What is medical device cybersecurity?

Medical device cybersecurity is the discipline of designing, validating, and maintaining medical devices so they resist, detect, and recover from cyber threats - protecting patient safety, device performance, and the data they generate. In practice it spans threat modeling, secure architecture and coding, SBOM and supply-chain hygiene, verification testing (static analysis, fuzzing, penetration testing), regulatory documentation, and postmarket vulnerability management. Unlike enterprise IT security, decisions are bounded by clinical workflow, hardware lifetimes that often exceed a decade, and the FDA's expectation that security controls are traceable to safety risk.

What does the FDA require for premarket cybersecurity submissions?

Under FDA Section 524B and the 2025 final guidance, premarket submissions for cyber devices must include a Secure Product Development Framework (SPDF), threat model, cybersecurity risk assessment, SBOM with vulnerability assessment, security testing (including pen test), labeling, and a postmarket cybersecurity management plan. The FDA can refuse to accept (RTA) submissions that omit these.

What is an SBOM and why does the FDA require one?

An SBOM (Software Bill of Materials) is a machine-readable inventory of every software component in a device - proprietary, open-source, and commercial. The FDA requires an SBOM in CycloneDX or SPDX format so reviewers and operators can monitor for new vulnerabilities affecting any component over the device's life.

How is threat modeling different from a risk assessment?

A cybersecurity risk assessment quantifies the probability and impact of identified risks. Threat modeling is the upstream activity that systematically discovers those risks - mapping data flows, identifying threat actors and attack vectors (often via STRIDE), and proposing mitigations. The FDA expects both, with the threat model driving the risk assessment.

Who should listen to The Med Device Cyber Podcast?

MedTech founders, regulatory affairs leaders, quality and product security engineers, software/firmware developers, clinical IT teams, and anyone navigating FDA, EU MDR/IVDR, or international cybersecurity expectations for connected medical devices.

How often are new episodes released?

New episodes drop weekly. Subscribe on YouTube, Apple Podcasts, Spotify, or via RSS so you don't miss a release.

What is the FDA 524B eSTAR template?

Section 524B of the FD&C Act made cybersecurity a statutory requirement for cyber devices. The eSTAR template is the FDA's interactive PDF that walks submitters through every required cybersecurity artifact - from the SPDF and threat model to the SBOM and postmarket plan - before the submission is accepted for review.

What is the difference between 510(k), De Novo, and PMA cybersecurity expectations?

The same 524B cybersecurity artifacts apply across pathways, but rigor scales with risk class. Class II 510(k) submissions need a documented SPDF, threat model, SBOM, and security testing. De Novo submissions add justification for novel mitigations. PMA submissions for Class III devices typically demand deeper architectural review, more comprehensive penetration testing, and stronger postmarket commitments.

Do I need penetration testing for my FDA submission?

Yes for any cyber device. The FDA expects independent penetration testing covering the device, its wireless/network interfaces, mobile apps, cloud back ends, and supply chain. The report should be reproducible, traceable to the threat model, and accompanied by remediation evidence.

What standards apply to medical device cybersecurity?

Core standards include AAMI TIR57 and TIR97 (cybersecurity risk and postmarket management), IEC 81001-5-1 (security activities for the product life cycle), ISO 14971 (risk management), IEC 62304 (software life cycle), and the ANSI/UL 2900 series. The FDA references most of these in its premarket and postmarket guidance.

What is a Secure Product Development Framework (SPDF)?

An SPDF is a documented set of processes that integrate security activities into every phase of the product life cycle - requirements, design, implementation, verification, release, and postmarket. The FDA expects manufacturers to demonstrate an SPDF in premarket submissions.

How does postmarket cybersecurity management work?

Postmarket cybersecurity management includes monitoring SBOM components for new vulnerabilities, running a coordinated vulnerability disclosure (CVD) program, deploying validated patches, communicating with operators, and reporting to the FDA when patient harm is plausible. Section 524B made the postmarket plan a premarket gate.

