Sign up to save your podcasts
Or
Share Prevention Is Better Than Cure: Applying Medical Principles to Medtech Cybersecurity
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Prevention Is Better Than Cure: Applying Medical Principles to Medtech Cybersecurity
Medical device risk assessments are failing patients, not because the process is too hard, but because nobody doing the assessment has ever been in the room where the device actually gets used.
Medtech quality and regulatory leader Stephen Smith describes sitting in a risk session for a device going into an intensive care unit. Twelve people in the room, and not one had ever set foot in an ICU. If you have never been in the environment your device will operate in, risk identification becomes guesswork, mitigations get written for problems that are not the actual problems, and the device goes to market with gaps that stay hidden until something goes wrong.
This episode covers why the user environment is the most consistently ignored variable in medical device development, and how that same gap shows up in cybersecurity risk assessments.
Also discussed: the $5,000 problem that gets rationalized today has a way of becoming the $500,000 crisis that cannot be ignored tomorrow, and what this argument actually looks like in practice.
Stephen also explains why CE marking proves you passed an audit and why FDA clearance does not mean the FDA approved your device.
Worth listening to if you are focused on medtech quality, regulatory, or cybersecurity.
Episode Breakdown:
- 00:00 Opening quote
- 00:47 Intro and guest background
- 04:14 QA vs RA vs QC
- 06:00 Cybersecurity in quality systems
- 08:30 Risk as the foundation
- 11:20 Ignoring clinicians and user environments
- 13:00 ICU risk assessment example
- 14:19 Startups and product market fit
- 15:30 Key Opinion Leaders
- 16:47 Companies hiring comfortable consultants
- 18:30 $5,000 vs $500,000
- 20:00 Why quality and cybersecurity are invisible
- 22:00 What regulators actually review
- 22:54 Self-signed certificates
- 24:30 Cybersecurity speed vs regulation speed
- 26:30 CE marking is not a quality guarantee
- 27:00 Lost instructions for use
- 28:40 Cleared vs approved
- 29:45 Prevention is better than cure
- 31:00 Final advice
- 32:00 Racing analogy
The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity experts providing essential security solutions for the medical device industry.
Learn more by visiting https://bluegoatcyber.com
If you're interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session
Christian Espinosa is the CEO and Founder of Blue Goat Cyber.
Trevor Slattery is the Chief Operating Officer at Blue Goat Cyber.
Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/
Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/
Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/
Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/
Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber/?sub_confirmation=1
View all episodes
By Blue Goat CyberMedical device risk assessments are failing patients, not because the process is too hard, but because nobody doing the assessment has ever been in the room where the device actually gets used.
Medtech quality and regulatory leader Stephen Smith describes sitting in a risk session for a device going into an intensive care unit. Twelve people in the room, and not one had ever set foot in an ICU. If you have never been in the environment your device will operate in, risk identification becomes guesswork, mitigations get written for problems that are not the actual problems, and the device goes to market with gaps that stay hidden until something goes wrong.
This episode covers why the user environment is the most consistently ignored variable in medical device development, and how that same gap shows up in cybersecurity risk assessments.
Also discussed: the $5,000 problem that gets rationalized today has a way of becoming the $500,000 crisis that cannot be ignored tomorrow, and what this argument actually looks like in practice.
Stephen also explains why CE marking proves you passed an audit and why FDA clearance does not mean the FDA approved your device.
Worth listening to if you are focused on medtech quality, regulatory, or cybersecurity.
Episode Breakdown:
- 00:00 Opening quote
- 00:47 Intro and guest background
- 04:14 QA vs RA vs QC
- 06:00 Cybersecurity in quality systems
- 08:30 Risk as the foundation
- 11:20 Ignoring clinicians and user environments
- 13:00 ICU risk assessment example
- 14:19 Startups and product market fit
- 15:30 Key Opinion Leaders
- 16:47 Companies hiring comfortable consultants
- 18:30 $5,000 vs $500,000
- 20:00 Why quality and cybersecurity are invisible
- 22:00 What regulators actually review
- 22:54 Self-signed certificates
- 24:30 Cybersecurity speed vs regulation speed
- 26:30 CE marking is not a quality guarantee
- 27:00 Lost instructions for use
- 28:40 Cleared vs approved
- 29:45 Prevention is better than cure
- 31:00 Final advice
- 32:00 Racing analogy
The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity experts providing essential security solutions for the medical device industry.
Learn more by visiting https://bluegoatcyber.com
If you're interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session
Christian Espinosa is the CEO and Founder of Blue Goat Cyber.
Trevor Slattery is the Chief Operating Officer at Blue Goat Cyber.
Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/
Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/
Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/
Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/
Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber/?sub_confirmation=1