
    Shared Responsibility in Medical Device Cybersecurity with Greg Garcia | Ep. 28

    Christian Espinosa, Founder & CEO

    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Published July 2025 · Last reviewed May 2026

    The Med Device Cyber Podcast · with Greg Garcia · July 31, 2025

    This episode of The Med Device Cyber Podcast features Greg Garcia from the Health Sector Coordinating Council (HSCC), discussing the critical issue of shared responsibility in medical device cybersecurity. Garcia, with a background spanning the Department of Homeland Security and financial services, highlights the HSCC Cyber Security Working Group's efforts to foster collaboration between medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs). A central theme is moving past blame to develop unified strategies for medical device security.

    Garcia emphasizes the "secure by design" and "secure by default" principles, crucial for total lifecycle product security. He touches upon the challenge of legacy devices, the 2023 FDA guidance changes, and the economic pressures faced by resource-constrained healthcare providers. The discussion also covers the importance of shifting cybersecurity from a cost center to an integral part of patient safety, the limitations of current regulations for all healthcare-connected technologies, and the need for a unified approach to achieve regulatory and patient confidence in a secure medical ecosystem.

    Key initiatives like the Joint Security Plan (JSP) and Managing Legacy Technology Security (MALTS) are presented as vital, free resources developed by the industry for the industry.

    Key Takeaways

    • Cybersecurity is a shared responsibility across all stakeholders in the healthcare ecosystem, from medical device manufacturers to healthcare delivery organizations and IT companies.
    • The "secure by design" and "secure by default" principles are essential for establishing total lifecycle product security in medical devices.
    • Addressing legacy medical devices that are no longer supported requires collaborative strategies for maintaining security and planning for risk transfer.
    • The industry needs to shift its perception of cybersecurity from a costly burden to an indispensable component of patient safety.
    • Adopting industry-developed resources like the Joint Security Plan (JSP) and Managing Legacy Technology Security (MALTS) can significantly enhance cybersecurity posture.
    • Future regulation may need to expand beyond medical devices to encompass all technology systems critical to healthcare delivery, mirroring the rigor applied to critical infrastructure.
    • The Health Sector Coordinating Council (HSCC) offers free, collaboratively developed best practices and encourages participation to strengthen healthcare cybersecurity collectively.

    Listen on mdcpodcast.com · Watch on YouTube



    Want help applying this to your own device program?

    Blue Goat Cyber is a specialist medical device cybersecurity firm: 250+ FDA submissions, zero rejections. If anything in this conversation hit close to home, book a 30-minute strategy session - no cost, no obligation.


    Related services

    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.
