Global Medical Device Podcast powered by Greenlight Guru

#407: Cybersecurity in MedTech: FDA Compliance, Patient Safety & the Hidden Risks You’re Missing



Christian Espinosa, founder of Blue Goat Cyber and leading voice in medical device cybersecurity, joins Etienne Nichols to unpack the urgent and often misunderstood topic of cybersecurity in MedTech. From FDA’s 2023 regulatory overhaul to real-world hacking scenarios that could harm patients, Christian provides practical advice for innovators, RA/QA professionals, and software teams. He also shares why waiting until the last minute on cybersecurity could cost startups millions—or even kill a project entirely.

Whether you're a quality professional trying to build compliant systems or an innovator racing toward FDA submission, this episode lays out exactly what you need to know to stay ahead of cyber threats and within regulatory guardrails.

Key Timestamps:

  • 00:01 – Intro to guest Christian Espinosa and Blue Goat Cyber
  • 06:28 – Why medical device cybersecurity is different from traditional IT security
  • 11:49 – Real-world hacking example: acne laser device turned skin-burner
  • 13:57 – FDA expectations post-September 2023: what changed
  • 17:12 – Secure boot: a microcontroller mistake that derailed a launch
  • 20:35 – Common cybersecurity vendor mistake MedTech companies make
  • 23:40 – SBOM: Software Bill of Materials and why it's legally critical
  • 27:58 – Cyberattacks in hospitals: assuming a hostile network
  • 35:44 – AI in medical devices: data bias and cybersecurity challenges
  • 41:10 – Developers ≠ cybersecurity experts: the training gap nobody talks about
  • 45:20 – What RA/QA professionals need to know now
  • 49:30 – Why cybersecurity must be iterative, not a final-phase add-on
  • 55:20 – Espinosa's final advice for MedTech professionals
  • 57:52 – The story behind “Blue Goat Cyber”

Standout Quotes:

“Cybersecurity for medical devices isn’t about data breaches—it’s about patient harm. You could paralyze someone or misdiagnose sepsis. This isn’t theoretical.”— Christian Espinosa, on the real risks of insecure devices
“Most developers don’t understand cybersecurity. We assume they do—but that’s like expecting an architect to be a locksmith.”— Christian Espinosa, on why so many devices fail security assessments

Top Takeaways:

  1. Cybersecurity isn’t just about data—it's about patient safety. From burning skin to missed sepsis diagnoses, vulnerabilities in devices have real-world harm potential.
  2. FDA now requires more than just a basic security plan. Post-September 2023 rules mandate testing (SAST, DAST, fuzzing), SBOMs, and risk assessments tied to patient harm.
  3. Start cybersecurity planning during the requirements phase. Hardware like microcontrollers must support secure boot and other protections—retrofits can cripple product plans.
  4. Iterate cybersecurity like any core development activity. One-time testing near submission is too late; build security into your pipeline just like QA or usability.
  5. Traditional cybersecurity vendors aren’t enough. Many fail to meet FDA’s nuanced expectations for medical devices, causing costly submission rejections.

References & Resources:

  • Christian Espinosa on LinkedIn
  • Blue Goat Cyber
  • Etienne Nichols on LinkedIn

MedTech 101 – Understanding SBOM (Software Bill of Materials):

Think of an SBOM like a nutrition label on food. Just as you want to know if a product contains allergens or preservatives, FDA wants to know what libraries and components are in your software. A clean, complete SBOM identifies both security vulnerabilities and potential licensing conflicts—like borrowing ingredients you’re not legally allowed to use. Want a visual explanation? Consider a flowchart showing third-party libraries linking into your main software repository, flagged with vulnerability scores.
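The check described above, worked through in code: an added example, not code from the podcast or from Greenlight Guru, that walks a constructed CycloneDX-style SBOM and flags components with a known advisory or a license outside a hypothetical approved list (the component names, versions, advisory ids and license policy are all made up for illustration).

```python
import json

# Constructed, simplified CycloneDX-style SBOM for a hypothetical device firmware.
# Component names, versions and licenses are made up for illustration.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "mbedtls", "version": "2.16.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "zlib", "version": "1.2.11", "licenses": [{"license": {"id": "Zlib"}}]},
    {"name": "readline", "version": "8.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "vendor-blob", "version": "0.9"}
  ]
}
"""

# Constructed stand-in for a vulnerability feed: (name, version) -> advisory ids.
# The ids are placeholders, not real CVE numbers.
KNOWN_VULNS = {("mbedtls", "2.16.0"): ["ADVISORY-PLACEHOLDER-1"]}

# Hypothetical policy: licenses this product is cleared to ship in proprietary firmware.
APPROVED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "Zlib"}


def review_sbom(sbom_text, known_vulns=KNOWN_VULNS, approved=APPROVED_LICENSES):
    """Return one finding per component: matching advisory ids and any license issue."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        licenses = [l.get("license", {}).get("id") for l in comp.get("licenses", [])]
        licenses = [x for x in licenses if x]
        finding = {"component": f"{name}@{version}",
                   "vulns": known_vulns.get((name, version), []),
                   "license_issue": None}
        if not licenses:
            finding["license_issue"] = "no license declared"  # cannot prove it is usable
        else:
            unapproved = sorted(set(licenses) - approved)
            if unapproved:
                finding["license_issue"] = "unapproved: " + ", ".join(unapproved)
        findings.append(finding)
    return findings


def needs_attention(findings):
    """Components that should be resolved before the SBOM goes into a submission."""
    return [f["component"] for f in findings if f["vulns"] or f["license_issue"]]
```

A real review would replace the constructed dictionary with a query against a vulnerability database and the allow-list with the organization's license policy; the logic stays the same.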

Poll Question:

Is cybersecurity currently integrated into your product development process—

A) From Day 1

B) Only near submission

C) We outsource and hope for the best

D) What cybersecurity?

What’s your biggest challenge when it comes to building cybersecurity into your product lifecycle? Email us your thoughts at [email protected].

Feedback:

If this episode sparked new insights or raised questions, we’d love to hear from you. Send us your feedback or suggest a topic at [email protected]. We personally respond to every email and appreciate your ideas for future guests and discussions.

Sponsored by Greenlight Guru:

Most companies spend more time preparing for audits than in the audit itself. Greenlight Guru Quality lets you link cybersecurity and quality evidence directly to requirements, making you “always audit-ready.” Learn more at www.greenlight.guru.

By Greenlight Guru + Medical Device Entrepreneurs