What is coordinated vulnerability disclosure (CVD)?

CVD is a published process that lets independent researchers report vulnerabilities to the manufacturer privately, gives the manufacturer time to remediate, and then coordinates public disclosure. The FDA strongly recommends a CVD program for every cyber device, aligned with ISO/IEC 29147 and 30111.

How does AI/ML change medical device cybersecurity?

AI/ML adds new attack surface (model theft, adversarial inputs, training-data poisoning) and new failure modes (drift, hallucination). The FDA's predetermined change control plan (PCCP) framework and the 2024 AI/ML guidance require manufacturers to bake security and integrity controls into the model life cycle, not just the software around it.

What is IEC 62304 and how does it relate to cybersecurity?

IEC 62304 defines the medical device software life cycle. Amendment 1 explicitly requires cybersecurity activities - risk analysis, secure design, vulnerability management - across software safety classes A, B, and C. Compliance is a foundation that the FDA, EU MDR, and international regulators all build on.

What is IEC 62304 and how does it relate to cybersecurity?

IEC 62304 defines the medical device software life cycle. Amendment 1 explicitly requires cybersecurity activities - risk analysis, secure design, vulnerability management - across software safety classes A, B, and C. Compliance is a foundation that the FDA, EU MDR, and international regulators all build on. In practice we map 62304 deliverables (software development plan, architecture, unit/integration/system testing, problem resolution) directly into the SPDF so a single set of artifacts satisfies both the safety and security reviewers.

How do EU MDR and IVDR cybersecurity requirements compare to the FDA?

EU MDR Annex I (sections 17.2 and 17.4) and IVDR Annex I (16.4) require manufacturers to set minimum requirements for IT environment, hardware, networks, and security controls - operationalized through MDCG 2019-16. The expected artifacts (threat model, risk assessment, SBOM, verification, postmarket surveillance) overlap heavily with FDA Section 524B, but EU notified bodies emphasize state-of-the-art justification, residual risk acceptance, and integration with the broader QMS under ISO 13485.

How do NIS2, the EU Cyber Resilience Act, and HIPAA affect medical device makers?

NIS2 raises baseline security and incident-reporting duties for essential and important entities, including many MedTech manufacturers and the hospitals that deploy their devices. The Cyber Resilience Act adds product-level security requirements and vulnerability handling for any product with digital elements sold in the EU. In the U.S., HIPAA governs PHI handled by the device or its cloud back end. Together they create overlapping reporting clocks (24/72 hours, 60 days) that need to be wired into your incident response plan, not just legal review.

How do we secure legacy medical devices that can't be redesigned?

Legacy devices rarely tolerate firmware changes, so security shifts to compensating controls: network segmentation and zero-trust microsegmentation, allowlisting at hospital boundaries, MDS2 disclosures so operators understand the risk, monitored remote access, and a clear end-of-support communication plan. The FDA still expects a coordinated vulnerability disclosure program and timely patches when feasible, even for devices designed before 524B existed.

What goes into securing cloud and mobile components of a connected device?

Cloud back ends and companion mobile apps are in scope for FDA cybersecurity review whenever they affect device safety or essential performance. Expect threat modeling of trust boundaries, hardened tenancy and IAM, encrypted transport and storage, secrets management, signed firmware/OTA pipelines, runtime monitoring, and penetration testing of the API surface and mobile binary. The SBOM should cover container images and mobile dependencies, not just the device firmware.

How do we respond to an FDA cybersecurity deficiency letter?

Deficiency letters typically cite a missing or thin SPDF, threat model gaps, weak SBOM analysis, or insufficient postmarket plans. The fastest path to clearance is a structured response: map each deficiency to a remediation, regenerate the affected artifact (not a one-paragraph justification), update the threat model and risk assessment for traceability, and resubmit with a change log the reviewer can follow. Blue Goat Cyber regularly turns these around in days rather than weeks.

