See All Nexus 2025 Sessions
Claroty Nexus Logo
Topics:
See all in Cyber Resilience See all in Articles
See all in Videos
See all in Podcasts
On this episode of the Nexus Podcast, Health-ISAC VP of Medical Device Cybersecurity Phil Englert discusses the cybersecurity risks introduced by legacy technology in healthcare and how it impacts patient care and safety. He also brought context and insight into the U.S. Food and Drug Administration's (FDA) updated guidance on cybersecurity requirements for medical devices aimed at manufacturers and premarket product submissions.
Healthcare
Cyber Resilience
Vulnerability Management
Risk Management
Technical Debt

Nexus Podcast: Health-ISAC's Phil Englert on Medical Device Cybersecurity

Michael Mimoso
/
Apr 8, 2026

Cybersecurity and patient care are often part of the same discussion. And with good reason as healthcare devices critical to diagnoses and treatments cannot afford disruption or manipulation of information because of a cyberattack.

Phil Englert, VP, Medical Device Security, Health-ISAC, often finds himself and the information and analysis center as a conduit for discussions between medical device manufacturers and healthcare providers to ensure that risks to patient care are minimized on the cybersecurity front.

On this episode of the Nexus Podcast, Englert discusses the cybersecurity risks introduced by legacy technology in healthcare and how it impacts patient care and safety. He also brought context and insight into the U.S. Food and Drug Administration's (FDA) updated guidance on cybersecurity requirements for medical devices aimed at manufacturers and premarket product submissions. The guidance proposes stricter secure development processes, software component tracking, and more.

FDA's Secure Software Development Guidance

Englert said that the disparity between component (operating systems, software and firmware libraries) lifecycles meant to last a half-decade, and medical devices expected to be in service for up to two decades presents governance and remediation challenges. Thrown into question often are code safety, authentication, and whether devices can be updated to address vulnerabilities, Englert said.

"That's one of the key areas that I work with both healthcare providers and medical device manufacturers to work through and negotiate [those areas] to understand what the risks are, what the impacts are, were those risks to be actuated on the devices?" he said. "How they could be managed, whether that's through patching and updating, improved monitoring, isolation, or having a response plan different than a response plan that you might have for traditional IT, where it's restored from backup and reconfigure. Medical devices have to be brought back up much quicker so that we can continue on with the patient care mission that we have."

The FDA's updated guidance carries on its stated goal of equating cybersecurity with device quality and patient care. It proposes stricter secure development processes be instituted, including software component tracking, managing vulnerabilities, and maintaining secure development practices.

"One of the brilliant things that I thought the FDA did was when it said cybersecurity is a quality issue. If your device could be made to do something that it's not intended to do, we've got a problem," Englert said. "I love that approach because it gives them a very broad base with which to operate from."

Healthcare's Legacy Technology 'A Challenge'

Legacy technology remains a significant risk within healthcare. Any security-related updates to medical devices and other critical patient care systems must obtain FDA approval before implementation. While the number of attacks directly affecting medical devices is limited, healthcare delivery organizations nonetheless face significant windows of exposure to newly discovered vulnerabilities.

"Legacy is a challenge. Again, the disparity in component lifecycles versus product life cycles means that almost every device will become legacy at some point," Englert said. "The real key to managing the risks around that is to understand what the threats are and then what the impacts are, so that we're spending our resources to reduce the negative impacts that these devices can have on patient care, patient safety, and data protection."

Healthcare
Cyber Resilience
Vulnerability Management
Risk Management
Technical Debt
Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.

Stay in the know Get the Nexus Connect Newsletter
Subscribe
Listen on Apple Podcasts. Listen on Spotify Podcasts.
Share
LinkedIn Twitter Facebook Email
Featured Articles
Considerations for Medical Device Vulnerability Remediation Technical Debt in OT Environments: How It's Different and Why it Matters The Purdue Model's Risky Blindspot
Featured Videos
Browse by Topics
Cyber Resilience Cybersecurity Insurance Federal Food & Beverage Healthcare Industrial Internet of Things Nexus Conference Operational Resilience Operational Technology Ransomware Risk Management Technical Debt Vulnerability Management Zero Trust
You might also like… Read more
On this episode of the Nexus Podcast, Rafael Arakelian, the OT/IoT Cybersecurity Manager for Accenture, joins to discuss the inner workings of Operation Grim Beepeer, a 2024 Israeli operation that used booby-trapped pagers and walkie talkies to injure or kill Hezbollah members. Raphael studied the technical, cybersecurity, and supply-chain risks involved in this operation, and shares how those lessons can be applied to operational technology.
Industrial
Cyber Resilience
Operational Technology
Operational Resilience
Risk Management

Nexus Podcast: Raphael Arakelian on Operation Grim Beeper

Michael Mimoso
Adm. Michael S. Rogers, USN (Ret.) joins the Nexus podcast to discuss the Biden administration's National Cybersecurity Strategy, and its themes of cyber resilience and critical infrastructure protection.
Risk Management
Cyber Resilience

