
    Designing Secure Medical Device Software with Randy Horton | Ep. 45

    Christian Espinosa, Founder & CEO

    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Published November 2025 · Last reviewed May 2026

    The Med Device Cyber Podcast · with Randy Horton · November 30, 2025

    This episode of The Med Device Cyber Podcast features Randy Horton of Orthogonal, a company specializing in software as a medical device (SaMD) development. The discussion emphasizes the critical need for integrating cybersecurity into the entire software development lifecycle - a "dev-sec-ops" approach - rather than treating it as a post-development add-on. Horton, along with hosts Christian and Trevor, advocates for viewing cybersecurity as an inherent aspect of quality software, arguing that well-built modern software fundamentally enhances medical device safety and effectiveness.

    The conversation highlights the stark contrast between the traditional, physically constrained engineering mindset of medical device development and the flexible, malleable nature of software. They address the challenges of shifting from a "move fast and break things" Silicon Valley mentality to the "move faster and break nothing" imperative of SaMD, where human lives are at stake.

    The episode also delves into the difficulties associated with implementing update mechanisms in medical devices, despite FDA guidance recommending this capability for in-field security patches. They underscore the importance of ongoing monitoring and patching, not just for regulatory compliance but as a competitive advantage for "born digital" MedTech companies.

    The discussion touches on significant incidents, such as the UK NHS ransomware attack that resulted in fatalities, and the Illumina case, which underscore the severe consequences of neglecting cybersecurity. The episode concludes by stressing that while progress is being made, the challenge is continuous, requiring increased awareness and a proactive, risk-based approach to secure software development.

    Key Takeaways

    • Cybersecurity must be integrated into the software development lifecycle from the outset, adopting a "dev-sec-ops" approach rather than being an afterthought.
    • Quality software inherently includes cybersecurity; a medical device that can be hacked and harm a patient is not a quality product.
    • The traditional medical device engineering mindset, focused on physical constraints, struggles to adapt to the digital malleability of software, leading to cybersecurity challenges.
    • Implementing robust update mechanisms in medical devices, as recommended by the FDA, is crucial for deploying security patches and receiving ongoing improvements, despite resistance from some manufacturers.
    • Real-world incidents, such as ransomware attacks and legal actions against companies for cybersecurity failures, demonstrate the severe human and financial consequences of neglecting medical device cybersecurity.
    • While regulatory compliance is a baseline, market competitiveness from "born digital" MedTech companies will increasingly drive the adoption of secure and continuously updated software.
    • Cybersecurity in medical devices is not merely a regulatory burden but a fundamental component of product quality that is essential for patient safety and organizational integrity.
    • Embracing uncertainty and managing risk around the inherent digital flexibility of modern medical devices is crucial, rather than clinging to the outdated notion of fully locking down devices post-release.

    Listen on mdcpodcast.com · Watch on YouTube
