Episodes

  • Total Product Lifecycle Security: From Design to Disposal
    Jul 8 2025

    How well does your security strategy cover the entire product lifespan—from concept to decommissioning?

    This episode dives into the importance of the Total Product Lifecycle (TPLC) and Secure Product Development Framework (SPDF) in medical device cybersecurity. Christian and Trevor share stories, best practices, and pitfalls from real-world cases involving update security, insecure development environments, and overlooked decommissioning risks.


    Key points:


    (1:50) Intro to TPLC and SPDF

    * The importance of TPLC and SPDF in secure development.


    (7:00) Update Vulnerabilities and OTA Risks

    * An example of compromised keys in an otherwise secure over-the-air (OTA) process.

    * Trade-offs between update convenience and security.


    (12:16) Threat Modeling

    * Threat modeling’s application to development environments.

    * The overlooked risks of data storage locations and natural disasters.


    (17:24) Infrastructure Challenges

    * How clients struggled with infrastructure across hospital environments.

    * How scripts and hardcoded passwords can introduce risk.


    (19:56) Building a SPDF That Works

    * Best practices: coding standards, multi-layer review, and automated testing.

    * Secure development is like planning for your own death—it’s hard, but necessary.


    The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com


    If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session


    Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber.

    Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/


    Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/

    Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/

    Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/

    Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber


    Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9


    Feedback? Questions? Contact: https://bluegoatcyber.com/contact/


    Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/


    Christian Espinosa on YouTube:

    35 m
  • Why Cybersecurity and Quality Are One and the Same
    Jul 1 2025

    How can medical device startups avoid missteps in cybersecurity, quality, and compliance?

    In this episode, Trevor Slattery speaks with Ashkon Rasooli about the intersection of quality systems and cybersecurity in medical devices. They unpack why treating cybersecurity as a bolt-on checklist is ineffective and even dangerous. They also discuss regulatory realities, risk management frameworks, and how early-stage teams can avoid costly pitfalls by planning smarter from the start.


    Ashkon Rasooli is the CEO of EnGenius Solutions, a boutique consulting firm focused on medical device software development. With a background in both hands-on coding and compliance, Ashkon helps medtech startups navigate quality systems and regulatory strategy.


    Key points:


    (0:31) Why Regulations and Cybersecurity Are Intertwined

    * How EnGenius helps small medtech companies plan early.

    * Challenging the idea that cybersecurity and QMS are separate disciplines.


    (7:12) Planning Cybersecurity Early

    * Business model, product design, and geography all shape your compliance path.


    (12:16) Culture Over Checklists in MedTech Security

    * Ashkon’s “Non-BS Manifesto” based on Agile principles.

    * Real-world examples of ransomware causing patient harm.


    (20:38) Why Probabilistic Risk Scoring Falls Short

    * How exploitability trumps probability in FDA guidance.

    * How cybersecurity attackers differ from typical safety failures.


    (28:14) Planning Compliance

    * Dick Cheney’s pacemaker becomes a cautionary tale of targeted threats.


    Thanks to Ashkon Rasooli for being on the show. Connect with him: https://www.linkedin.com/in/ashkonrasooli

    Check out EnGenius Solutions: https://www.engeniussolutions.com



    37 m
  • Cybersecurity Labeling and MedTech Transparency
    Jun 24 2025

    Why is cybersecurity labeling more than just a compliance checkbox for medical device companies?

    In this episode, Christian and Trevor dive into the nuanced world of cybersecurity labeling for medical devices. They discuss the role of MDS2 and JSP2 documentation, labeling misconceptions, and how manufacturers can best disclose security information without overwhelming or misleading users.


    Key points:


    (6:30) Misconceptions About Cybersecurity Labeling

    * Many manufacturers worry that disclosing risks will aid hackers, but that's flawed thinking.

    * Distinctions between labeling as documentation and labeling as a control like a tamper-evident seal.

    * Everyday product examples to illustrate why transparency in labeling matters.


    (12:45) How Much Detail Is Enough?

