Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:07):
From WBZ News Radio in Boston. This is New England Weekend.
Each and every week right here, we come together and
talk about all the topics important to you and the
place where you live. Great to be back with you
again this weekend. I'm Nicole Davis. As American healthcare advances
more and more, you can imagine the devices we use
have to get smarter to keep up. That means they
(00:28):
have to be connected in ways we've never seen. It
also means, unfortunately, they're a prime target for hackers. Last week,
the Device Talks Boston conference brought people from all over
the world right here to the Hub, and while they
were here, they talked about how to make sure medical
devices like pacemakers and insulin pumps can be protected from
threats from hackers. Trevor Slattery is one of the people
(00:48):
who came to town. He is from Blue Goat Cyber
in Scottsdale, Arizona. He is here now to talk with
us about all we need to know. So Trevor, it
is great to have you on the show. I honestly
must admit here that medical devices are not the first
things I think of when it comes not just to hackers,
but also to cybersecurity in general.
Speaker 2 (01:07):
Of course.
Speaker 3 (01:07):
So the first thing I'll say is you're definitely not
alone in not having cybersecurity jump to the front
of your mind when you're thinking about medical devices. People
usually think, you know, finance or like sensitive data, government information,
things like that, but cybersecurity is extremely important with medical devices.
The medical sector undergoes around eighty nine percent of medical
(01:31):
centers and medical care facilities receive at least one cybersecurity
attack per week. Wow. So it is under massive pressure
from hackers trying to get sensitive information, trying to potentially
harm patients, and in the lens of a medical device,
if that device is insecure, that can be just the
you know, the chip in the armor that the hacker's
(01:51):
looking for to try to get through into that network
and potentially you know, steal patient records or freeze up
a hospital. You know, there have been instances where United
Healthcare systems have been breached by a ransomware event and
it essentially shut down healthcare in a lot of different
hospitals because they weren't able to bill anything to insurance,
so they weren't able to authorize procedures.
Speaker 1 (02:10):
Where are these threats coming from? I guess that's the
question because you think about hackers and here and there,
but do we know exactly you know, are these hacking
gangs like you hear about in Russia and China? Is
this in house so to speak, here in the United States?
Where are these threats coming from?
Speaker 2 (02:24):
They can really be from all over the place.
Speaker 3 (02:26):
So on the threat intelligence side of things, obviously, you know,
the main suspects are very common when we're looking at
hacking attempts, a lot of things coming out of China, Vietnam, Russia,
places like that, but plenty coming in from Europe, coming
in from Mexico, coming in from America and Canada.
Speaker 2 (02:42):
So there it's really not tied to a single region.
Speaker 3 (02:45):
Definitely a little bit more on you know, the usual
suspects a bit more so than the America. You're going
to see more hackers from China than from Spain. It's
just kind of the way it is, totally. But you
really are coming in from all over the place. So
it's a bit of a global problem.
Speaker 1 (03:00):
Where do you think the medical device community are dropping
the ball when it comes to securing these devices? And
how do you change that?
Speaker 3 (03:08):
So I think there are two big problems that we're
seeing just as the greater medical community. And the first
one is lack of awareness. A lot of manufacturers and
innovators aren't aware that this is such a big problem.
From their own personal perspective as the manufacturer, selfishly, you
want to protect your investment, you want to get through
regulatory approval process. You don't want to get held up
(03:29):
by the FDA for a year because of cybersecurity problems.
So it's something you want to cover from the get go.
And then of course in the global community of cybersecurity
of healthcare, having secure devices is crucial for all the
reasons that we've gone into.
Speaker 2 (03:44):
But I think the biggest issue is just awareness.
Speaker 3 (03:46):
A lot of times when I'm talking to like a
medtech innovator and saying, how have you thought about your cybersecurity?
The first answer right here is I haven't. When am
I supposed to think about that?
Speaker 2 (03:55):
Right?
Speaker 3 (03:55):
And the answer is, well, the best time was yesterday,
The second best time is today.
Speaker 1 (04:00):
These companies do to put better systems in place, like
right away, should they hire a company like yours, Should
they do some research, should they go out and all
get some A+ certifications or whatever?
Speaker 3 (04:11):
Like?
Speaker 1 (04:11):
How should they go about doing all this?
Speaker 3 (04:13):
Well, unfortunately, cybersecurity for medical devices is not a narrow topic.
It's a mile wide and a mile deep, so it's
always going to start in house. The innovators need to
be aware of what regulations they need to meet and
how they need to meet them. So if they aren't
aware of cybersecurity as a problem, of course they're not
going to do anything to try to amplify their cybersecurity
posture. Once they're aware, the FDA's stance on this is
(04:34):
security by design is the way you should build a
medical device instead of bolting security on after the fact.
