Blue Goat Cyber: Medical Device Cybersecurity

    Early Design Decisions that Shape Medical Device Success with Chris Danek, CEO of Bessel | Ep. 63

    Christian Espinosa, Founder & CEO

    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Published April 2026 · Last reviewed May 2026

    The Med Device Cyber Podcast · with Chris Danek · April 1, 2026

    In this episode of The Med Device Cyber Podcast, hosts Christian and Trevor welcome Chris Danek, CEO of Bessel, to delve into the critical importance of early design decisions in shaping the success and cybersecurity of medical devices. The discussion emphasizes that robust cybersecurity is not merely about data protection but fundamentally about patient safety, citing examples of severe harm that could result from compromised devices. The conversation highlights common misconceptions, such as the belief that all software developers inherently understand cybersecurity or that devices without obvious external connections are immune to cyber threats.

    A key takeaway is the necessity of integrating cybersecurity considerations from a product's inception, including hardware choices like microcontrollers, and the meticulous vetting of third-party software components through the creation of a Software Bill of Materials (SBOM). The episode stresses the iterative nature of cybersecurity throughout the total product lifecycle, rather than as a one-time assessment, and introduces threat modeling as an essential early-stage activity. The experts also touch upon the nuances of FDA expectations, particularly concerning vulnerabilities like self-signed certificates, and the distinction between traditional IT cybersecurity and the highly regulated medical device cybersecurity landscape.

    Key Takeaways

    • Cybersecurity in medical devices is primarily driven by patient safety, not just data protection, due to the potential for severe physical harm from compromised devices.
    • Lack of preparedness regarding the extensive scope of cybersecurity, particularly concerning third-party software components and hardware choices, can lead to significant delays and product setbacks.
    • The FDA explicitly disallows the use of probability for cybersecurity risk assessments, instead focusing on the criteria that must be true for an exploit to occur.
    • Early and continuous engagement with cybersecurity experts, including threat modeling from the idea stage, is crucial for making sound design decisions and avoiding costly delays.
    • The misconception that all software developers are cybersecurity experts is dangerous; specialized cybersecurity expertise is necessary due to differing skill sets and the evolving threat landscape.
    • Cybersecurity must be integrated throughout the entire total product lifecycle of a medical device, from initial design requirements to end-of-life considerations, rather than being treated as a one-time study.
    • In the context of FDA submissions, be aware of specific vulnerabilities like self-signed certificates that, while often overlooked in traditional IT security, are a significant concern for regulators due to data privacy and encryption implications.

    Listen on mdcpodcast.com · Watch on YouTube



    Want help applying this to your own device program?

    Blue Goat Cyber is a specialist medical device cybersecurity firm: 250+ FDA submissions, zero rejections. If anything in this conversation hit close to home, book a 30-minute strategy session - no cost, no obligation.


    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.
