
The Med Device Cyber Podcast

Blue Goat Cyber

74 episodes

  • The Med Device Cyber Podcast

    Prevention Is Better Than Cure: Applying Medical Principles to Medtech Cybersecurity

    26/02/2026 | 32 min
    Medical device risk assessments are failing patients, not because the process is too hard, but because nobody doing the assessment has ever been in the room where the device actually gets used.
    Medtech quality and regulatory leader Stephen Smith describes sitting in a risk session for a device going into an intensive care unit. Twelve people in the room, and not one had ever set foot in an ICU. If you have never been in the environment your device will operate in, risk identification becomes guesswork, mitigations get written for problems that are not the actual problems, and the device goes to market with gaps that stay hidden until something goes wrong.
    This episode covers why the user environment is the most consistently ignored variable in medical device development, and how that same gap shows up in cybersecurity risk assessments.
    Also discussed: how the $5,000 problem that gets rationalized today has a way of becoming the $500,000 crisis that cannot be ignored tomorrow, and what this argument actually looks like in practice.
    Stephen also explains why CE marking proves you passed an audit and why FDA clearance does not mean the FDA approved your device.
    Worth listening to if you are focused on medtech quality, regulatory, or cybersecurity.
    Episode Breakdown:
    00:00 Opening quote
    00:47 Intro and guest background
    04:14 QA vs RA vs QC
    06:00 Cybersecurity in quality systems
    08:30 Risk as the foundation
    11:20 Ignoring clinicians and user environments
    13:00 ICU risk assessment example
    14:19 Startups and product market fit
    15:30 Key Opinion Leaders
    16:47 Companies hiring comfortable consultants
    18:30 $5,000 vs $500,000
    20:00 Why quality and cybersecurity are invisible
    22:00 What regulators actually review
    22:54 Self-signed certificates
    24:30 Cybersecurity speed vs regulation speed
    26:30 CE marking is not a quality guarantee
    27:00 Lost instructions for use
    28:40 Cleared vs approved
    29:45 Prevention is better than cure
    31:00 Final advice
    32:00 Racing analogy

    The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity experts providing essential security solutions for the medical device industry.
    Learn more by visiting https://bluegoatcyber.com
    If you're interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session
    Christian Espinosa is the CEO and Founder of Blue Goat Cyber.
    Trevor Slattery is the Chief Operating Officer at Blue Goat Cyber.
    Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/
    Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/
    Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/
    Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/
    Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber/?sub_confirmation=1
  • The Med Device Cyber Podcast

    How AI Code Security Became a Medical Device Problem with Jun Xiang Tan

    19/02/2026 | 37 min
    Ten years ago, Singapore's healthcare system got hacked. Patient records were stolen at a national scale. The government responded by building one of the most comprehensive medical device security frameworks in the world.
    The Cybersecurity Labeling Scheme has four tiers. Level one means basic security controls exist. Level four means the device underwent independent code review, has advanced threat detection, and maintains continuous vulnerability management. Hospitals can see exactly what level of security they're getting before they buy.
    Jun Xiang from CareHero explains why this matters, especially now that AI is showing up in medical devices without proper testing. He covers adversarial attacks on medical images, why doctors are uploading patient data to ChatGPT, and what automation bias does to clinical decision making.
    Practical conversation about medical device security in Southeast Asia and what manufacturers need to know about Singapore's approach.
    Episode Breakdown:
    00:01 Welcome
    00:31 Background
    01:09 Military service
    03:09 AI threats
    03:45 23% problem
    04:40 X-rays ChatGPT
    05:43 Attacks
    08:15 Poisoning
    11:30 Hallucinations
    14:20 AI code
    17:45 Vulnerabilities
    20:30 Pair programming
    23:15 Guardrails
    26:40 Automation bias
    28:50 AI scribes
    31:20 Dialects
    34:05 Pre-triage
    36:32 Pricing
    37:25 Pair programmer
    37:40 Human interpretation
  • The Med Device Cyber Podcast

    How to Build an SBOM That Passes FDA Review

    18/02/2026 | 41 min
    SBOMs are one of the most common sources of FDA deficiencies in medical device submissions. Most companies think they're doing it right, but then they get feedback asking for missing components or clarification on what's included.
    In this webinar, Christian Espinosa and Trevor Slattery explain what the FDA actually expects in an SBOM and why it's not just about listing third-party libraries. You need to include first-party code too. You need to follow the NTIA minimum elements. And you need to provide it in a machine-readable format like SPDX or CycloneDX.
    Trevor walks through the history of SBOMs, from their origins in licensing compliance to their current role in medical device cybersecurity. He explains the shift-left approach the FDA wants to see and why transparency matters for healthcare delivery organizations making purchasing decisions.
    The webinar also addresses a big concern people have. Does publishing an SBOM give attackers a roadmap to your system? Trevor breaks down why that's not actually a problem if you're managing your security properly.
    If you're building a connected medical device or preparing for an FDA submission, this is a clear breakdown of how to get your SBOM right the first time.
    Webinar Breakdown:
    00:00 Welcome and introduction to SBOMs
    00:44 What is an SBOM and why does it matter
    03:10 The history of SBOMs: From licensing to cybersecurity
    07:20 Why the FDA cares about SBOMs
    11:30 The biggest mistake: Leaving out first-party code
    15:45 NTIA minimum elements explained
    19:20 Machine-readable formats: SPDX and CycloneDX
    23:00 Real-world examples: Log4j and Shellshock
    26:15 Do SBOMs give attackers a roadmap? The truth
    29:40 Common myths about SBOMs
    33:50 Key takeaways for FDA submissions
    36:20 Q&A session begins
    Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9
  • The Med Device Cyber Podcast