How long does cybersecurity work add to an FDA submission timeline?

When security is built in from design, the cybersecurity package typically adds 4–8 weeks of effort in parallel with other submission work. Bolted on at the end, it can extend timelines by 3–6 months because threat models, SBOMs, and pen tests often surface design changes. Listening to the podcast and engaging early - ideally at requirements or architecture - is the single biggest lever on schedule.

Can I submit guest topics or be a guest on the podcast?

Yes. Use the guest pitch form at the bottom of the podcast page. We prioritize practitioners with first-hand stories - submission wins and rejections, vulnerability disclosure experiences, hospital integration lessons, AI/ML rollouts - over vendor pitches. Episodes are recorded remotely and run roughly 30–45 minutes.

Where can I get help applying what I hear on the podcast?

Blue Goat Cyber's team supports MedTech manufacturers across the full life cycle - premarket submissions, threat modeling, penetration testing, SBOM and supply-chain monitoring, postmarket vulnerability management, and rapid response to FDA cybersecurity deficiency letters. Book a discovery session from the podcast page or the contact form, and we'll scope the right engagement for where you are in the product life cycle.

Podcast

Reinventing Cybersecurity - candid conversations on connected security.

Conversations with security leaders, founders, and operators on how to actually build secure connected products - without slowing the business down.

Listen on mdcpodcast.com Browse episodes

Latest episode

Episode 70 · with Zoltan Kevei

Why MedTech Needs Specialists with Zoltan Kevei and Saby Toth of Bishop & Co

In this episode of the Med Device Cyber Podcast, host Christian Espinosa is joined by Zoltan Kevei, Founder and CEO, and Szabolcs Tóth, a Regulatory and Quality Expert, from Bishop & Co., a Hungarian software and regulatory consultancy specializing in the MedTech industry. The discussion revolves around the complex and

Listen

Episode library

All episodes

68 episodes · Hosted by Christian Espinosa

Search episodes and transcripts

Searches episode titles, guests, summaries, and full show notes.

Episode 69

Science Before Hype in MedTech Investing with Varun Turlapati of Chaanakya Capital

With Varun Turlapati

In this episode of the MedDevice Cyber podcast, host Christian Espinosa welcomes Varun Turlapati, Managing Director of Chaanakya Capital, an early-stage venture capital firm specializing in Neurotech and MedTech. Varun, whose background is in software engineering, explains that his firm focuses on pre-seed to Series A

Episode 68

Why MedTech Needs More Than Approval with Michael Branagan Harris of HealthTech Strategies Limited

With Michael Branagan Harris

A device can clear regulatory hurdles and still struggle commercially if the evidence is too narrow. MedTech companies need proof that speaks to affordability, care quality, operational impact, and long term value, not just technical performance.

Episode 67

De-Risking Product Decisions in MedTech Startups with Brent Lavin of Ironwood MedTech Partners

With Brent Lavin

Product decisions made during early development determine commercialization outcomes years later. Wrong choices about regulatory pathways, feature sets, and market segments create compounding problems limiting commercial success.

Episode 66

Vibe Coding Security Risks & Malicious Injection with Jake Rodriguez of Triangle Tech

With Jake Rodriguez

In this episode of the Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by special guest Jake Rodriguez, CEO and Founder of Triangle Tech. Jake shares his unconventional journey from a pre-pharmacy track at Virginia Commonwealth University to becoming a B2B marketing entrepreneur specia

Episode 65

Who Owns Patient Data Security in Trials with Rob Bedford, CEO of Franklyn Health

With Rob Bedford

This episode of the MedDevice Cyber podcast, hosted by Christian Espinosa and Trevor Slattery of Blue Goat Cyber, features a detailed discussion with Rob Bedford, the co-founder and CEO of Franklyn Health, a Contract Research Organization (CRO) specializing in serving the medical technology (MedTech) sector. Rob Bedfor

