Episodes

  • Webinar: Security Architecture Views: Protecting Medical Devices Through Strategic Design
    2025/10/30

    How can security architecture views strengthen a medical device manufacturer’s FDA submissions?

    This episode/webinar dives into the four critical security architecture views required by the FDA: global system, multi-patient harm, updatability and patchability, and secure use case views. Christian Espinosa and Trevor Slattery explain how each view strengthens product security while aligning with regulatory expectations. They also share practical strategies and examples, from cloud environments to physical updates, highlighting how proper documentation and foresight can mitigate real-world risks.

    Highlights:

    (01:19) Learn why the FDA requires four specific security architecture views and how they support threat modeling.

    (03:10) Understand how integrating security into architecture views reflects secure coding and DevSecOps practices.

    (04:15) Discover how global regulators beyond the FDA use similar documentation requirements.

    (07:52) Explore why global system views must include both software and hardware components as well as data flows.

    (11:02) The distinction between global system views and multi-patient harm views.

    (14:36) Common vulnerabilities like hard-coded credentials that can lead to multi-patient harm.

    (19:18) The risks of over-the-air updates versus physical updates for medical devices.


    This episode was brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com


    If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session


    Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber.


    Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/

    Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9


    Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/

    Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/

    Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/

    Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber


    Feedback? Questions? Contact: https://bluegoatcyber.com/contact/


    Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/

    Christian Espinosa on YouTube:

    42 min
  • Why AI Literacy Matters for the Future of Healthcare with José Acosta
    2025/10/28

    How can AI literacy reduce patient risk in healthcare settings?

    In this episode, Christian Espinosa and Trevor Slattery are joined by Dr. José Acosta. Together, they unpack the promise and pitfalls of artificial intelligence in healthcare—from the accuracy gap in diagnostics to the importance of ethics, alignment, and training. The conversation explores how clinicians can harness AI safely, ensuring innovation never comes at the cost of patient trust or care quality.

    Dr. José Acosta is a retired Navy trauma surgeon turned AI literacy advocate. With decades of experience in medicine and leadership, he’s now helping clinicians understand AI—from how it works to how it should be used responsibly.


    Key points:


    (00:57) José’s background as a Navy trauma surgeon and his passion for AI literacy.

    (02:53) What “AI literacy” really means.

    (05:00) Why precision matters in medicine, and why 85–95% accuracy in AI models isn’t enough when lives are on the line.

    (11:20) A chilling example of an AI therapy app that gave a fatal recommendation.

    (14:16) José predicts a surge in “ambient AI scribes” and explains how they’ll reshape physician workflows.

    (17:53) AI’s productivity paradox—how new tools can both help and overwhelm clinicians.




    Thanks to José Acosta for being on the show. Connect with José on LinkedIn: https://www.linkedin.com/in/joseacostasd/


    37 min
  • What Is A Medical Device?
    2025/10/21

    MedTech developers and manufacturers, could your medical device unknowingly qualify as a “cyber device”?

    In this episode, Christian and Trevor break down what the FDA considers a “cyber device” and why so many manufacturers misunderstand this definition. They reveal how even basic interfaces like USB, HDMI, or Bluetooth can make a device cyber-enabled—and why that matters for regulatory compliance.

    Key points:


    (00:33) What makes a medical device a “cyber device,” and why confusion persists among manufacturers.

    (02:14) How proving a device has zero vulnerabilities is nearly impossible, even with minimal code.

    (03:12) Why even a simple USB port can classify a device as “cyber.”

    (05:05) Common interfaces (Wi-Fi, Bluetooth, RFID, NFC, HDMI) that make a device cyber-enabled.

    (09:23) Implantable devices, like pacemakers, and how protocols such as MedRadio introduce hidden connectivity.

    (12:20) A real case where the FDA classified a 3D-printing system as a cyber device due to its software dependencies.

    (16:15) Practical advice on removing unnecessary ports or connectivity to avoid cyber classification.



    Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial


    The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast.


    Subscribe via Spotify: https://open.spotify.com/show/5ol62ROdF6mBfwOFqKFHmh

    Subscribe via Apple Podcasts: https://apple.co/483OJ9I

    Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/?sub_confirmation=1


    This episode was produced by Story On Media: https://www.storyon.co/

    20 min
  • 5 Most Common Misconceptions of Medical Device Security
    2025/10/14

    In this episode, Christian and Trevor unpack the five most common misconceptions that put medical device manufacturers at risk. From confusing data protection with patient safety to misunderstanding what qualifies as a cyber device, the hosts shed light on the blind spots that cause costly delays and compliance failures. They also explore how medical device cybersecurity differs fundamentally from traditional cybersecurity, emphasizing the need for specialized expertise and early integration of secure design principles.

    Key points:

    (01:18) Misconception #1: That cybersecurity is only about protecting data rather than patient safety.

    (06:04) Misconception #2: That your product isn’t a “cyber device.”

    (07:46) Misconception #3: That cybersecurity is a one-time thing to study rather than a full lifecycle process.

    (12:17) Misconception #4: That software developers inherently understand cybersecurity.

    (19:10) Misconception #5: Thinking that traditional cybersecurity and medical device cybersecurity are the same.


    26 min
  • What Happens When AI in Medical Devices Make Mistakes?
    2025/10/07

    MedTech manufacturers and developers, what happens if your AI-powered medical device makes a terrible, life-threatening mistake?

    This episode explores what happens when artificial intelligence in medical devices goes wrong. Christian Espinosa and Trevor Slattery break down the real-world consequences of AI failure, using a tragic mental health chatbot case to highlight the stakes of inadequate oversight. They also examine the EU AI Act, new MDCG guidance, and the ethical, regulatory, and cybersecurity challenges facing innovators in the high-risk medical AI space.

    Key points:

    (03:02) The EU AI Act and how it intersects with the MDR and IVDR.

    (03:55) A real case study involving a suicidal patient and an AI mental health chatbot.

    (06:07) How general-purpose AI tools differ from regulated medical AI.

    (09:57) Why threat modeling should apply to AI systems.

    (12:16) Ethical decision-making in autonomous systems using self-driving car analogies.

    (14:02) The Medical Device Coordination Group’s guidance on aligning the AI Act with EU medical device regulations.

    (17:10) Shared accountability across regulators, manufacturers, and users for AI oversight.

    (18:35) The U.S. still treats AI as a “Wild West” compared to the EU’s stricter approach.

    (22:42) Regulators aren’t asking if your AI works—they’re asking how it fails.


    25 min
  • Medical Device Startups and Cybersecurity Challenges with Suzy Engwall
    2025/09/30

    What are some of the greatest challenges medical device startups face when bringing their products to market?

    This episode features Suzy Engwall, a healthcare innovation consultant with experience mentoring startups and guiding hospitals. She joins Christian Espinosa and Trevor Slattery to discuss the hidden roadblocks medical device innovators face—from funding gaps to internal hospital politics to overlooked cybersecurity. Together they unpack the realities of FDA compliance, AI-driven decision support, and why raising cybersecurity awareness early can mean the difference between market success and failure.

    Suzy Engwall is a healthcare innovation leader who’s spent the last 20 years shaking up hospitals and mentoring startups. She runs HealthTech Strategies, where she helps founders, investors, and clinicians bridge the gap between big ideas and practical adoption.


    Key points:


    (04:38) Challenges medtech startups face include funding, go-to-market strategy, and regulatory hurdles, with cybersecurity often overlooked.

    (05:56) Why 93% of med tech startups fail.

    (08:01) How internal politics within hospitals can derail promising innovations.

    (09:32) Hospitals now scrutinize devices for cybersecurity risk beyond FDA approval, raising the bar for manufacturers.