    * How deep a manufacturer should go with disclosures about encryption and risk.

    * Why more detail is generally better and how to balance tech jargon with user readability.

    * Different labeling needs based on whether a device is for consumers or hospitals.


    (18:20) Context, Risk, and Communication

    * Why not encrypting unnecessary data can backfire if a consumer is misinformed.

    * How labeling must be contextual and tailored to a device’s function and data sensitivity.


    Resources mentioned in this episode:


    * The Manufacturer Disclosure Statement for Medical Device Security (generally abbreviated as MDS2).

    * The Medical Device and Health IT Joint Security Plan, version 2 (JSP2).



    31 m
  • From Concept to Compliance: A Guide to Med Device Approval
    Jun 17 2025

    Med device manufacturers, are you setting up your quality system early enough in product development? Also, are you misunderstanding the FDA’s "guidance" documents—and risking rejection?

    Today’s guests are Mark Swanson and Steve Gompertz of QRx Partners, and they’re passionate about helping medtech companies dodge the regulatory and quality pitfalls that derail so many startups. This episode explores how to classify your device properly, why cybersecurity documentation is required even for isolated software, and the evolving role of AI in medical technology.


    Key points:


    (02:11) Startup Failure and What QRx Solves

    * Why many early-stage medtech startups fail.

    * Startup optimism is contrasted with the harsh funding and regulatory realities.


    (12:16) Classification Chaos and Regulatory Missteps

    * The confusion around FDA’s product code database.


    (17:55) AI and Quality Systems

    * What qualifies as actual AI vs. marketing fluff.

    * How regulators handle AI in submissions.


    (31:22) National vs. State Regulations

    * The critical need for manufacturers to understand state regulations.

    * Why quality and regulatory planning must precede design.


    Thanks to Mark Swanson and Steve Gompertz for being on the show.


    Connect with Mark on LinkedIn: https://www.linkedin.com/in/markswansoncmq

    Connect with Steve on LinkedIn: https://www.linkedin.com/in/stevegompertz

    Learn more about QRx Partners: https://www.qrxpartners.com



    40 m
  • Unpacking Post-Market Management and Incident Response for Medical Devices
    Jun 10 2025

    What should you do when a vulnerability is discovered in a medical device after it's already on the market?

    This episode dives into post-market management and incident response for medical devices, exploring what happens when a device is hacked or a vulnerability is reported. Christian Espinosa and Trevor Slattery discuss the processes involved in identifying, triaging, and remediating vulnerabilities, emphasizing the unique challenges faced in the medical device sector.


    Key points:


    (8:01) Sources of Vulnerabilities and Tracking

    * There are various sources for discovering vulnerabilities, including software bill of materials, CISA-CAV, annual penetration tests, coordinated vulnerability disclosure databases, etc.

    * Standards and guidance for post-market management, including TIR-97 and FDA guidance.


    (13:08) Managing False Positives and Risk Triage

    * False positives are instances where a testing tool or scanner indicates a problem that doesn't actually exist.

    * The critical importance of thoroughly investigating suspected false positives in the post-market phase, so that effort is not spent fixing non-issues.

    * The triage process for vulnerabilities.


    (21:11) Exploitability and Coordinated Vulnerability Disclosure

    * How exploitability factors, like authentication levels, proximity, and attack complexity, can change in the post-market phase.


    Resources mentioned in this episode:


    * TIR-97: AAMI standard for post-market cybersecurity management

    * FDA Guidance: Postmarket Management of Cybersecurity in Medical Devices



    28 m
  • AI in Medical Devices: Opportunities & Regulation with Matt Lemay
    Jun 3 2025

    What does responsible AI implementation look like in medical devices?

    This episode explores the intersection of AI, cybersecurity, and medical device regulation with guest Matt Lemay, CEO of Lemay.ai. Hosts Christian Espinosa and Trevor Slattery of Blue Goat Cyber dig into how AI models are trained, certified, and deployed in clinical contexts—and what can go wrong.