Episode 64

Start QMS Early to Avoid Reverse Documentation with Dr. Basant Bajpai

With Dr. Basant Bajpai

In this episode of the Med Device Cyber Podcast, host Trevor Slattery is joined by special guest Dr. Basant Bajpai, the CEO of Compliance MedQRA, a regulatory consulting firm based in Dubai that also offers an automated Quality Management System (QMS). Dr. Bajpai, who holds a PhD in neuromonitoring and neurosciences, d

Episode 62

AI in Healthcare: Why Humans Still Matter with Brandon Fertig, Senior Manager at Philips

With Brandon Fertig

In this episode of the MedDevice Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by Brandon Fertig, Senior Manager at Philips, to discuss the intersection of military experience, healthcare cybersecurity, and the evolving role of artificial intelligence. Brandon shares his unique career trajector

Episode 63

Early Design Decisions that Shape Medical Device Success with Chris Danek, CEO of Bessel

With Chris Danek

Early design decisions define the trajectory of a medical device long before commercialization begins. Choices related to software architecture, third-party components, and system connectivity establish both the opportunity and the risk profile of the product.

Episode 61

How to Design Devices That Integrate Into Clinical Workflow Without Disruption

With

In this episode of the Med Device Cyber podcast, hosts Christian Espinosa and Trevor Slattery are joined by Professor Aamer Ahmed, a practicing cardiac anesthesiologist and co-founder of the MedTech company Hemeo. The discussion centers on the critical role of clinical expertise in medical device innovation and the par

Episode 58

The Hidden Cybersecurity Risks When Doctors Use AI Diagnostics

With

In this episode of the Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by special guest Jun Xiang Tan, the owner of TuringLabs, who is currently working with a health-tech startup in Singapore. Jun Xiang brings a unique perspective, with a background in military cybersecurity and netwo

Episode 60

How to Move Stakeholders from Awareness to Sustained Adoption Without Friction

With MedTech leader

Marketing medical devices requires understanding that stakeholders are different, buying processes are longer, and friction points are more complex than consumer products or software.

Episode 59

Prevention Is Better Than Cure: Applying Medical Principles to MedTech Cybersecurity

With MedTech leader

Medical device risk assessments are failing patients, not because the process is too hard, but because nobody doing the assessment has ever been in the room where the device actually gets used.

Episode 56

What 15 Years In MedTech Taught This CEO About Cybersecurity with Marc Zemel

With Marc Zemel

In this episode of the Med Device Cyber podcast, hosts Trevor Slattery and Christian Espinosa welcome Marc Zemel, the CEO of Retia Medical, to discuss the critical intersection of medical device innovation and cybersecurity, especially from the perspective of a MedTech startup. The conversation centers on the journey o

Episode 55

The Hidden Reason Medtech Products Get Recalled (It's Not Quality Issues) with William Jin

With William Jin

In this episode of the Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by special guest William Jin, a seasoned expert with over 30 years of experience in the medical technology industry. With a background as a medical doctor in Shanghai and extensive work with major companies like Med

Episode 57

From Idea to FDA Clearance: What Nobody Tells MedTech Founders with Darcy Bachert

With Darcy Bachert

Building medical device software is hard. Building it the right way is harder. And getting it through FDA approval while managing cybersecurity requirements? That's what Darcy Bachert has been doing for 17 years.

Episode 54

Why MedTech is the Future of Entrepreneurship with Omar Khateeb

With Omar Khateeb

In this episode of the Med Device Cyber podcast, hosts Christian Espinosa and Trevor Slattery are joined by Omar M. Khateeb, host of the State of MedTech podcast. With a background that spans medical school, surgical robotics, and marketing, and having produced over 300 podcast episodes interviewing key figures in the

Episode 52

Medical Device Cyber Failures Become Fatal

With

In this episode of the Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa of Blue Goat Cyber delve into the serious and often life-threatening consequences of medical device cybersecurity vulnerabilities. They move beyond theoretical risks to discuss documented incidents where software flaws and sec

