Episodes

  • Early Design Decisions that Shape Medical Device Success with Chris Danek, CEO of Bessel
    Mar 26 2026

    Early design decisions define the trajectory of a medical device long before commercialization begins. Choices related to software architecture, third-party components, and system connectivity establish both the opportunity and the risk profile of the product.

    Cybersecurity introduces a layer of complexity that many teams underestimate. It extends beyond protecting data and into safeguarding patient outcomes, ensuring system reliability, and meeting increasingly stringent regulatory expectations.

    Chris Danek, CEO of Bessel, joins Christian and Trevor to examine how a single overlooked dependency or unsupported component can become a critical vulnerability. In many cases, these issues remain hidden until late-stage testing or FDA review, where remediation becomes significantly more expensive and disruptive.

    Effective development requires integrating cybersecurity into requirements, architecture, and validation activities from the outset. Threat modeling, component vetting, and design-level decisions play a defining role in reducing downstream risk.

    The organizations that succeed are those that treat cybersecurity as a core engineering discipline. Building secure, scalable medical devices requires alignment between technical execution, regulatory strategy, and long-term product viability.

    Episode Breakdown:

    • 00:01 Welcome
    • 02:54 Impact definition
    • 05:16 Security integration
    • 07:22 Connectivity requirements
    • 12:30 Architecture
    • 18:45 Requirements
    • 24:20 Development
    • 30:15 Certificates
    • 36:40 Privacy focus
    • 42:50 Risk scoring
    • 48:03 Regulators
    • 50:55 Thoughts

    The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity experts providing essential security solutions for the medical device industry. Learn more by visiting https://bluegoatcyber.com.

    If you're interested in our services or partnering with us, schedule a Discovery Session: https://go.bluegoatcyber.com/meetings/blue-goat-cyber/discovery-session

    Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Operating Officer at Blue Goat Cyber.

    Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/

    Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9

    Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/

    Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/

    Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/

    Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber/?sub_confirmation=1

    51 m
  • Edge Cases, Alarm Fatigue, and Why AI Cannot Replace Clinical Judgment with Brandon Fertig, Senior Manager at Philips Healthcare
    Mar 19 2026

    Alarm fatigue happens when monitoring systems raise so many false flags that clinical staff begin ignoring them, even when real critical events occur. A surgeon during an operation gets alarms indicating patient bleeding, but observes stable blood pressure and no visible bleeding. The surgeon trusts direct patient observation over machine output because edge cases require human judgment that AI cannot reliably provide.

    Brandon Fertig discusses why patient monitoring systems with visual indicators like the gingerbread man figure help nurses prioritize care without replacing their judgment, how edge cases become more important as automation increases, and why AI in healthcare should focus on efficiency rather than autonomous decision-making.

    The conversation covers alarm noise versus signal, why ground truth patient observation matters more than machine alerts, and how human checkpoints handle situations AI cannot predict.

    Practical for understanding AI limitations in clinical settings.

    Episode Breakdown:

    1. 00:01 Welcome
    2. 02:20 IT background
    3. 05:03 Leadership
    4. 08:33 Skills transfer
    5. 12:15 Philips work
    6. 16:40 Training
    7. 22:30 AI tools
    8. 28:45 Checkpoints
    9. 34:20 Monitoring
    10. 38:50 Quality
    11. 40:54 Efficiency
    12. 41:24 Judgment
    13. 42:38 Advice


    43 m
  • Alarm Fatigue, Workflow Integration, and the Intelligent Operating Room (Professor Aamer Ahmed)
    Mar 12 2026

    Devices that do not integrate into the clinical workflow sit unused regardless of technical sophistication. Physicians work in high-pressure environments where equipment must be 100 percent reliable and secure, and must enhance workflow rather than disrupt it.

    Professor Aamer Ahmed, a Consultant in Cardiothoracic Anaesthesia, Professor of Anaesthesia and Critical Care at the University of Leicester, and co-founder of Hemeo, a medical technology company designing AI-based personalized Clinical Decision Support Systems for coagulation disorders, discusses with Christian Espinosa and Trevor Slattery why involving Key Opinion Leaders at the design stage prevents expensive redesigns, what alarm fatigue does to clinical decision-making, and how legal precedent will determine AI liability as therapeutic recommendations become more common.

    He also explains why the best medtech development approach involves spending time in hospitals observing physicians before engineering products, how digital twin models enable personalized clinical predictions, and why common sense is not always common practice in device design.

    The discussion offers practical advice for building devices clinicians actually use.

