Top 10 Medical Device Vulnerabilities with Myles Kellerman

How safe are the medical devices I rely on, and what are the biggest cybersecurity risks I should know about?

In this episode, the team goes behind the scenes of real-world medical device penetration testing to reveal the 10 most common and dangerous cybersecurity vulnerabilities found in medical devices. The discussion covers practical examples, industry standards, and actionable advice for manufacturers and healthcare organizations.

Key points:

(0:00) Introduction & Penetration Testing Context

(1:29) Why Penetration Testing Matters in MedTech

(5:50) Top 10 Medical Device Vulnerabilities:

1. Hardcoded/Default Credentials – Default passwords, BIOS passwords, and supply chain issues.

2. Unsecured Communication Channels – Lack of encryption, outdated standards, key management, and device constraints.

3. Outdated/Vulnerable Third-Party Components – Software Bill of Materials (SBOM), continuous monitoring, and post-market risks.

4. Improper Access Control – Weak authentication, privilege escalation, and user data exposure.

5. Debug Interfaces Left Enabled – JTAG/UART ports, physical access, and mitigation strategies.

6. Missing/Weak Firmware Integrity Checks – Secure boot, code signing, and white-box testing.

7. Poor Session Management – Session timeouts and session hijacking.

8. Fuzzing Vulnerabilities (Buffer Overflows) – Fuzz testing, buffer overflows, and legacy devices.

9. Lack of Tamper Detection – Audit trails, tamper-evident stickers, and physical controls.

10. No Rate Limiting/Automation Controls – Brute-force attacks, automation, and rate limiting.

(37:26) Secure Product Development Frameworks, and DevSecOps.

(38:04) Regulatory Perspective.

The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com

If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session

Thanks to Myles Kellerman for being on the show. Connect with Myles on LinkedIn: https://www.linkedin.com/in/myles-kellerman-5763aa22

Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber.

Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/

Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9

Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/

Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/

Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/

Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber

Feedback? Questions? Contact: https://bluegoatcyber.com/contact/

Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/

Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial

The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast.

Subscribe via Spotify: https://open.spotify.com/show/5ol62ROdF6mBfwOFqKFHmh

Subscribe via Apple Podcasts: https://apple.co/483OJ9I

Subscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts