00:00:06 Shreya: What is the biggest threat to your health? It's not disease, but a silent vulnerability inside the device meant to keep you safe. Because today, healthcare is not just doctors and hospitals. It's software, sensors and systems making life or death decisions. And the question is, are we protecting patients as seriously as we protect products? Let's talk about medical device cybersecurity without fear, without jargon, and just what matters.

00:00:38 Shreya: Welcome back to Wellness Reimagined, where we explore what wellness looks like when you zoom out and get curious about the system, the science and the human side of health. I'm your host Shreya. And today we are talking about medical device cybersecurity: what it is, why it matters and how it impacts real patients in real moments. Our guest is Christian Espinosa, founder and CEO of Blue Goat Cyber, helping med tech teams reduce FDA cybersecurity delays with practical, evidence-ready support. After a serious health scare, his work became deeply personal: protecting patients through safer medical technology. And by the end of this episode, you will understand what's actually at stake, where most teams get stuck and what good looks like, in a way that's grounded and doable. Welcome, Christian. I'm honored to have you on my show.

00:01:35 Christian Espinosa: Thanks so much for the great intro, Shreya, I appreciate it.

00:01:38 Shreya: And Christian, before we get into the technical, I want to start with the human. What was the moment you realized that this is not just an IT problem, this is a patient safety problem?

00:01:53 Christian Espinosa: Well, I think the moment it was crystallized for me was when I was the patient. It wasn't abstract anymore. In 2022, I had just finished working out and I developed some pain in the back of my left leg, and a friend of mine told me to go to the hospital. She said I might have blood clots, but I was really in good shape, so I didn't think that was possible. Still, I took her advice and went to the hospital, to the emergency room, and thanks to a portable Doppler ultrasound medical device, they detected not just one, but six blood clots in my left leg. So if that device had been recalled or had given a misdiagnosis because of cybersecurity, then I wouldn't be here. So it's very real to me because, like I said, I was the patient in this scenario, relying on medical technology to help diagnose me. And like I said, I may not be here if it wasn't for that device.

00:03:02 Shreya: Yes. I think that shift from abstract risk to personal responsibility changes how you show up. And when people hear "medical device cybersecurity", they often imagine hackers in hoodies and Hollywood drama. In your experience, what is the most common misconception that keeps teams from taking the right action?

00:03:28 Christian Espinosa: The most common misconception with medical device cybersecurity is that it's about data protection. People still think it's about protecting health information and sensitive data. That is important, but it's less important than patient safety. The lens we need to look through with medical devices and cybersecurity is: if somebody can hack into a device or compromise a device, what harm can they do to the patient? And we need to make sure that that can't happen. And it's not just one kind of harm. You could hack into a surgical robot performing surgery on somebody's spine and maybe paralyze a person. You could cause a misdiagnosis as well, for an in vitro diagnostic system that is checking for sepsis, and if you delay treatment for sepsis, somebody could die or be seriously injured. So we have to look at it through the lens of what the harm is. It's not just the data. A good scenario I like to give: if you have an implantable defibrillator or pacemaker and there's a vulnerability, and there have been vulnerabilities where someone's been able to do this in the past, if somebody can remotely connect to your defibrillator and shock you to death, shock your heart to death, you probably care more about that than if they're also stealing your sensitive data at the same time. You can recover from your sensitive data being stolen, but you can't recover from death. At least not yet.

00:05:00 Shreya: And when the misconception shows up inside a company, how does it usually sound? Is it "we'll deal with it later"? "The device is not connected"? "That's the vendor's job"? What is the narrative you hear the most?

00:05:24 Christian Espinosa: A combination of what you said. We hear "we'll deal with cybersecurity later, we don't need to consider it right now," which is a misconception as well. Cybersecurity needs to be designed into the product, not bolted on at the end, because it's not effective if you try to add it later on, and it costs a lot more money and a lot more redesign. That's a very common one. And then the other common thing we hear is a lot of people think their device does not need cybersecurity. Technically, any device with software and any way to connect to it needs to go through cybersecurity testing and risk analysis and all the things required from a cybersecurity perspective. And where this gets a little confusing to people is that it doesn't have to be directly connected to the internet. If your device is a patient monitoring system that has a USB port where somebody can plug a USB stick into it, they could potentially infect that device through malicious software on that USB drive. So that device needs to go through cybersecurity testing. Same thing if you have a device that communicates via Bluetooth: that is an entry point that an attacker can use to compromise the software on your device.

00:06:45 Shreya: I think that's such an important reframe, because cybersecurity is not a cinematic threat. I think it's a design reality. And when teams misunderstand the risk, they don't just delay the security, they delay the trust. And what are the deeper patterns that create weak security in medical tech? Is it speed to market, market pressure, unclear ownership, lack of training, legacy? What is really driving it?