Episode 53

Untangling Software Composition Analysis for MedTech Teams

With MedTech leader

Why does software composition analysis matter beyond regulatory compliance? This episode explores SCA (Software Composition Analysis) and explains how SBOMs (Software Bill of Materials), SOUP (Software of Unknown Provenance), and related tooling fit into the broader medical devic

Episode 51

Trevor Slattery Answers Tough Medical Device Cyber Questions

With MedTech leader

This episode puts Trevor in the hot seat. If you were put in the hot seat, could you clearly explain cybersecurity, safety, and lifecycle terms like Trevor?

Episode 50

The Differences Between Black, Gray, and White Penetration Testing

With

In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery from Blue Goat Cyber delve into the critical topic of penetration testing for medical devices. The discussion centers on clarifying the distinctions between the three primary methodologies: black box, gray box, and white box t

Episode 47

What Is Required for an FDA Premarket Cyber Submission?

With

In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa, Founder, and Trevor Slattery, CTO of Blue Goat Cyber, provide a detailed breakdown of the requirements for an FDA cybersecurity premarket submission. The central focus is on clarifying a common area of confusion: the 18 specific deliverables req

Episode 49

How Cybersecurity Shapes Regulatory and Quality Success with Jim Goodmiller

With Jim Goodmiller

What risks do you take when cybersecurity is left off your development roadmap? In this episode, Christian, Trevor and guest Jim Goodmiller explore how cybersecurity intersects with regulatory expectations and quality systems, creating new challenges and opportunities for MedTech

Episode 46

How Market Intelligence Shapes MedTech Growth with Kevin Saem

With Kevin Saem

In the MedTech space, how can you leverage market intelligence and machine learning for business development and sales enablement? In this episode, Christian and Trevor talk with Kevin Saem about how market intelligence and cybersecurity intersect in the MedTech space.

Episode 42

What Is A Medical Cyber Device?

With

In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery from Blue Goat Cyber tackle a common and critical question in the medical technology industry: What constitutes a 'cyber device'? They address the widespread confusion among manufacturers who often mistakenly believe their pro

Episode 45

Designing Secure Medical Device Software with Randy Horton

With Randy Horton

In medical device software development, why should cybersecurity be viewed as an element of product quality, not an add-on? In this episode, Christian and Trevor speak with Randy Horton of Orthogonal about the future of medical device software development.

Episode 44

Cyber Risk Management for MedTech Legacy Devices

With MedTech leader

What options do MedTech manufacturers have to bring older devices up to modern cybersecurity standards? Also, how does the FDA’s latest guidance change the process for updating legacy devices?

Episode 41

5 Most Common Misconceptions of Medical Device Security

With MedTech leader

In this episode, Christian and Trevor unpack the five most common misconceptions that put medical device manufacturers at risk.

Episode 40

What Happens When AI in Medical Devices Make Mistakes?

With MedTech leader

MedTech manufacturers and developers, what happens if your AI-powered medical device makes a terrible, life-threatening mistake? This episode explores what happens when artificial intelligence in medical devices goes wrong.

Episode 39

Medical Device Startups and Cybersecurity Challenges with Suzy Engwall

With Suzy Engwall

What are some of the greatest challenges medical device startups face when bringing their products to market? This episode features Suzy Engwall, a healthcare innovation consultant with experience mentoring startups and guiding hospitals.

Episode 38

Top 10 Medical Device Vulnerabilities with Myles Kellerman

With Myles Kellerman

How safe are the medical devices I rely on, and what are the biggest cybersecurity risks I should know about?

Episode 37

Overcoming AI and Data Security Challenges in MedTech with May Lee

With May Lee

How can you prepare your device for future quantum computing risks? In this episode of The Med Device Cyber Podcast, Christian and Trevor talk with May Lee of CS Life Sciences about the fast-changing world of medical device cybersecurity.