    From Idea to FDA Clearance: What Nobody Tells Medtech Founders with Darcy Bachert

    12/02/2026 | 44 min
    Building medical device software is hard. Building it the right way is harder. And getting it through FDA approval while managing cybersecurity requirements? That's what Darcy Bachert has been doing for 17 years.
    Darcy runs Prolucid Technologies, an ISO 13485-certified software development firm in Toronto. They work with medtech companies across North America, Europe, and Australia.
    And in that time, he's seen the same mistakes repeatedly.
    The biggest one? Founders build products that solve problems nobody has. Or they build something physicians won't adopt because it adds complexity instead of making their lives easier.
    In this conversation, Darcy talks about IEC 62304 and why it matters when choosing a software partner, the Canadian medtech ecosystem and why Toronto is a major hub, and why quality systems and cybersecurity need to be built in from day one, not added at the end.
    This episode is practical if you're building a medical device or working with medtech startups.
    Episode Breakdown:
    00:01 Welcome and intro
    00:30 Darcy's background and Prolucid Technologies overview
    01:15 The origin of the name Prolucid Technologies
    01:58 Why clarity matters more than code
    04:18 Common challenges beyond software development
    06:11 Toronto's medtech ecosystem
    06:57 IEC 62304 and choosing the right development partner
    09:17 ISO 13485 certification and investor confidence
    12:04 Realistic timelines for medical device software
    15:32 Cost expectations and budget planning
    18:45 Building quality systems from the start
    21:20 Integrating cybersecurity throughout development
    24:15 When and how to do penetration testing
    27:30 Cybersecurity mistakes startups make
    30:42 The MTI program and Canadian medtech resources
    33:18 Canadian vs US medtech markets
    36:22 Physician adoption challenges
    40:18 Trevor: Don't invent your problem
    41:36 Darcy: Find partners who've done it before
    43:05 Christian: Balance user adoption with reimbursement

  • The Med Device Cyber Podcast

    What MedTech Startups Get Wrong About Cybersecurity Documentation with Marc Zemel

    05/02/2026 | 41 min
    Marc Zemel has been building Retia Medical for 15 years. The company started as two guys with slides and licensed technology. Now their data-driven hemodynamic monitoring technology for consistently accurate cardiac output measurements in high-risk surgical and critically ill patients is in 75 hospitals across 18 countries, sold by Medtronic in the U.S., and the company is preparing to launch its new product, Argos Infinity, pending FDA clearance.
    But getting here meant dealing with cybersecurity challenges that Marc didn't see coming. In this conversation, he talks about what actually slowed them down, what he wishes he'd done differently, and why building a proper quality system from day one would have saved him years of pain.
    Retia Medical develops algorithms that monitor cardiovascular function. Their technology detects problems before blood pressure drops, which makes it valuable in operating rooms and ICUs. Nurses have gotten so attached to their monitors that they literally hug them because the devices help them do their jobs better.
    Marc walks through the specific cybersecurity issues that surprised him. Like how software as a medical device comes with ongoing compliance costs that hardware doesn't have. Or how documentation requirements kept changing as the FDA updated its expectations. Or how retrofitting cybersecurity into an existing product is way more expensive than building it in from the start.
    He also shares his philosophy on building companies. He doesn't focus on exits or acquisition targets. He focuses on building something people can't live without. When the product is that good, the rest takes care of itself.
    If you're building a medical device startup or dealing with FDA submissions, this is a conversation worth hearing.
    Episode Breakdown:
    00:00 Introduction
    00:32 Where everyone's calling from
    02:54 Marc's background and journey into medtech
    04:33 What Retia Medical does
    07:00 Blood flow vs blood pressure
    09:45 Software vs hardware as a medical device
    12:30 Cybersecurity challenges
    15:20 Documentation nightmares
    18:45 Quality systems and why they matter early
    22:10 FDA submissions over 15 years
    25:30 The cost of retrofitting cybersecurity
    28:50 Software updates and compliance
    32:15 Build to be bought, not to be sold
    37:32 What acquirers look for
    39:02 Product market fit: Nurses hugging monitors
    41:14 Wearables and future regulations

About The Med Device Cyber Podcast

In a time where healthcare and technology are deeply intertwined, understanding medical device cybersecurity is not just important—it's essential. Welcome to The Med Device Cyber Podcast, your go-to resource for understanding the complexities of this critical field of cyber security. As the definitive podcast on medical device security, we explore everything from identifying and mitigating vulnerabilities to navigating this ever-evolving regulatory landscape. Hosted by Christian Espinosa, Founder & CEO of Blue Goat Cyber, and Trevor Slattery, Director of Medical Device Cybersecurity, each episode features expert insights into the latest cybersecurity threats, innovative solutions, and best practices for protecting the medical devices that are at the heart of modern healthcare. Whether you're a healthcare provider, a device manufacturer, a cybersecurity professional, or just someone looking to learn about the importance of cybersecurity in human lives, this podcast empowers you with the knowledge and tools to ensure patient safety and secure the future of medical technology. This podcast is brought to you by Blue Goat Cyber, specializing in providing elite cybersecurity solutions.