    Episode Breakdown:

    1. 00:01 Introduction
    2. 00:33 Role explanation
    3. 02:49 KOL involvement
    4. 03:32 Workflow integration
    5. 05:36 Seamless design
    6. 07:13 Problem-first approach
    7. 07:35 Clinical observation
    8. 08:45 Digital twin
    9. 12:20 IT security
    10. 18:30 AI support
    11. 22:15 Accountability
    12. 26:40 Alarm fatigue
    13. 32:10 Liability
    14. 34:07 Advice
    15. 38:13 Simplicity

    38 m
  • How to Move Stakeholders from Awareness to Sustained Adoption Without Friction
    Mar 5 2026

    Marketing medical devices requires understanding that stakeholders are different, buying processes are longer, and friction points are more complex than consumer products or software. Most companies build websites and attend trade shows hoping prospects will decode their message, but prospects do not have time for that.

    Sustained adoption is not the same as initial purchase. It means the device is used continuously with no friction, no concerns, and no barriers that cause users to stop or switch. Getting there requires understanding every stakeholder involved, what questions they have at each stage, and what fears might stop them.

    This episode covers how to structure marketing that moves stakeholders through a clear path, why ideal client profile refinement produces better results than broad targeting, and how one advisor identified exact pain points to cut through noise and convert a prospect.

    Practical advice for anyone responsible for medtech marketing or go-to-market strategy.

    Episode Breakdown:

    1. 00:02 Welcome
    2. 00:21 Intro
    3. 02:15 Origin
    4. 04:36 Challenges
    5. 06:51 Foundation
    6. 07:00 Knowledge gap
    7. 09:30 Adoption
    8. 11:45 Mapping
    9. 15:20 Friction
    10. 18:40 Content
    11. 22:30 Targeting
    12. 26:15 Failures
    13. 30:45 Pain points
    14. 34:20 Clarity
    15. 38:50 Tradeoffs
    16. 40:44 Advice

    41 m
  • Prevention Is Better Than Cure: Applying Medical Principles to Medtech Cybersecurity
    Feb 26 2026

    Medical device risk assessments are failing patients, not because the process is too hard, but because nobody doing the assessment has ever been in the room where the device actually gets used.

    Medtech quality and regulatory leader Stephen Smith describes sitting in a risk session for a device going into an intensive care unit. Twelve people in the room, and not one had ever set foot in an ICU. If you have never been in the environment your device will operate in, risk identification becomes guesswork, mitigations get written for problems that are not the actual problems, and the device goes to market with gaps that stay hidden until something goes wrong.

    This episode covers why the user environment is the most consistently ignored variable in medical device development, and how that same gap shows up in cybersecurity risk assessments.

    Also discussed: how the $5,000 problem that gets rationalized today has a way of becoming the $500,000 crisis that cannot be ignored tomorrow, and what this argument actually looks like in practice.

    Stephen also explains why CE marking proves you passed an audit and why FDA clearance does not mean the FDA approved your device.

    Worth listening to if you are focused on medtech quality, regulatory, or cybersecurity.

    Episode Breakdown:

    1. 00:00 Opening quote
    2. 00:47 Intro and guest background
    3. 04:14 QA vs RA vs QC
    4. 06:00 Cybersecurity in quality systems
    5. 08:30 Risk as the foundation
    6. 11:20 Ignoring clinicians and user environments
    7. 13:00 ICU risk assessment example
    8. 14:19 Startups and product market fit
    9. 15:30 Key Opinion Leaders
    10. 16:47 Companies hiring comfortable consultants
    11. 18:30 $5,000 vs $500,000
    12. 20:00 Why quality and cybersecurity are invisible
    13. 22:00 What regulators actually review
    14. 22:54 Self-signed certificates
    15. 24:30 Cybersecurity speed vs regulation speed
    16. 26:30 CE marking is not a quality guarantee
    17. 27:00 Lost instructions for use
    18. 28:40 Cleared vs approved
    19. 29:45 Prevention is better than cure
    20. 31:00 Final advice
    21. 32:00 Racing analogy

    32 m
  • How AI Code Security Became a Medical Device Problem with Jun Xiang Tan
    Feb 19 2026

    Ten years ago, Singapore's healthcare system got hacked. Patient records were stolen at a national scale. The government responded by building one of the most comprehensive medical device security frameworks in the world.

    The Cybersecurity Labeling Scheme has four tiers. Level one means basic security controls exist. Level four means the device underwent independent code review, has advanced threat detection, and maintains continuous vulnerability management. Hospitals can see exactly what level of security they're getting before they buy.

    Jun Xiang from CareHero explains why this matters, especially now that AI is showing up in medical devices without proper testing. He covers adversarial attacks on medical images, why doctors are uploading patient data to ChatGPT, and what automation bias does to clinical decision making.