Episode 36

When Medical Device Cybersecurity Becomes a Crime

With

This episode of The Med Device Cyber Podcast discusses a significant shift in the consequences of cybersecurity flaws in medical devices, moving beyond simple data breaches to legal prosecution. The hosts, Christian Espinosa and Trevor Slattery, center their conversation on a recent enforcement action by the U.S. Depar

Episode 35

Balancing Innovation and Regulation in MedTech Development with Karandeep Singh Badwal

With Karandeep Singh Badwal

How can MedTech innovators balance speed with compliance in medical devices? In this episode, Christian and Trevor sit down with Karandeep Singh Badwal about the challenges of balancing innovation with quality and regulatory compliance in medical devices, especially with the rise

Episode 34

Integrating Project Management to Strengthen Cybersecurity Outcomes with Steve Curry

With Steve Curry

What project management mistakes can med tech innovators avoid? What methods and tools can help med tech companies manage projects?

Episode 33

Vulnerability, Penetration & Other Cybersecurity Testing Types Explained

With MedTech leader

Which cybersecurity tests are the most crucial, and which ones does the FDA require for medical device approval? In this episode, Christian and Trevor break down the many types of cybersecurity testing required for medical devices.

Episode 30

FDA Cybersecurity Gets Real with Monica Montañez of NAMSA

With Monica Monta

In this episode of the Med Device Cyber Podcast, host Christian Espinosa and co-host Trevor Slattery are joined by Monica Montanez from NAMSA (North American Scientific Associates) to discuss the evolving landscape of medical device cybersecurity. The conversation centers on the significant changes manufacturers face f

Episode 31

Understanding Cybersecurity Measures and Metrics for Medical Devices

With MedTech leader

How do measures and metrics differ, and why is this distinction crucial for FDA submissions? In this episode, Christian and Trevor demystify the difference between cybersecurity measures and metrics in the context of FDA guidance.

Episode 29

What the FDA Wants in Security Architecture Views for Devices

With MedTech leader

What are the four security architecture views that the FDA prioritizes, and how do they impact your device's design? This episode explores the FDA-defined security architecture views essential for medical device cybersecurity.

Episode 28

Shared Responsibility in Medical Device Cybersecurity with Greg Garcia

With Greg Garcia

How can shared responsibility models improve healthcare cybersecurity? In this episode, Greg Garcia joins Christian and Trevor to break down the evolving landscape of medical device cybersecurity from a national policy perspective.

Episode 27

Total Product Lifecycle Security: From Design to Disposal

With MedTech leader

How well does your security strategy cover the entire product lifespan - from concept to decommissioning? This episode dives into the importance of the Total Product Lifecycle (TPLC) and Secure Product Development Framework (SPDF) in medical device cybersecurity.

Episode 26

Why Cybersecurity and Quality Are One and the Same

With MedTech leader

How can medical device startups avoid missteps in cybersecurity, quality, and compliance? In this episode, Trevor Slattery speaks with Ashkon Rasooli about the intersection of quality systems and cybersecurity in medical devices.

Episode 25

Cybersecurity Labeling and MedTech Transparency

With MedTech leader

Why is cybersecurity labeling more than just a compliance checkbox for medical device companies? In this episode, Christian and Trevor dive into the nuanced world of cybersecurity labeling for medical devices.

Episode 24

From Concept to Compliance: A Guide to Med Device Approval

With MedTech leader

Med device manufacturers, are you setting up your quality system early enough in product development? Also, are you misunderstanding the FDA’s "guidance" documents - and risking rejection?

Episode 23

Unpacking Post-Market Management and Incident Response for Medical Devices

With MedTech leader

What should you do when a vulnerability is discovered in a medical device after it's already on the market? This dives into post-market management and incident response for medical devices, exploring what happens when a device is hacked or a vulnerability is reported.

