    Podcast · Episode 28

    Shared Responsibility in Medical Device Cybersecurity with Greg Garcia

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Last reviewed: May 1, 2026

    How can shared responsibility models improve healthcare cybersecurity?

    In this episode, Greg Garcia joins Christian and Trevor to break down the evolving landscape of medical device cybersecurity from a national policy perspective. Together, they discuss the legacy device challenge, shared accountability, and how sector-wide collaboration is critical to progress. The episode drives home the message that cybersecurity is not just technical - it’s foundational to patient safety and innovation.

    Greg Garcia is one of the people shaping the future of critical infrastructure cybersecurity - and he’s got the track record to back it up. As executive director of the Health Sector Coordinating Council Cybersecurity Working Group, he’s all about connecting the dots between policy, industry, and patient safety.

    Key points:

    (1:30) Cyber in Critical Infrastructure

    • Greg’s career path from Homeland Security to health sector leadership.

    • The Health Sector Coordinating Council’s mission.

    (10:35) The Legacy Device Dilemma

    • Medical device cybersecurity suffers from finger-pointing between healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs).

    • Managing unsupported devices and contractual accountability.

    (18:05) Budget Gaps and Cultural Challenges

    • Rural hospitals and underfunded providers struggle to keep up with cybersecurity expectations.

    • The case for regulatory mandates to level the playing field.

    (31:47) Regulation, Risk, and Big Ideas

    • The idea of Authorization to Operate (ATO) for health tech.

    • Comparisons to Department of Defense (DoD) and FedRAMP models are raised as a vision for healthcare.

    (40:12) Culture Over Compliance

    • Why data shows low medical device exploitation - but that’s no reason to relax.

    • How to make “secure by default” a reality.
