Securing Connected Medical Devices in Healthcare – Interview with Katie Young & Trevor Slattery
In this interview, Katie Young, Content Manager at Surgical Robotics Technology, speaks with Trevor Slattery, COO at Blue Goat Cyber, to discuss cybersecurity challenges in connected medical devices, practical steps hospitals can take to protect their systems, and how Blue Goat Cyber helps healthcare organizations manage risks effectively. Trevor also explains shared responsibilities between hospitals and device manufacturers and what’s next for Blue Goat Cyber in 2026.
The interview covers:
0:32 Could you please tell us a bit about yourself and your role at Blue Goat Cyber?
1:53 From your experience, how do connected medical devices and third-party integrations create cybersecurity risks for hospitals?
3:51 What practical actions can hospitals take to protect their connected medical devices?
7:19 How can Blue Goat Cyber help hospitals implement these protections effectively?
9:53 How can hospitals and device manufacturers share responsibility for patching, credentials, remote access, and vulnerability management?
12:32 What are some immediate actions hospitals or device makers can take to reduce cyber risks without major infrastructure changes, and how can Blue Goat support these efforts?
14:07 Looking ahead, what’s next for Blue Goat Cyber in 2026?
To learn more about Blue Goat Cyber, click here.
Video transcript:
00:00:11:10 – 00:00:16:02
Hello and welcome to Robotic Surgery Insights. I’m excited to be joined today by Trevor Slattery, chief operating officer at Blue Goat Cyber. Today, we’re going to be talking about tackling connectivity issues in hospitals and how manufacturers and healthcare providers can work together to manage the risks. Thank you for joining me today, Trevor.
00:00:29:10 – 00:00:31:23
Yeah. Thank you so much. Really looking forward to it.
00:00:32:01 – 00:00:37:12
So could you please begin by telling us a bit about yourself and your role at Blue Goat Cyber?
00:00:37:14 – 00:01:00:23
Definitely. So I’ve been with Blue Goat Cyber for about four years now. I handle a lot of the back end and the operations and the day to day, making sure that everything is running smoothly between sales and delivery. So a lot of the high level overview there. A little bit of background on myself. Before joining Blue Goat Cyber, I was studying cyber security at school in Arizona.
00:01:01:00 – 00:01:18:07
That’s where I met our current CEO, was in Arizona, down in Wickenburg while he was out rock climbing. So it was kind of a fun story how I ran into him out there. Other than that, very passionate about free diving. Still love rock climbing and the outdoors in general. Since moving to California, I’ve recently gotten into crab fishing as well.
00:01:18:07 – 00:01:44:08
So that’s my latest hobby. A little bit with Blue Goat Cyber, we are focused on de-risking submissions and making sure that Medtech innovators can get their product to market safely, securely, and quickly. So we want to try to remove some of the problems that the FDA might come back with. Currently, cyber security is the number one reason for medical devices to be rejected, and it is a major problem that can come up both within the device space and within public health as a whole.
00:01:44:08 – 00:01:51:19
So we’re trying to take away a little bit of that problem and help ease the burden and make sure that we’re getting products to market as quickly as possible.
00:01:51:21 – 00:02:02:03
Great story. And from your experience, how do connected medical devices and third party integrations create cybersecurity risks for hospitals?
00:02:02:04 – 00:02:22:11
There are a couple of main things to consider here, and one that I always like to talk about is actually the source for some of the modern cybersecurity regulations, which is the WannaCry ransomware attack. This was a big ransomware attack back in 2017. It took out a lot of critical infrastructure, a lot of major systems, including healthcare infrastructure.
00:02:22:13 – 00:02:44:23
This spurred the FDA to start working towards the modern cybersecurity guidelines that we have now. And with a lot of global regulators falling in after that. What we tend to see as the big problems within medical devices is that they can act as an entry point for vulnerabilities, or they can be accidentally affected by certain threats that are present in a network.
00:02:45:01 – 00:03:14:10
We’ll go back to that ransomware example. Ransomware is going to target the weakest link in a network. It’s going to look for a very insecure product, and you don’t want that to be your medical device. Inversely, if there’s another problem within the network, if it’s another device, another computer, you don’t want your device to be affected downstream. It’s definitely a balanced hit since connected devices provide so much usability, so much functionality, a lot of remote management capabilities that wouldn’t otherwise be there.
00:03:14:12 – 00:03:38:22
But we need to understand that there’s a balance of risk there. It’s also very important to understand once we have these devices in a network, what else is in that network and how can they be affected? We want to make sure that we don’t have devices that are on the same network as, say, human resource computers, where there’s likely not going to be any need for any collaboration back and forth.
00:03:39:04 – 00:03:50:17
But unfortunately, it’s something that we see all the time, where there’s a problem that can be introduced from even a phishing attack against someone in the human resources team, and then it spreads all the way down to a critical surgical robotic.
00:03:50:19 – 00:03:56:22
Right. And what practical actions can hospitals take to protect their connected medical devices?