Episode 22

AI in Medical Devices: Opportunities & Regulation with Matt Lemay

With Matt Lemay

What does responsible AI implementation look like in medical devices? This episode explores the intersection of AI, cybersecurity, and medical device regulation with guest Matt Lemay, CEO of Lemay.ai.

Episode 21

Essential Software Documentation for Med Device Manufacturers

With MedTech leader

What documents should engineers prepare to get ready for submitting a medical device to the FDA? In this episode, Christian and Trevor dig into the underestimated role software documentation plays in cybersecurity, especially in the medical device space.

Episode 20

The Human Factor in MedTech Design with Dylan Horvath

With Dylan Horvath

How can human-centered design influence medical device cybersecurity? In this episode, Christian Espinosa chats with Dylan Horvath of Cortex Design about the powerful intersection of human-centered design and medical device cybersecurity.

Episode 17

Cybersecurity Challenges & Trends in US MedTech with Paul-Lukas Hoffschmidt

With Paul-Lukas Hoffschmidt

In this episode of The Med Device Cyber Podcast, host Christian Espinosa and co-host Trevor Slattery are joined by Paul-Lukas Hoffschmidt of Alpha Sophia. Paul's company provides a commercial intelligence platform designed to help medical device, digital health, and life sciences companies successfully launch their pro

Episode 10

How Trump & RFK Jr Affect AI and Medical Device Cybersecurity Guidelines

With

In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery from Blue Goat Cyber delve into the potential impacts of a new Trump administration, along with the influence of figures like Robert F. Kennedy Jr., on the medical device and MedTech cybersecurity landscape. The conversation b

Episode 1

The Med Device Cyber Podcast TRAILER

With

Listen on mdcpodcast.com · Watch on YouTube

Episode 19

Data Protection in Medical Devices: A Deep Dive with Kevin Derr

With Kevin Derr

How can medical device companies own their data without compromising security? In this episode, Kevin Derr from NeuronSphere joins Christian and Trevor to dive into the intersection of cybersecurity, compliance, and innovation in the MedTech world.

Episode 18

Early Cyber Strategies for MedTech Trailblazers

With MedTech leader

What are some strategies founders can use to incorporate cybersecurity into the early stages of developing a MedTech product? In this episode, Christian and Trevor break down the critical role of cybersecurity in early-stage MedTech startups.

Episode 16

Collaboration is Key: Bridging the Gap Between Developers and Cybersecurity Experts

With MedTech leader

What are some of the biggest barriers to effective collaboration between coders and cyber experts, and how can they be overcome? This episode explores the essential components of successful collaboration and teamwork.

Episode 15

Commercialize Your MedTech with Craig T Ingram

With Craig T Ingram

What are the 10 essential components of a successful commercialization plan in the MedTech industry, and why are they often overlooked? This episode explores the critical role of commercialization in the MedTech industry.

Episode 14

The Growing Importance of Interoperability and Third-Party Component Security

With MedTech leader

Why is interoperability increasing cybersecurity risks in healthcare, and what can we do about it? Interoperability is making healthcare more efficient but also more vulnerable to cyber threats.

Episode 13

SBOMs Unpacked: Myths, Risks, & Benefits with Cortez Frazier Jr.

With Cortez Frazier Jr.

Why are Software Bill of Materials (SBOMs) critical for medical device security? In this episode, Cortez Frazier Jr. joins Christian and Trevor to discuss SBOMs, vulnerability prioritization, and why companies should stop fearing software transparency.

Episode 12

Postmarket Surveillance and Anomaly Detection for Medical Devices

With MedTech leader

What are some of the biggest cybersecurity risks medical devices face after they hit the market? This episode dives into the challenges of postmarket surveillance for medical devices.

Episode 11

Advanced Threat Modeling in Medical Devices

With MedTech leader

What is threat modeling, how does it differ from penetration testing, and why are both necessary? This episode dives into the nuances of advanced threat modeling for medical devices.

