
    Medical Device Startups and Cybersecurity Challenges with Suzy Engwall | Ep. 39


    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Published September 2025 · Last reviewed May 2026

    The Med Device Cyber Podcast · with Suzy Engwall · September 30, 2025

    This episode of The Med Device Cyber Podcast features Suzy Engwall of Health Tech Strategies, who shares insights on the challenges faced by medical device startups, particularly concerning cybersecurity. Engwall, with her two decades of experience in healthcare innovation, highlights that while funding and market fit are primary concerns for startups, cybersecurity often gets overlooked until compliance becomes a hurdle for FDA approval. The discussion emphasizes the increasing scrutiny from hospitals regarding device security, often exceeding FDA requirements, especially for legacy devices.

    The conversation also delves into the complexities of product adoption in healthcare, including market nuances, internal politics, and the evolving role of AI in clinical decision-making. The guests debate shared liability in AI-driven diagnostics and the patient's awareness of AI use, underlining the critical need for early cybersecurity integration in product development, a risk-based approach to device security (especially for Class II and III devices), and clear communication of risks to all stakeholders, including patients. Engwall advises startups to engage with the FDA early to understand regulatory pathways and potential future claims. The episode underscores the never-ending cat-and-mouse game of cybersecurity and the importance of anticipating threats from the initial idea stage.

    Key Takeaways

    • Medical device startups often deprioritize cybersecurity, focusing instead on funding and market fit, leading to potential roadblocks during FDA approval.
    • Hospitals are increasingly implementing stringent cybersecurity requirements that often surpass FDA mandates, making it difficult for even recently developed devices to gain adoption if security was not baked in from the start.
    • The integration of AI in healthcare introduces complex questions of liability and accountability for diagnostic decisions, with a current industry trend toward labeling AI tools as 'clinical decision support' rather than 'diagnosis' to mitigate liability.
    • A risk-based approach is crucial for medical device cybersecurity, differentiating needs based on potential patient harm (e.g., Class I vs. Class II/III devices) rather than solely on data privacy or technical vulnerabilities.
    • Patients generally lack awareness and engagement regarding the cybersecurity risks of medical devices, often trusting their physicians without asking critical questions about the technology being used.
    • Startups should engage with the FDA early in the development cycle to understand regulatory requirements, especially concerning product claims and future iterations, to avoid compliance issues later on.

    Listen on mdcpodcast.com · Watch on YouTube