00:03:57:00 – 00:04:18:00
Well, there are a couple of things that we really want to see done here. And it is a shared burden. So ultimately, I’ll say peeling it back, even a step from the hospital, we have the regulators, the device manufacturers, and then of course, the hospitals as all sharing this responsibility. Regulators need to push the guidelines forward for what cybersecurity should be in these medical devices.
00:04:18:05 – 00:04:39:18
Device manufacturers need to adhere to the regulations and provide a reasonable amount of effort that these are safe products. And then the hospitals have a lot of control over how they’re using these products, since they’re the actual final customers and the end of the most cases. One thing that is very important is to understand what products you’re bringing in, have you conducted your due diligence to know this is a safe device?
00:04:40:00 – 00:05:10:17
You aren’t introducing any risk into your system by bringing this, and you know that it has proper cybersecurity testing. You see how it interoperates with other devices. And of course, every device is going to be unique. But understanding what the risk profile is for that device and then being fully informed of any risks that you’re taking on. The next thing that is really helpful for healthcare delivery organizations or hospitals to do is to effectively have a plan to inventory, triage, act, and then repeat this process as needed.
00:05:10:19 – 00:05:36:14
So when we’re talking about inventory, believe it or not, a lot of hospitals and a lot of other enterprise networks or companies don’t even know what’s on their network. They don’t know how many devices they have, they don’t know how many computers. They don’t know who’s bringing their own laptops, their own phones, different things like this. This is our starting point, and this is what we want to do, is identify all of the different components that we have in this network, all of the different devices, tools, computers, whatever it might be.
00:05:36:16 – 00:05:55:19
Once we have a good understanding of what we have here, then it’s a good time to understand how we can triage it, how we can properly segment things. I know I was alluding a little bit earlier to a surgical robot shouldn’t be on the same network as, say, a human resource laptop. We want to try to break things apart by their appropriate use case.
00:05:55:20 – 00:06:13:15
What makes the most sense to talk to each other, and make sure that we can’t leave these separate networks. So as we’re breaking things out in a risk based approach to make sure that we have these little, I guess, risk based networks within the environment, that’s going to allow us to have a good understanding of what we can do about it.
00:06:13:17 – 00:06:35:09
It may be the case that certain levels of risk can be fixed with network controls. So we can try to make some changes to the configurations within other computers or within the environment as a whole, to try to ease the burden of risk from a single device that may have a potential problem. There might be some changes that we can make to the device itself that we identify throughout this process, whatever it might be.
00:06:35:15 – 00:06:52:19
We’re going to have a couple of steps forward, and we very clearly know where to apply them based on the highest risk moving down from there. Once we have a framework like this in place, it’s pretty easy to keep it applied and make sure that we’re going through the same process repeatedly. When we’re going back to the inventory.
00:06:52:20 – 00:07:15:21
There are a lot of great automated tools that can help us track different assets. We can know it as a process when we’re bringing in new devices. Now to add it to this master inventory and then make sure that we’re doing this triage at certain set intervals to make sure that nothing is slipping through the cracks. We really want to see this implemented as an initial framework, and then carried through throughout the life of the products and throughout the life of the health care delivery organization.
00:07:15:23 – 00:07:24:03
Excellent. Some really great insights there. So how can Blue Goat Cyber help hospitals implement these protections effectively?
00:07:24:05 – 00:07:46:02
There are a couple of different ways that Blue Goat Cyber can help with health care delivery organizations or hospitals to implement some of these controls. Starting with the inventory process. This is a great exercise not only to identify what devices may be in your network, but as well identify what maybe shouldn’t be in your network, or if there’s something missing that you might want to see in your network.
00:07:46:04 – 00:08:09:11
That’s a process that we can assist through implementing one time active scanning methods to really try to pin down exactly what’s out there in the network, what we can identify, what’s going to respond, as well as implementing frameworks for passive methods. These are going to be a little bit less intensive, a bit more of a reliable, ongoing solution, and won’t have as much, I guess, impact within the network as time goes on.
00:08:09:13 – 00:08:40:06
Moving into the triage and the action, this is where we really shine with our expertise. For the triage process, we have experience with a wide range of different products and different devices, and this experience allows us to accurately map risk to unique products. No two devices are going to have the same risk profile, and so our understanding will allow us to carefully create a plan, understand what these big ticket items are that require the most attention, understand what might be a little bit less of a priority, and understand what might be okay in its current state.
00:08:40:08 – 00:09:07:07
Once we have identified any of these problem points and created a plan, now it’s time for us to act on that plan. We can go through any of these network controls. I know I alluded a little bit to it earlier, but it may be the case that we can implement some monitoring tools within the network itself, identify attackers before they’re able to strike against these devices, or we might be able to restrict access to certain areas in a way that’s going to make it very difficult for an attacker to move into these private networks.
00:09:07:09 – 00:09:29:20
We can also do this at the device level. We work with a lot of manufacturers to make sure that their products are secure, safe and compliant. Even if you already have a device that you’ve taken in 5 or 10 years ago considered a legacy device. We can work with you as a healthcare delivery organization to implement some additional controls, or maybe even some monitoring around the device to make sure that we have a safe and effective solution.