00:07:17 Christian Espinosa: I think the main driver is simply a lack of awareness and some common misunderstandings. One of them is this idea that software developers understand cybersecurity. In my experience, ninety-nine percent of software developers do not understand cybersecurity, but those same ninety-nine percent will tell you they do. And it's a very different skill set. You can't expect somebody to know everything. A software developer is hired to develop software that is functional, that looks good, that works. A cybersecurity firm is hired to break the software. We're trying to make it do things it's not supposed to do. We're trying to create situations that weren't intended with the software, and we look at it through a very different lens. So it's a very different skill set. And that is one of the biggest challenges, I feel, especially in a sales cycle. Just talking to people in industry, they'll say, well, our software developers know cybersecurity, or they've got a cybersecurity person on staff. But from my experience, that is rarely ever true.

00:08:28 Shreya: Yes, I can really understand your perspective, because I also studied computer science in my college, and then I studied for a PG diploma in cybersecurity. So I can actually understand that these two things are completely different, but most people don't understand. They think if you are a software developer and you studied software, then you will know everything about cybersecurity, which is definitely not the case.

00:08:54 Christian Espinosa: Right. Well, if software developers knew cybersecurity as well as they say they do, we wouldn't have as many incidents as we do today, right? There's a new hack every single day. So if they had it figured out, we wouldn't be having this many data breaches and things.

00:09:10 Speaker 3: Yes.

00:09:11 Shreya: And also, if you had to point to one early decision in product development that tends to create the biggest downstream cybersecurity pain later, what would it be?

00:09:25 Christian Espinosa: Yeah. With cybersecurity, it needs to be considered from design until disposal, the whole of what we call the total product lifecycle. And if it's not considered, later on it can cause major problems. We worked with manufacturers that did not think about what the hospital would do with their device when it reached the end of its life. So the hospitals were just selling the devices, the old equipment, and the devices had patient data on a hard drive that was not encrypted. So it had a major downstream effect. So we have to look at the entire lifecycle: how the device is going to be designed, how it's going to be used, how it's going to be maintained, how it's being governed, and how it's going to be disposed of eventually, and have all those use cases covered throughout the entire lifecycle.

00:10:21 Speaker 3: Yeah.

00:10:21 Shreya: So it is not just "add security", it's "choose a mindset early", because once something is built, security becomes retrofitting. And I think retrofitting in healthcare is so costly and slow and stressful too. And also, without getting alarmist, can you paint a realistic picture of how medical device cyber risks show up in the real world? What are the everyday failure modes people don't realize are connected to security?

00:10:57 Christian Espinosa: They show up on a daily basis. Hospitals and healthcare delivery organizations are very insecure and they're compromised very often. So if there's malicious software propagating through a hospital environment and there's a medical device on that environment that has a vulnerability, it's highly likely that that medical device will be compromised as well. And we have to think about it from this perspective: on average, there are fourteen medical devices connected to a patient bed or surrounding a patient bed in a hospital. So that's fourteen devices that may have a vulnerability. And if there is a malicious actor that's trying to make money through ransomware, and that ransomware happens to hit one of those devices that a patient's life depends on, let's say it's a patient monitoring system monitoring their vitals, then that is a major problem. And it's not just a problem for that specific patient. It disrupts the clinical workflow because, you mentioned trust earlier, now the nurses and the doctors no longer trust that equipment and they can no longer use that equipment. So they have to change their workflow, which reduces their ability to deliver healthcare at a larger scale, because now they need to spend more time with each patient because they can't trust the system. So that's a big challenge. And unfortunately, there have been some cases where people have lost their life because medical devices have been compromised. There's one in the UK that happened late last year, where an establishment that was used to process blood got ransomware, so they could no longer process blood. A patient that needed a transfusion could not get access to blood, and that patient died. So it's no longer this theoretical thing. It's becoming a real problem. And it's something we need to treat very seriously, because like I said, you can recover from your credit card being stolen or your medical records being stolen, but you can't recover if you need a blood transfusion and there's no blood.

00:13:10 Shreya: Thank you for explaining this so beautifully. And also, when a device company hears that this could affect patients, some people freeze, because I think it feels heavy. So how do you help teams hold the seriousness without spiraling into fear or avoidance?

00:13:31 Christian Espinosa: Well, it's just like anything else with medical technology. In the past, there have been issues with sterility. As an example, the device wasn't sterile, somebody got infected and it caused problems. So we had to address sterility. So now for devices, there's a sterility study to make sure that if multiple patients use this device, one of them is not going to get infected after the other one. And that's a similar situation that could cause harm or death. So just like that, we have to get over these hurdles, these challenges with medical technology, and cybersecurity is just another one of those challenges we have to look at, just like sterility. If somebody can hack into the device, or it's on a network that's unsafe or hostile, we like to ask what is going to be the impact and what are the safeguards in place to prevent somebody from doing that. And if somebody does hack into the device or it's compromised, what's the response? These things need to be thought through.

00:14:36 Shreya: I think that's a really powerful balance, because it's urgency without panic. I think panic shuts down good thinking, but grounded urgency creates better systems. And when you say practical, evidence-ready support for FDA, what does that translate to for a med tech team listening right now? If they wanted to mature their cybersecurity posture, where should they start?