    Practical conversation about medical device security in Southeast Asia and what manufacturers need to know about Singapore's approach.

    Episode Breakdown:

    1. 00:01 Welcome
    2. 00:31 Background
    3. 01:09 Military service
    4. 03:09 AI threats
    5. 03:45 23% problem
    6. 04:40 X-rays ChatGPT
    7. 05:43 Attacks
    8. 08:15 Poisoning
    9. 11:30 Hallucinations
    10. 14:20 AI code
    11. 17:45 Vulnerabilities
    12. 20:30 Pair programming
    13. 23:15 Guardrails
    14. 26:40 Automation bias
    15. 28:50 AI scribes
    16. 31:20 Dialects
    17. 34:05 Pre-triage
    18. 36:32 Pricing
    19. 37:25 Pair programmer
    20. 37:40 Human interpretation

    38 m
  • How to Build an SBOM That Passes FDA Review
    Feb 18 2026

    SBOMs are one of the most common sources of FDA deficiencies in medical device submissions. Most companies think they're doing it right, but then they get feedback asking for missing components or clarification on what's included.

    In this webinar, Christian Espinosa and Trevor Slattery explain what the FDA actually expects in an SBOM and why it's not just about listing third-party libraries. You need to include first-party code too. You need to follow the NTIA minimum elements. And you need to provide it in a machine-readable format like SPDX or CycloneDX.

    Trevor walks through the history of SBOMs, from their origins in licensing compliance to their current role in medical device cybersecurity. He explains the shift-left approach the FDA wants to see and why transparency matters for healthcare delivery organizations making purchasing decisions.

    The webinar also addresses a big concern people have. Does publishing an SBOM give attackers a roadmap to your system? Trevor breaks down why that's not actually a problem if you're managing your security properly.

    If you're building a connected medical device or preparing for an FDA submission, this is a clear breakdown of how to get your SBOM right the first time.

    Webinar Breakdown:

    1. 00:00 Welcome and introduction to SBOMs
    2. 00:44 What is an SBOM and why does it matter
    3. 03:10 The history of SBOMs: From licensing to cybersecurity
    4. 07:20 Why the FDA cares about SBOMs
    5. 11:30 The biggest mistake: Leaving out first-party code
    6. 15:45 NTIA minimum elements explained
    7. 19:20 Machine-readable formats: SPDX and CycloneDX
    8. 23:00 Real-world examples: Log4j and Shellshock
    9. 26:15 Do SBOMs give attackers a roadmap? The truth
    10. 29:40 Common myths about SBOMs
    11. 33:50 Key takeaways for FDA submissions
    12. 36:20 Q&A session begins

    42 m
  • From Idea to FDA Clearance: What Nobody Tells Medtech Founders with Darcy Bachert
    Feb 12 2026

    Building medical device software is hard. Building it the right way is harder. And getting it through FDA approval while managing cybersecurity requirements? That's what Darcy Bachert has been doing for 17 years.

    Darcy runs Prolucid Technologies, an ISO 13485-certified software development firm in Toronto. They work with medtech companies across North America, Europe, and Australia.

    And in that time, he's seen the same mistakes repeatedly.

    The biggest one? Founders build products that solve problems nobody has. Or they build something physicians won't adopt because it adds complexity instead of making their lives easier.

    In this conversation, Darcy talks about IEC 62304 and why it matters when choosing a software partner, the Canadian medtech ecosystem and why Toronto is a major hub, and why quality systems and cybersecurity need to be built in from day one, not added at the end.

    This episode is practical if you're building a medical device or working with medtech startups.

    Episode Breakdown:

    1. 00:01 Welcome and intro
    2. 00:30 Darcy's background and Prolucid Technologies overview
    3. 01:15 The origin of the name Prolucid Technologies
    4. 01:58 Why clarity matters more than code
    5. 04:18 Common challenges beyond software development
    6. 06:11 Toronto's medtech ecosystem
    7. 06:57 IEC 62304 and choosing the right development partner
    8. 09:17 ISO 13485 certification and investor confidence
    9. 12:04 Realistic timelines for medical device software
    10. 15:32 Cost expectations and budget planning
    11. 18:45 Building quality systems from the start
    12. 21:20 Integrating cybersecurity throughout development
    13. 24:15 When and how to do penetration testing
    14. 27:30 Cybersecurity mistakes startups make
    15. 30:42 The MTI program and Canadian medtech resources
    16. 33:18 Canadian vs US medtech markets
    17. 36:22 Physician adoption challenges
    18. 40:18 Trevor: Don't invent your problem
    19. 41:36 Darcy: Find partners who've done it before
    20. 43:05 Christian: Balance user adoption with reimbursement


    44 m