00:09:29:22 – 00:09:53:15
It can be a little bit of a different process taking in older products, as opposed to ones with the modern cybersecurity guidance. And I know it is a constant struggle that both device manufacturers, regulators and health care delivery organizations are trying to navigate. But we can try to streamline that process and make sure that we’re bringing even some of the older legacy devices up to modern levels of compliance and security within your network.
00:09:53:17 – 00:10:02:07
And how can hospitals and device manufacturers share responsibility for patching, credentials, remote access, and vulnerability management?
00:10:02:09 – 00:10:25:06
This is definitely an area where there is a shared burden of responsibility between the device manufacturers and the hospitals. Device manufacturers are going to be responsible for configuring these devices and designing these devices with security in mind. We always try to speak to security as being the first step that you should implement when you’re designing these products. It’s not something you can wait until the very end here.
00:10:25:08 – 00:10:51:00
If we have things such as remote patching, remote access, this is great. This is expanding the functionality, making a very useful product. The regulators actually encourage us to have remote patch management to be able to address vulnerabilities once they’re out in the field, but there is a level of risk that can be introduced through having these functionalities, or abuse cases where someone takes an intended use case and uses it for malicious purposes.
00:10:51:02 – 00:11:16:03
Another important thing to consider is that device manufacturers are building these products to be controlled or governed by the hospitals to some extent, once they have been turned over. It’s very important to understand what information is leaving this product, what information is entering this product, what data format? How is it stored? How is it encrypted? All of this is going to be very important to hospital ITs to integrate it into an existing workflow.
00:11:16:04 – 00:11:45:06
One thing that can be very disruptive for health care delivery organizations is a product that they’re taking in that breaks the doctors or the nurses or whoever’s using the product out of their typical workflow. We want to try to make that as seamless as possible by giving the hospitals enough information to properly govern these products. Moving into what the hospitals can do to address security on their side, they effectively have to verify that device manufacturers are doing what they say they’re doing here.
00:11:45:08 – 00:12:12:03
We want to be sure that we have sufficient documentation around interoperability, sufficient labelling controls to know exactly how to govern these products, where they can be used effectively, how they can be used effectively, and most importantly, how they can be used securely. It’s also very important for these health care delivery organizations to request any security testing or security documentation that is going to help them make an informed decision about the risk of using that product.
00:12:12:05 – 00:12:32:07
There’s always going to be some level of risk in a device or in a network. The goal is to try to minimize that as much as possible, and the device manufacturers are going to be responsible for the actual controls. While the health care delivery organizations are often going to be responsible for verifying these controls are in place and verifying that they won’t introduce risk at the network level.
00:12:32:09 – 00:12:43:01
What are some of the immediate actions hospitals and device makers can take to reduce cyber risk without major infrastructure changes? And how can Blue Goat support these efforts?
00:12:43:02 – 00:13:02:12
One of the easiest things that you can do as an initial exercise is to go through some threat modelling. This is going to be a hypothetical exercise to say what could go wrong in our network. And oftentimes we’ll see even mature networks that have been around for a while haven’t had this done for five plus years, or maybe haven’t had it done at all.
00:13:02:14 – 00:13:24:14
The same is going to apply to device manufacturers. And I was mentioning a little bit as well about we need to have security covered early in these systems. If you haven’t addressed security up to this point, that’s okay. But now is the time to start. So addressing things proactively through some of these hypothetical exercises to understand what could go wrong in your system. As the next step.
00:13:24:20 – 00:13:45:20
You want to verify what actually is wrong within that system. So without proper testing, without proper verification of these problems, you won’t know what your biggest priority points are. It’s very hard to provide a prescriptive one size fits all solution, since every network, every product is going to be unique. But ultimately, a great first step is to start by testing against that network.
00:13:45:21 – 00:14:06:03
This can be through automated vulnerability scans, through a penetration test against your product, but something to identify what risks are present in your systems, and that will give you a good understanding of how to triage the vulnerabilities that are identified. What are going to be your most important items? What might be a little bit less important, and what you might not need to fix at all?
00:14:06:05 – 00:14:14:16
Excellent. And my final question for today, looking ahead, what is next for Blue Goat Cyber in 2026?
00:14:14:18 – 00:14:32:01
We’re in a really exciting phase right now at Blue Goat Cyber, and we’re making a lot of moves to try to expand our presence into some international markets. We have a very strong presence here in the United States, but we want to make sure that our mission to protect medical devices and ultimately protect the patients is expanding globally as well.
00:14:32:03 – 00:14:45:17
We are currently expanding our efforts in Europe through the UK and then through Southeast Asia through Singapore, with teams that we’re developing in both of those locations. So I would say the biggest change that we’re expecting to see is a little bit more of a wide footprint.
00:14:45:19 – 00:14:50:04
Excellent. Thank you very much for your time today, Trevor. It’s been great speaking with you.
00:14:50:05 – 00:14:51:22
Thank you so much. It was a great time.