Christian Espinosa, founder of Blue Goat Cyber and leading voice in medical device cybersecurity, joins Etienne Nichols to unpack the urgent and often misunderstood topic of cybersecurity in MedTech. From FDA’s 2023 regulatory overhaul to real-world hacking scenarios that could harm patients, Christian provides practical advice for innovators, RA/QA professionals, and software teams. He also shares why waiting until the last minute on cybersecurity could cost startups millions—or even kill a project entirely.

Whether you're a quality professional trying to build compliant systems or an innovator racing toward FDA submission, this episode lays out exactly what you need to know to stay ahead of cyber threats and within regulatory guardrails.

Key Timestamps:

• 00:01 – Intro to guest Christian Espinosa and Blue Goat Cyber
• 06:28 – Why medical device cybersecurity is different from traditional IT security
• 11:49 – Real-world hacking example: acne laser device turned skin-burner
• 13:57 – FDA expectations post-September 2023: what changed
• 17:12 – Secure boot: a microcontroller mistake that derailed a launch
• 20:35 – Common cybersecurity vendor mistake MedTech companies make
• 23:40 – SBOM: Software Bill of Materials and why it's legally critical
• 27:58 – Cyberattacks in hospitals: assuming a hostile network
• 35:44 – AI in medical devices: data bias and cybersecurity challenges
• 41:10 – Developers ≠ cybersecurity experts: the training gap nobody talks about
• 45:20 – What RA/QA professionals need to know now
• 49:30 – Why cybersecurity must be iterative, not a final-phase add-on
• 55:20 – Espinosa's final advice for MedTech professionals
• 57:52 – The story behind “Blue Goat Cyber”

Standout Quotes:

Top Takeaways:

1. Cybersecurity isn’t just about data—it's about patient safety. From burning skin to missed sepsis diagnoses, vulnerabilities in devices have real-world harm potential.
2. FDA now requires more than just a basic security plan. Post-September 2023 rules mandate testing (SAST, DAST, fuzzing), SBOMs, and risk assessments tied to patient harm.
3. Start cybersecurity planning during the requirements phase. Hardware like microcontrollers must support secure boot and other protections—retrofits can cripple product plans.
4. Iterate cybersecurity like any core development activity. One-time testing near submission is too late; build security into your pipeline just like QA or usability.
5. Traditional cybersecurity vendors aren’t enough. Many fail to meet FDA’s nuanced expectations for medical devices, causing costly submission rejections.

References & Resources:

• Christian Espinosa on LinkedIn
• Blue Goat Cyber
• Etienne Nichols on LinkedIn

MedTech 101 – Understanding SBOM (Software Bill of...

In part 2 of a critical two-part series, Etienne Nichols and regulatory affairs expert Mike Drues explore the nuanced pathway of switching a medical device from prescription (Rx) to over-the-counter (OTC).

This episode dives deep into what triggers a new submission, how usability testing and human factors play an expanded role for lay users, and the regulatory logic that guides these transitions. The conversation highlights the importance of aligning regulatory strategy with business goals, and offers practical insights on leveraging real-world evidence, understanding the limits of FDA databases, and optimizing pre-submission meetings.

• 02:10 – Starting from a cleared 510(k): Do you need a new submission for OTC?
• 06:45 – Implications of removing the healthcare provider from the equation
• 12:00 – Risk management: Expanding risk profiles when lay users are involved
• 18:15 – When a 510(k) becomes a De Novo or PMA
• 22:50 – Usability testing and the risk of user error in OTC devices
• 31:20 – Clinical investigations and good clinical practices (GCPs)
• 36:00 – Real-world evidence vs. real-world data—what’s usable?
• 41:30 – Using Pre-Subs effectively and what “quality data” really means
• 47:10 – Labeling, cleaning, and UDI for OTC products
• 53:40 – OTC software and digital health—when is it a regulated device?
• 01:00:00 – Summary: Aligning regulatory logic with common sense and business strategy

“With an OTC device, we are taking the healthcare professional totally, completely, and utterly out of the loop.”

– Mike Drues

This quote encapsulates the core regulatory challenge in moving a device to OTC: every element, from labeling to usability, must assume zero clinical supervision.

“If the clinical trial won’t tell you anything you don’t already know from good real-world evidence, why spend the time and money?”