    (12:19) Legacy devices often fail modern cybersecurity requirements, forcing redesigns and frustrating manufacturers.

    (16:43) AI in diagnostics: who’s responsible when mistakes occur?

    (23:24) Why patients rarely question medical devices.

    (31:28) Why cybersecurity is often the last thing innovators ask about—and why that mindset must change.




    Thanks to Suzy Engwall for being on the show. Connect with Suzy on LinkedIn: https://www.linkedin.com/in/sengwall


    46 min
  • Top 10 Medical Device Vulnerabilities with Myles Kellerman
    2025/09/23

    How safe are the medical devices I rely on, and what are the biggest cybersecurity risks I should know about?

    In this episode, the team goes behind the scenes of real-world medical device penetration testing to reveal the 10 most common and dangerous cybersecurity vulnerabilities found in medical devices. The discussion covers practical examples, industry standards, and actionable advice for manufacturers and healthcare organizations.


    Key points:


    (0:00) Introduction & Penetration Testing Context


    (1:29) Why Penetration Testing Matters in MedTech


    (5:50) Top 10 Medical Device Vulnerabilities:

    1. Hardcoded/Default Credentials – Default passwords, BIOS passwords, and supply chain issues.

    2. Unsecured Communication Channels – Lack of encryption, outdated standards, key management, and device constraints.

    3. Outdated/Vulnerable Third-Party Components – Software Bill of Materials (SBOM), continuous monitoring, and post-market risks.

    4. Improper Access Control – Weak authentication, privilege escalation, and user data exposure.

    5. Debug Interfaces Left Enabled – JTAG/UART ports, physical access, and mitigation strategies.

    6. Missing/Weak Firmware Integrity Checks – Secure boot, code signing, and white-box testing.

    7. Poor Session Management – Session timeouts and session hijacking.

    8. Fuzzing Vulnerabilities (Buffer Overflows) – Fuzz testing, buffer overflows, and legacy devices.

    9. Lack of Tamper Detection – Audit trails, tamper-evident stickers, and physical controls.

    10. No Rate Limiting/Automation Controls – Brute-force attacks, automation, and rate limiting.


    (37:26) Secure Product Development Frameworks and DevSecOps.


    (38:04) Regulatory Perspective.




    Thanks to Myles Kellerman for being on the show. Connect with Myles on LinkedIn: https://www.linkedin.com/in/myles-kellerman-5763aa22


    40 min
  • Overcoming AI and Data Security Challenges in MedTech with May Lee
    2025/09/16

    How can you prepare your device for future quantum computing risks?

    In this episode of The Med Device Cyber Podcast, Christian and Trevor talk with May Lee of CS Life Sciences about the fast-changing world of medical device cybersecurity. They discuss the growing regulatory demands from the FDA, EU, and China, and why cybersecurity can no longer be an afterthought in device design. The conversation also dives into quantum computing, supply chain risks, and how manufacturers can balance compliance with innovation.


    May Lee is a medical device consultant at CS Life Sciences who specializes in AI, machine learning, and cybersecurity. With experience ranging from startups to global corporations, she brings a practical perspective on navigating regulations and helping innovators bring safer devices to market.


    (03:21) Why cybersecurity is moving from afterthought to design control.

    (05:49) Key takeaways from the FDA’s finalized cybersecurity guidance.

    (08:04) Comparing U.S. FDA and EU MDR cybersecurity requirements.

    (10:44) How quantum computing raises new risks for health data.

    (16:26) The balance between compliance, over-compliance, and innovation.

    (18:23) Differences in regulatory approaches across the U.S., EU, and China.

    (28:05) Why third-party supply chain and software components matter for device security.

    (32:48) When medical device companies should engage cybersecurity consultants.




    Thanks to May Lee for being on the show. Connect with May on LinkedIn: https://www.linkedin.com/in/may-lee-a1b16186/


    39 min