Debunking the Top 5 Medical Device Cybersecurity Myths Holding Back Innovation

Cybersecurity in the medical technology (MedTech) industry is a topic that often creates confusion and misconceptions. Many leaders in the space are uncertain about the actual risks, responsibilities, and best practices associated with securing connected devices and healthcare networks.

To help clear the air, we sat down with Christian Espinosa, CEO and Founder of Blue Goat Cyber, at the MedTech World Asia 2025 conference in Singapore. In a candid “Mythbusters” session with Shara Layton from MedTech World, Christian tackled the biggest cybersecurity myths holding back innovation in the MedTech industry.

Myth #1: If It’s FDA Approved, It Must Be Secure

The first myth Christian debunked was the notion that if a medical device is approved by the FDA, it must be secure from a cybersecurity standpoint. As he explained, “FDA approval just means you’ve met the minimum requirements for the FDA, but there are still additional things you should do.”

In fact, Christian pointed to a recent case where a company “basically falsified their submission to the FDA” for a genetic sequencing device. “They got approved and then a whistleblower came forth to say they falsified the submission and this device…was really not secure at all,” he said. “So there was a false assumption that it’s secure because people can slide things through the FDA to get approved without actually doing the security.”

The takeaway is clear: FDA approval is not a guarantee of cybersecurity. Medical device manufacturers must go above and beyond the minimum regulatory requirements to ensure their products are truly secure.

Myth #2: Hackers Don’t Target Medical Devices, They’re After Banks

The second myth Christian debunked was the idea that hackers aren’t interested in targeting medical devices, and are instead focused on attacking banks and other financial institutions.

“Hackers often don’t target anything specifically,” he explained. “They have malicious software that is propagating across the internet looking for a vulnerable target. And if the vulnerable target happens to be a medical device, then that device is going to be compromised, often with something called ransomware.”

The reason medical devices are attractive targets, according to Christian, is that they are often connected to hospital networks, which he described as “a hostile network” that is “always under attack.” Hackers know they can hold these critical devices for ransom, forcing hospitals and patients to pay up in order to regain access and functionality.

So the reality is that medical devices are very much in the crosshairs of cybercriminals. Manufacturers and healthcare providers can’t afford to be complacent about security, assuming they won’t be targeted.

Myth #3: Only Hospitals Need to Worry, Not Device Manufacturers

The third myth Christian tackled was the idea that only hospitals need to worry about medical device cybersecurity, not the manufacturers themselves.

“Device manufacturers need to worry because if there’s an issue with their device, somebody hacks into let’s say a surgical robot and that robot causes somebody to be paralyzed or kills a patient, who do you think is going to be liable?” he said. “It’s going to be the hospital a little bit, but it will go back to the medical device manufacturer as well.”

Beyond the legal liability, Christian also pointed out that compromised devices can severely damage a manufacturer’s brand and business. “It’s not going to be good for their brand if their devices are compromisable, which will hurt their business as well,” he explained.

The bottom line is that medical device manufacturers have a critical responsibility to ensure their products are secure. They can’t simply pass the buck to the hospitals and healthcare providers using their technology.

Myth #4: AI Will Solve Cybersecurity Risks Automatically

The fourth myth Christian debunked was the notion that artificial intelligence (AI) will automatically solve cybersecurity risks in the medical technology space.

“AI, we like to think it will help with cyber security, but it actually introduces a lot of issues with cyber security,” he said. “The reality is it’s kind of like AI versus AI. The people trying to defend their environments utilize AI, but those trying to attack the environments also employ AI. So, it’s basically which group is better at training AI, the attackers or the people producing the product and the people trying to defend their device?”

Christian pointed to a real-world example to illustrate the dangers of over-relying on AI in healthcare applications: “There was a case not too long ago where, with a counseling app or therapy app, a suicidal patient was getting counseled by the AI chatbot, and at some point the AI chatbot told the patient to go ahead and kill themselves. The patient killed themselves, and now the family is suing that company, because we like to think about AI in terms of when it gets things right, but not when it gets things wrong. But in a medical device or healthcare use case, when it gets something wrong, the consequences can be pretty dire, like the one I just mentioned.”

The key takeaway is that while AI can be a powerful tool in the fight against cybercrime, it’s not a silver bullet. MedTech leaders must approach AI-powered security solutions with caution and a clear understanding of the risks.

Myth #5: Cybersecurity Slows Down Innovation

The final myth Christian debunked was the idea that cybersecurity slows down innovation in the medical technology industry.

“The lack of cybersecurity slows down innovation,” he said. “And that’s a good myth, because people often think that. But from our experience, when medical device manufacturers don’t consider cybersecurity and they try to do a submission, then it’s slowed down, because they have to go try to retroactively add cybersecurity to their device. Whereas if they would have designed it into their device at the beginning, it would have actually sped up their time to market.”

In other words, proactively building security into the design and development process can actually accelerate a medical device’s path to market, rather than slowing it down. Trying to bolt on security after the fact is what really creates delays and complications.

The Path Forward: Awareness, Accountability, and Proactive Security

Christian’s myth-busting insights underscore the pressing need for greater awareness, accountability, and proactive security measures in the medical technology industry.

As he noted, “I feel like it’s an awareness challenge in MedTech.” Too many MedTech leaders are operating under false assumptions about the cybersecurity landscape and their own responsibilities. Raising awareness and educating the industry is a critical first step.

But awareness must also be coupled with a clear sense of accountability. Medical device manufacturers can no longer pass the buck to hospitals and healthcare providers. They have a duty to ensure their products are secure, both to protect patients and to safeguard their own brands and businesses.

Finally, the key to success is taking a proactive, security-first approach to innovation. As Christian emphasized, “if they would have designed it in their device at the beginning it would have actually sped up their time to market.” Embedding security into the entire product lifecycle, from design to deployment, is the best way to mitigate risks without slowing down progress.

To learn more about Blue Goat Cyber’s cybersecurity services for medical device manufacturers, schedule a Discovery Session.

Key Takeaways:

  • FDA approval does not guarantee cybersecurity for medical devices.
  • Hackers actively target medical devices, often using ransomware to extort them.
  • Medical device manufacturers, not just healthcare providers, are responsible for securing their products.
  • AI-powered security solutions have limitations and risks that must be carefully managed.
  • Proactively designing security into medical devices can actually accelerate innovation, rather than hinder it.