– Mike Drues

A powerful argument for using well-documented real-world evidence over unnecessary trials—provided the data truly meets evidentiary standards.

1. Label Expansion ≠ Shortcut: Moving from prescription to OTC usually requires a new submission—especially when removing the healthcare provider introduces new risks.
2. Usability Testing Is Critical: OTC usability studies must go beyond IFU comprehension to include risk of misuse, poor device selection, and user decision-making.
3. Real-World Evidence Can Help—If It’s Clean: Real-world data isn’t always usable. FDA will expect reproducibility, traceability, and strong justifications.
4. Labeling & Design Must Assume No Clinical Oversight: Cleaning procedures, warnings, and directions must all be validated for home use and layperson comprehension.
5. Use Pre-Subs Wisely: Especially for label expansions or gray-area digital health tools, pre-subs provide critical alignment with FDA and prevent costly errors.

• Etienne Nichols on LinkedIn
• FDA Guidance on Real-World Evidence for Regulatory Decision-Making
• Greenlight Guru Webinar: What is and Isn't a Regulated Medical Device (feat. Mike Drues)
• FDA Guidance: Clinical Decision Support Software

Analogy: Think of prescription vs. OTC devices like driving a manual vs. automatic car. Prescription devices assume a trained “driver” (the healthcare provider), while OTC devices must be intuitive and safe enough for anyone to “drive”...

In Part 1 of this two-part series, Etienne Nichols sits down with regulatory strategist Dr. Mike Drues to explore the nuanced differences between prescription (Rx) and over-the-counter (OTC) medical devices. They demystify key terms, regulatory classifications, and the growing trend of label expansions from Rx to OTC—highlighting real-world examples like CPAP machines and continuous glucose monitors (CGMs).

This episode unpacks how intended users, environments, and risk tolerances shape device categorization, and why usability testing is far more complex than many realize. Whether you're developing a consumer health product or preparing a label expansion strategy, this is a must-listen for your regulatory roadmap.

• [03:05] – What defines an OTC vs. prescription medical device?
• [06:45] – Market size of OTC devices and major product categories
• 10:00 – Label expansion: moving from Rx to OTC status
• 13:22 – The role of intended use environment in OTC classifications
• 20:40 – Examples of devices in each FDA class that are OTC
• 26:30 – Prescription devices used in home settings vs. true OTC
• 31:15 – Characteristics that qualify devices for OTC status
• 37:55 – Self-diagnosis, self-selection, and patient usability challenges
• 43:00 – “Reasonably foreseeable misuse” and how to interpret guidance
• 49:05 – Do you design for the lowest common denominator?
• 56:10 – Representing diverse user populations in usability testing
• 1:01:45 – Can a device launch OTC first? The case for wellness-to-Rx strategies
• 1:08:15 – FDA’s perspective on device safety: OTC vs. Rx

“The best regulatory professionals don’t just know the rules—they know the exceptions.”

Dr. Mike Drues reminds us that exceptional regulatory strategy lies in understanding nuance, especially in OTC classifications where edge cases can redefine categories.

“Just because a device is used at home doesn’t mean it’s over the counter.”

This insight challenges a common industry assumption, underscoring the importance of carefully defining intended use and environment early in development.

1. OTC ≠ Low Risk by Default – Many Class II and even rare Class III devices can be OTC; it’s more about intended user, use environment, and risk mitigation than class alone.
2. Label Expansion Requires Strategy – Transitioning a device from prescription to OTC isn’t just about removing a doctor’s role—it may involve new usability studies, labeling changes, and potentially a 510(k) or de novo submission.
3. Understand the "Intended Use Environment" – FDA doesn’t just care about where the device is used, but how those environmental parameters (like light, humidity, and user training) affect safe operation.
4. Usability Testing Must Reflect Real Users – For OTC devices, human factors validation must account for diverse educational backgrounds, not just ideal users.
5. Don't Rely on Labels Alone – Whether or not users read (or understand) instructions must be tested, not assumed. Intuitive design is critical for OTC success.

• Etienne Nichols on LinkedIn
• Greenlight Guru Medical Device Classification Webinar with Mike Drues (for explanation on device classes)
• FDA Guidance: “Factors to Consider When Making Benefit-Risk Determinations in Medical Device...