So medical device manufacturers need to make every decision with
security in mind. And then the company like us helps
with the regulatory and testing process. So you know, there's
only so much that you can do in house. You
have to outsource your testing to a secure, approved third
(04:56):
party testing laboratory such as ourselves. And we also have
that added of handling all of the regulatory side of things,
with that pesky regulatory documentation that everyone hates having to write.
Speaker 1 (05:06):
Tell me a little bit about Greg Garcia, and I
know that he has gone to Congress. He's been a
big proponent of more protections in the cybersecurity space. Give
me a little bit of information on him and what
he's done.
Speaker 3 (05:17):
Yeah, so he's bringing up he's doing exactly what I
think is really needed in the industry right now, which
is trying to bring awareness forward and trying to get manufacturers,
innovators to know this is a big problem, and bringing
it up in front of Congress. This is a big
problem and it can definitely get a lot worse. So
his stance is that we're way far behind on cybersecurity,
something I completely agree with, and one key issue that
(05:40):
I think he's trying to emphasize right now. There are
regulations in place, so if an innovator is creating a
new product, you have to follow new guidelines. But there
are hundreds of thousands, if not millions of devices out
there which were released under old guidelines with cybersecurity not
really covered very well. And so what do we do
about all of those devices? How do we round them up?
(06:02):
How do we try to retrofit security onto the new product,
even though the FDA states that it's really hard to
do that and you should build it right the first time.
So it's a very difficult problem, which I think the
community as a whole is trying to scramble to solve,
but just bringing it up as an important area of
conversation and spreading awareness, I think is a great first step.
Speaker 1 (06:21):
There's a lot of struggle right now in the healthcare
community with funding and a lot of hospitals are struggling
just to get everything up to date, and they're still
struggling to keep people on the payroll. How are you
supposed to as a medical group I suppose, or just
a hospital or a doctor's office. If you look at
all your medical devices and you realize, my goodness, I
probably should update all these. That can be kind of costly,
(06:43):
can't it.
Speaker 2 (06:44):
It can, But.
Speaker 3 (06:45):
I'll tell you what can be more costly, and that's
getting hacked. The liability that you're exposed to, as well
as the damage and loss you'll experience if you are the
victim of a hack is going to be massive compared
to the upkeep that you have to take now. A
lot of you're right, a lot of hospitals, a lot
of manufacturers are say well years behind on this. It's
going to be a massive effort to get caught up
(07:06):
to speed. And that's a fair point. It will take
a fair amount of work to make sure that everything
gets to a good baseline. But staying at that baseline
is not as hard as I think people think it is.
It doesn't take quite as much effort. Once you get
to a secure standard, then you're able to maintain that
secure standard. It's just getting there, which is important. That's
why we typically try to say, start with cybersecurity, so
(07:26):
you're building that secure standard and so then it's just
regular upkeep instead of having to build everything from the
ground up.
Speaker 1 (07:32):
Do you find that collectively the industry is finally kind
of getting on board because you know, as you're saying,
you've been screaming this from the rooftops, right and so
now finally do you see that people are getting it
at this point?
Speaker 2 (07:43):
Slowly, very slowly. It's something that we're starting to see.
Speaker 3 (07:46):
If I look at, you know, a pitch deck for
a startup once in a while, I'll see cybersecurity in
the roadmap now. And so we're seeing that these medtech
innovators are starting to think about it. I think it's
a little bit more at the front of mind on
like the hospital acquisition side. Hospitals have been the victims
of cybersecurity attacks for a very long time. They're starting
to figure it out, and so when they're buying a device,
(08:08):
they're very conscious of what they're buying. There are all
sorts of regulations and laws mandating all sorts of security
requirements in hospitals.
Speaker 2 (08:15):
I think in the.
Speaker 3 (08:15):
Medical device side of things, it's a little bit more new,
and so it'll take some time to get caught up,
but I think that we're slowly getting there.
Speaker 1 (08:23):
Tell me a bit about this conference and what Blue Goat
Cyber is doing here.
Speaker 3 (08:27):
Yeah, so this conference Device Talks is a fantastic event. It's
a lot of manufacturers, like contract manufacturers, as well as
medtech innovators, venture capitalists, really anyone in this medical device
space coming out to Boston to share ideas, try to
make connections, try to meet, you know, other companies that
can help them out. What we're doing is, you know,
(08:47):
trying exactly the same as everyone else. We're trying to
form these connections and these partnerships. We're trying to identify
any manufacturers that may be in need of our services
and see if we can help expedite their process getting
through the FDA. Cybersecurity should be done early and often.
It's not something that we can leave to the last minute,
and if you do it early and often, it's not
going to be as hard and it's not going to
be as expensive as everyone thinks it is.
Speaker 1 (09:08):
You're here all right, Well, I appreciate your time. Thank
you so much for coming on and talking with me
about this.
Speaker 2 (09:13):
Yeah, thank you so much.
Speaker 1 (09:14):
Nachall have a safe and healthy weekend. Please join me
again next week for another edition of the show. I'm
Nicole Davis from WBZ News Radio on iHeartRadio.