
Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO
Published May 2025 · Last reviewed May 2026
The Med Device Cyber Podcast · May 1, 2025

In this episode of The Med Device Cyber Podcast, hosts Trevor Slatterie and Christian Espinosa tackle the often-controversial topic of bridging the gap between medical device developers and cybersecurity experts. They explore scenarios where development teams become defensive after vulnerability assessments, particularly when those assessments are conducted close to FDA submission deadlines. The discussion highlights the inherent tension between developers focused on functionality and UI and cybersecurity professionals dedicated to discovering vulnerabilities. The hosts emphasize the critical role of emotional intelligence in navigating these interactions, stressing that penetration testers' primary goal is to help secure products, not to attack developers' work.

They delve into the challenges of achieving truly secure development, acknowledging that while it is possible for developers to understand both development and security, the rapid evolution of both fields makes it unrealistic for one individual to master both. The conversation touches on the lack of widespread adoption of secure software development pipelines, despite the availability of tools and methodologies such as OWASP guidelines and static/dynamic application security testing. A significant portion of the episode is dedicated to the impact of unrealistic timelines and budget constraints, which often lead to security being deprioritized. The hosts also draw an analogy between cybersecurity and dental visits, portraying both as necessary evils that are more cost-effective and less painful when approached preventatively. This episode is essential listening for product security teams, regulatory leads, and engineers seeking to foster better collaboration and implement more robust security practices within medical device development.
Key Takeaways
- Effective communication and emotional intelligence are crucial for cybersecurity experts when presenting vulnerabilities to development teams to avoid defensiveness.
- Integrating security practices early in the Software Development Life Cycle (SDLC), including threat modeling and rigorous security requirements, is essential for building secure medical devices.
- Unrealistic business timelines and budget constraints frequently lead to the deprioritization of cybersecurity, highlighting a significant challenge in the medical device industry.
- While full mastery of both development and cybersecurity is difficult, developers can significantly reduce vulnerabilities by implementing basic secure coding practices and leveraging specialized cybersecurity expertise for complex issues.
- Preventative cybersecurity measures, akin to regular dental check-ups, are ultimately more cost-effective and less painful than reactive incident response and remedial fixes.
- Most major data breaches are caused by misconfigurations and human error, rather than complex coding exploits, underscoring the importance of basic security hygiene and awareness.
- Tools like Static Application Security Testing (SAST) are effective at identifying common, low-hanging fruit vulnerabilities, but penetration testing remains critical for uncovering deeper, more subtle flaws like those resulting from copied code with compromised keys.
- Organizations should consult OWASP guides and other resources to establish secure coding practices and integrate security into their CI/CD pipelines from the outset, rather than attempting to retrofit security into existing, established systems.
- The regulatory landscape, including mandates from bodies such as the FDA and the EU MDR, is a primary driver for cybersecurity adoption in the medical device sector, pushing organizations to address security concerns they might otherwise overlook.
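To make the SAST and CI/CD takeaways above concrete, here is an added example (it is not code from the podcast, its hosts, or Blue Goat Cyber) of the kind of lightweight static check a pipeline gate can run over source files: it flags hardcoded credentials and private-key material of the sort that arrives with copied code, plus a couple of well-known dangerous calls, and returns a pass/fail verdict for the build. The rule patterns, severity levels and the sample source module are all constructed for this example and are deliberately small; a production SAST tool applies far more rules and understands code structure rather than matching lines.

```python
"""
Added example: a minimal SAST-style line scanner with a CI gate.
Not the podcast's or any vendor's code; rules and sample input are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high" or "medium"
    line_no: int
    text: str


# Illustrative rule set (name, severity, compiled pattern). Real tools carry hundreds
# of rules; these four cover the cases discussed on the page: leaked keys and
# a few low-hanging-fruit calls that static analysis reliably catches.
RULES = [
    ("hardcoded-secret", "high",
     re.compile(r"""(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[=:]\s*['"][^'"]{8,}['"]""")),
    ("private-key-block", "high",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("unsafe-eval", "medium", re.compile(r"\beval\s*\(")),
    ("insecure-hash", "medium", re.compile(r"\bhashlib\.(md5|sha1)\s*\(")),
]


def scan_source(source: str) -> list[Finding]:
    """Run every rule over every non-comment line and collect the matches."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # comment-only lines are skipped to reduce noise
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, severity, line_no, stripped))
    return findings


def ci_gate(findings, fail_on: str = "high") -> bool:
    """Return True if the build may proceed, i.e. no finding at or above fail_on."""
    order = {"medium": 1, "high": 2}
    threshold = order[fail_on]
    return not any(order[f.severity] >= threshold for f in findings)


# Constructed sample: a module "copied in" from another project, carrying a key.
SAMPLE_SOURCE = """\
# constructed sample module copied from another project
import hashlib
API_KEY = "sk_live_EXAMPLE_0123456789abcdef"
def checksum(data):
    return hashlib.md5(data).hexdigest()
def run(expr):
    return eval(expr)
"""

if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"{f.severity:6} line {f.line_no}: {f.rule}: {f.text}")
    print("gate:", "PASS" if ci_gate(results) else "FAIL")
```

Against the constructed sample the scanner reports the hardcoded key as high severity and the MD5 and eval calls as medium, so the gate fails the build; re-running the gate with only the medium findings would let it through, which is the tuning knob teams use to ship while a remediation backlog is worked down.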
Listen on mdcpodcast.com · Watch on YouTube
Want help applying this to your own device program?
Blue Goat Cyber is a specialist medical device cybersecurity firm: 250+ FDA submissions, zero rejections. If anything in this conversation hit close to home, book a 30-minute strategy session - no cost, no obligation.