    Key points:


    (7:29) Data, Security, and Deployment Risks

    * Training data inconsistencies and data drift in AI models.

    * Cybersecurity concerns tied to cloud deployment and version control.


    (11:48) Can AI Prescribe Medication?

    * Legal and liability implications of AI autonomy in healthcare.


    (22:35) Risks and Regulation

    * Expectations for AI-enabled device regulations in the EU and US.


    (33:35) AI Answers

    * Thoughts on how AI has a hard time admitting it doesn't know the answer to something.




    Thanks to Matt Lemay for being on the show. Connect with Matt on LinkedIn: https://www.linkedin.com/in/mnlemay/

    Lemay AI: https://www.lemay.ai/



    43 m
  • Essential Software Documentation for Med Device Manufacturers
    May 27 2025

    What documents should engineers prepare to get ready for submitting a medical device to the FDA?

    In this episode, Christian and Trevor dig into the underestimated role software documentation plays in cybersecurity, especially in the medical device space. They highlight how incomplete or contextless documentation can hinder everything from SBOM utility to regulatory compliance. With sharp insights and real-world examples, they make the case for elevating documentation as a strategic priority.

    Key points:


    (00:43) The Real Purpose of Documentation

    * Software documentation is often seen as a checklist item rather than a strategic tool.

    * Good documentation enables continuity and reduces knowledge silos.


    (07:04) Security Starts with Documentation

    * A lack of context in software documentation can undermine its usefulness for vulnerability management.

    * Documentation quality links with product security posture and incident response readiness.


    (13:41) Regulation and Standards for Medical Device Documentation

    * Documentation shouldn’t only meet minimum regulatory requirements.

    * Strong documentation supports faster and safer decision-making during audits or breaches.


    (18:11) Best Practices

    * Trevor lists areas where developers consistently miss documentation opportunities (e.g., deprecated functions, third-party code).

    * Christian outlines how consistent, contextual documentation helps new team members come up to speed.


    (23:59) FDA Requirements

    * The hosts recommend integrating documentation into sprint planning and CI/CD pipelines.




    The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast.


    Subscribe via Spotify: https://spoti.fi/3XX95g0

    Subscribe via Apple Podcasts: https://apple.co/483OJ9I

    Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts


    This episode was produced by Story On Media: https://www.storyon.co/

    28 m
  • The Human Factor in MedTech Design with Dylan Horvath
    May 20 2025

    How can human-centered design influence medical device cybersecurity?

    In this episode, Christian Espinosa chats with Dylan Horvath of Cortex Design about the powerful intersection of human-centered design and medical device cybersecurity. They explore how usability, trust, and empathy can shape safer, smarter devices from the start. Dylan also shares valuable insights into building design teams, learning from failure, and driving innovation in regulated industries.


    Dylan Horvath is a passionate industrial designer who’s spent decades shaping how people interact with technology. As the founder and CEO of Cortex Design, he’s all about blending creativity and engineering to build medical devices that actually work for people.


    (00:30) Design Thinking in MedTech

    * Christian and Dylan discuss the similarities between design and cybersecurity.


    (07:08) The Design Process

    * How psychological safety and curiosity are foundations for team success.

    * Cortex’s lean, iterative process and fast prototyping.


    (14:18) Lessons Learned

    * Dylan reflects on design failures and what they taught him.

    * The balance between regulation and innovation in MedTech.


    (21:26) Security and Usability

    * Dylan’s thoughts on how threat modeling could better include design teams.

    * The trade-offs between usability and strong security in med devices.


    (26:36) Design Challenges

    * User experience is critical, and overlooking it can lead to products that are difficult to use and unappealing to the market.




    Thanks to Dylan Horvath for being on the show. Connect with Dylan on LinkedIn: https://www.linkedin.com/in/dylan-horvath/

    Learn more about Cortex Design: https://cortex-design.com/


    Christian Espinosa is the CEO and founder of Blue Goat Cyber.



    35 m