Episode 09

FDA AI Guidance Explained: What It Means for Medical Device Cybersecurity

With MedTech leader

How does the FDA’s latest AI guidance on medical devices impact manufacturers and cybersecurity challenges in healthcare? In this episode, Christian and Trevor discuss the latest FDA AI guidance and how it will impact real-world AI applications in healthcare.

Episode 08

The Human Factor: Why Cybersecurity Awareness is Key in Medical Device Manufacturing

With MedTech leader

How does human behavior impact medical device cybersecurity? Also, why do cybersecurity awareness programs often fail to make a lasting impact? This episode dives into the human factor in medical device cybersecurity.

Episode 07

Startups, Regulations, & Risk: Insights from MedTech Guru Etienne Nichols

With MedTech leader

What are some of the key challenges MedTech companies face in balancing innovation with compliance? This episode dives into the intersection of quality management and cybersecurity in the MedTech industry.

Episode 06

The Evolution of Medical Device Cyber Threats: Past, Present, and Future

With MedTech leader

How do medical device vulnerabilities pose life-threatening risks? In this episode, Christian and Trevor again explore the fascinating and critical world of medical device cybersecurity.

Episode 05

Avoid the Dumb Tax: Cybersecurity Lessons for MedTech Startups with Steve Bell

With Steve Bell

What are the most common mistakes MedTech startups make in cybersecurity, and how can founders avoid them? In this episode, Christian Espinosa and Trevor Slattery dive into the challenges MedTech startups face with their guest, Steve Bell, a 35-year veteran of the industry.

Episode 04

Building Resilient Medical Devices: A Look at the Essential Technologies and Infrastructure

With MedTech leader

How can some of the biggest cybersecurity concerns with medical devices be addressed in the design phase?

Episode 03

Navigating the Regulatory Landscape of Medical Device Cybersecurity

With MedTech leader

What are the main categories of medical devices, and how do regulatory bodies govern them? In this episode, Christian Espinosa and Trevor Slattery unpack the complex regulatory environment surrounding medical device cybersecurity.

Episode 02

Hidden Vulnerabilities in Medical Devices: Why Cybersecurity Matters

With MedTech leader

How vulnerable are current medical devices to cyberattacks, and what are the consequences of these exploits? In this episode, Christian Espinosa and Trevor Slattery discuss the critical vulnerabilities in medical devices and the cybersecurity threats they face.

Episode 01

Cybersecurity for Medical Devices: Protecting Human Lives

With MedTech leader

How do medical device cybersecurity risks differ from traditional cybersecurity threats? In this episode, Christian Espinosa and Trevor Slattery discuss the critical importance of cybersecurity for medical devices, sharing real-life stories and insights into how device vulnerabil

About the show

What we cover

Built for regulatory and quality leaders, product security engineers, MedTech founders, and clinical IT teams who need to make sense of FDA, EU MDR/IVDR, and international cybersecurity expectations, without the marketing fluff.

FDA premarket cybersecurity (510(k), De Novo, PMA)
Section 524B and the February 2026 final guidance
Threat modeling for connected devices
SBOMs and supply chain risk
Postmarket vulnerability management and CVD
Real-world deficiency letters and how to close them

Hosted by Christian Espinosa & Trevor Slattery - practitioners running FDA submissions, threat-modeling sessions, and pen tests for real device manufacturers.

Browse by topic

Jump to what matters for your role.

Frequently asked

MedTech cybersecurity, answered.

Quick answers to the questions we hear most from product security, regulatory, and engineering teams.

From the studio to your submission

Bring this rigor to your next FDA submission.

Book a 30-minute strategy session - we'll map the lessons from the show to your actual device, timeline, and gaps.

Book a strategy session Pitch a guest

30-minute call · Fixed-fee proposal in 24-hours · No sales pressure.

Prefer video? Watch our on-demand webinars or browse written field guides.

Pitch a guest

Know someone listeners need to hear from?

We feature founders, regulatory leads, security researchers, and clinicians shipping connected medical devices. Tell us what they'd bring to the show.