software as it's being developed, and that'll ward off a lot of the challenges as well.

Etienne Nichols: That's helpful. Okay, I'm glad I asked. Even though my example is wrong, I'm even more glad because of that. So that's great. What's one piece of advice that you give medical device professionals

for ensuring cybersecurity in medical devices? Just one piece of advice.

Christian Espinosa: The medical device professionals?

Etienne Nichols: Yeah. As it relates to cybersecurity and so on.

Christian Espinosa:

I think it's...

I mean, medical device professional is a big audience. If it's like an innovator or an investor, which are two of the biggest in the ecosystem that are bringing a product to market,

I think it's extremely important to take ownership of cybersecurity. A lot of people just like to tune out when they hear cybersecurity. But if I tune out and don't pay attention, and it's not on my timeline, it's not funded for, then it's going to cost me a lot of money and a lot of time and,

you know, maybe some embarrassment or whatever else. So I think taking ownership of it is no different than a small business owner. I think they should take ownership of cybersecurity, at least learning about it enough that you can make intelligent decisions.

Because a lot of people with small businesses tune out as well. Like, oh, I don't understand that. But just like you have to understand marketing or sales or insurance or human relations or HR, you probably should understand a little bit about cybersecurity, but people across every industry tend to just tune out about it. I think that's largely related to what I wrote my first book about, where in the cybersecurity industry we've overly complicated it with all these acronyms,

all these complicated frameworks. It's actually a lot simpler. The problem is most people don't know how to explain it in simple terms. So when we start talking to a cybersecurity person, it's like at a cocktail party: nobody wants to talk to that person because they're going to start talking this robot talk,

as someone used to say, and it's like 12 sentences with all acronyms. And you're going to be like, I don't even know what they just said, but I don't want to talk to that person anymore.

So we have to improve how we communicate in cybersecurity. But on the flip side, as professionals, we need to take some ownership and learn about it, you know, not as much as we can, but enough to be effective at our decision making.

Etienne Nichols: Yeah, I think the medical device industry in general sort of shares that same issue that you described about the cocktail party. I mean, you know, why are we making this so complicated?

They're devices, but we have to make sure they're safe and effective, and that's the layer that is required.

Really good conversation. I appreciate you explaining all these things and putting up with me, as I consider myself a layperson when it comes to cybersecurity, but you actually inspired me.

I mean, I'm not going to lie, the analogy with the person walking through the parking lot, just checking every door, is really ringing true with me. So that's maybe inspired me a little bit to look more into it even.

Where can people go to find you and what you're doing?

Christian Espinosa: They can go to my company page, bluegoatcyber.com. LinkedIn's a good place. Yeah, we have some content going out like every single day. We have short videos going out every day.

Etienne Nichols: And yeah, we started to talk about this when I visited your podcast, but I don't know that you told me why Blue Goat Cyber. What does the name mean?

Christian Espinosa: So I climb mountains. I've done two of the seven summits.

That's the highest peak on every continent. And when I climb mountains, I always see goats way up in the mountains, and they're always trying to get to, like, the next level.

And sometimes you see them on these very precarious cliffs. So I like the fact that they're very persistent, they're agile, they're always trying to level up. I think those are good traits for a company.

Goats are a little bit stubborn, too. That might be a good trait for a company. I'm not sure. And then when I'm in the mountains, the mountains are beautiful, like white snow and the blue sky.

I find the blue sky very tranquil and peaceful in the mountains. So that's why Blue Goat.

Etienne Nichols: Yeah, no, I like it. I've gotten the advice in the past that if you ever start to get overwhelmed, or not understanding things anymore, or just not sure which direction to go, get to a high place.

It puts things in better perspective. And I don't know if that's true for you, but I found that to be true for me.

Christian Espinosa: Yeah, I call that condor vision. Like in life,

it's good to zoom out and look at your life from a bigger bird's-eye view, really, and see where you are. And then you can maybe see the obstacles and get a different perspective on it.

Yeah, a hundred percent.

Etienne Nichols: Well, maybe in another podcast on another topic, we could go into all these other things. These are interesting to me. So you seem like a wealth of experience, and it's just really interesting.

So I really appreciate you taking the time to talk with us today, Christian.

Christian Espinosa: Yeah, thanks so much for having me on, Etienne.

Etienne Nichols: To those who've been listening, thank you so much, and we will see you all next time. Take care.

Thanks for tuning in to the Global Medical Device Podcast. If you found value in today's conversation, please take a moment to rate, review and subscribe on your favorite podcast platform.

If you've got thoughts or questions, we'd love to hear from you. Email us at Podcast at Greenlight Guru. Stay connected for more insights into the future of medtech innovation. And if you're ready to take your product development to the next level, visit us at www.greenlight.guru.

Until next time, keep innovating and improving the quality of life.

About the Podcast

Global Medical Device Podcast powered by Greenlight Guru
The Global Medical Device Podcast, powered by Greenlight Guru, is where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts ...

About your host


Etienne Nichols

Mechanical Engineer, Medical Device Guru, and host of the Global Medical Device Podcast