00:15:08 Christian Espinosa: They should start immediately. And this is a challenge in the industry. This is a challenge that we are trying to bring some awareness to. A lot of people think cybersecurity is like a point-in-time study or point-in-time activity. So on a medical device product roadmap, they think, okay, I'm going to do cybersecurity in Q4 2026. As I mentioned, it needs to be done from design to disposal, not a point-in-time study. It's an iterative process. And what we always recommend is when somebody has proven their product is going to work, they've got the minimum viable product proven, there's a market fit, and they're starting to develop the true product, that's when they should be speaking to us, because a simple design decision that they may make now could cost a lot of money later on. And we've had clients that chose a specific piece of hardware, a microcontroller, like three years ago, that came to us and it did not support the cybersecurity requirements. So then they had to remove almost all the features of their device. They had to come up with a new story to share with their shareholders because they're a publicly traded company, and it really set them back. So if people come to us early, our consulting service is around five thousand US dollars, and five thousand US dollars can literally save you five hundred thousand dollars later on in rework, delays, competitive advantages that are lost, redesigns. So we just recommend having an initial conversation, if not with us, then with somebody else who is a cybersecurity expert in med tech, because medical device cybersecurity is very different. It's highly regulated. It's about patient safety. It's very different from traditional cybersecurity as well, which is more about data protection.

00:17:12 Shreya: I love the way you explained it. I really love it. And also, in the cybersecurity world, setbacks happen: new vulnerabilities, shifting FDA expectations, product updates, post-market surprises. What does resilience look like for a med tech team so they can sustain security over time?

00:17:36 Christian Espinosa: Yeah, I just spoke about this a couple of weeks ago in Dubai, actually. I think it's a very important topic to discuss. A lot of med tech innovators think once I get my device cleared by the FDA, or MDR in Europe, that's all we need to do. But what the healthcare delivery organizations expect is that the device can be governed, because they're taking responsibility by putting it on their environment. So they want to make sure they can manage this device, they can operationalize it, it doesn't disrupt clinical workflows, and that if there is an incident, they can respond to it at scale. And they want to have that traceability and that trust with the manufacturer. And it's starting to become more of a gate now: before a hospital, as an example, will accept a medical device on their environment, they want to see all these things in place. They want to make sure it can be updated remotely, that if there's an incident it can be governed, and that it can be put on their environment properly. And they also want to see proof that it was designed securely as well. They want to see evidence of that. They're no longer just accepting somebody's word. They want to see the actual proof and they want that traceability.

00:18:56 Speaker 3: Yeah, I think that's right.

00:18:57 Shreya: That is the heart of it. Security is not a finish line. It's care in motion. It's ongoing stewardship. And also, I have a reflection question for someone who is listening and who is thinking, this feels big and I'm scared, we are behind. What do you want them to remember so they take the next step instead of shutting down?

00:19:23 Christian Espinosa: I think we just need to keep perspective. With any advancement in technology, there's going to be challenges. I live in Phoenix, Arizona, in the United States. We have autonomous driving vehicles, Waymos. There are challenges with those. There are use cases that they don't know how to respond to, so a human has to take over periodically. With medical devices, especially as we're migrating towards autonomous medical devices, I think we need to always have the ability to have a human involved to take over the device if necessary. And like anything else, we're going to have a few hiccups as we're expanding medical technology. But the benefits, the ones I've seen, by far outweigh any risk. I see new technologies come to market every single day that are really altering humanity in a positive way. And there might be a couple of hiccups, but compared to the benefit, those are very minor, though obviously they're not minor to the person the incident happens to, and that's what we want to address. But from a humanity impact perspective, these technologies are really driving us forward. Even neurotech, brain-computer interfaces, there are all kinds of things that are really helping people's lives become a lot more fulfilling, and helping a lot of people live a lot healthier and longer.

00:20:46 Shreya: If there is one takeaway from today's conversation, it is that medical device cybersecurity is patient care translated into system decisions and follow-through. If, after this, my listeners want to connect with you and want to know more about your work and about the tech world, where can they find you?

00:21:06 Christian Espinosa: They can find me on my company's website, Blue Goat cyber dot com. I'm also very active on LinkedIn and other social media. LinkedIn is probably the primary spot.

00:21:17 Shreya: Yes, and I will make sure to attach all these details and links below so that the listeners can find them easily and get in touch with you. And for my listeners, thank you for listening to Wellness Reimagined. If today's episode sparked something, maybe a new awareness, maybe a deeper respect for the invisible work that protects patients, then take a moment and sit with that. And if you want more conversations like this, where wellness is not reduced to trends but expanded into truth, then follow the show. It helps you keep learning in a way that's grounded, human, and actually useful. I'm Shreya and I will see you in the next episode. Until then, take care. Take care of what? Take care of you, and do not forget to hit the follow button. Subscribe and feel free to share your thoughts with us. Your ears deserve premium content. Thank you.