Nexus Podcast: Adm. Michael Rogers on the Job of NSA Director

Michael Mimoso
On this episode of the Nexus Podcast, Michael Pyle, Director of Product Cybersecurity at Schneider Electric (SE), joins the Nexus Podcast to discuss Internet Exposure Prevention, a new SE approach to preventing illicit connections to internet facing OT and industrial control systems (ICS) that are insecurely connected to the internet.
Operational Technology
Operational Resilience
Risk Management
Cyber Resilience
Industrial
Vulnerability Management

Nexus Podcast: Michael Pyle on Securing Internet-Facing OT, ICS Assets

Michael Mimoso
gus.jpg
Industrial
Cyber Resilience
Vulnerability Management
Operational Technology
Operational Resilience

Nexus Podcast: Gus Serino on the Efforts of a Massachusetts Water Cybersecurity Collaborative

Michael Mimoso
ricci-s4pod.jpeg
Vulnerability Management
Operational Technology
Operational Resilience
Cyber Resilience
Industrial

Nexus Podcast: Dan Ricci on Four Years of the ICS Advisory Project

Michael Mimoso
On this episode of the Claroty Nexus Podcast, Dan Gunter, CEO and founder of Insane Cyber, lays out the challenges—and sometimes steep costs—of generating data that’s truly representative of the production environment rather than exclusively relying on a lab environment or emulation.
Operational Technology
Operational Resilience
Cyber Resilience
Risk Management

Nexus Podcast: Dan Gunter on Generating OT Data to Train Security Products

Michael Mimoso
OT cybersecurity expert Mike Holcomb joins the Nexus Podcast live from S4 Conference in Miami to discuss how state actors may be leveraging hacktivists to target operational technology (OT). Holcomb has delineated these groups in what he calls a Converged Actor Framework that categorizes threat actors by the impact and frequency of their incidents. A converged actor is potentially the riskiest given the potential for high frequency high impact incidents.
Operational Technology
Risk Management
Cyber Resilience

Nexus Podcast: Mike Holcomb on the Intersection of Hacktivists and State Actors

Michael Mimoso
In this episode of the Nexus Podcast, CISA ICS Cybersecurity Lead Matthew Rogers discusses new guidance from the agency on the use of security operational technology (OT) protocols, titled “Barriers to Secure OT Communication: Why Johnny Can’t Authenticate.” The paper advocates for the use of secure versions of legacy OT protocols, or the adoption of open standards by OEMs, in order to bring authentication and integrity to OT protocol communication.
Cyber Resilience
Industrial
Operational Resilience
Operational Technology
Risk Management
Vulnerability Management

Nexus Podcast: CISA’s Matthew Rogers on Secure OT Protocol Communication

Michael Mimoso
Jay C. Catherine, a security architect for a major retailer, joins the Nexus Podcast to discuss best practices for logistics cybersecurity within the retail space. This includes securing not only distribution, but also the operational technology involved in these manufacturing processes.
Industrial
Internet of Things
Cyber Resilience
Operational Resilience
Operational Technology

Nexus Podcast: Jay Catherine on Securing Logistics, OT in Retail

Michael Mimoso
On this episode of the Nexus Podcast, Greg Garcia, Executive Director of The Health Sector Coordinating Council Cybersecurity Working Group, discusses the Sector Mapping and Risk Toolkit (SMART). SMART contains a set of 17 templates that enable healthcare organizations to map and visualize workflows, identify areas of risk, and where mitigations are most desperately needed.
Healthcare
Risk Management
Operational Resilience
Cyber Resilience

Nexus Podcast: Greg Garcia on the Sector Mapping and Risk Toolkit for Healthcare

Michael Mimoso
nexus_frenz.jpg
Healthcare
Vulnerability Management
Risk Management
Internet of Things
Cyber Resilience

Nexus Podcast: Christopher Frenz on Evidence-Based Security

Michael Mimoso
Adm. Michael S. Rogers, USN (Ret.) joins the Nexus podcast to discuss the Biden administration's National Cybersecurity Strategy, and its themes of cyber resilience and critical infrastructure protection.
Cyber Resilience
Healthcare
Industrial
Operational Resilience
Risk Management

Nexus Podcast: Adm. Michael Rogers on Deterrence in Cyberspace

Michael Mimoso
Latest on Nexus Podcast
See all episodes
The Nexus podcast features conversations with security leaders, researchers, and experts sharing their expertise on cyber-physical systems security.
On this episode of the Nexus Podcast, Health-ISAC VP of Medical Device Cybersecurity Phil Englert discusses the cybersecurity risks introduced by legacy technology in healthcare and how it impacts patient care and safety. He also brought context and insight into the U.S. Food and Drug Administration's (FDA) updated guidance on cybersecurity requirements for medical devices aimed at manufacturers and premarket product submissions.
Healthcare
Cyber Resilience
Vulnerability Management
Risk Management
Technical Debt

Nexus Podcast: Health-ISAC's Phil Englert on Medical Device Cybersecurity
On this episode of the Nexus Podcast, Rafael Arakelian, the OT/IoT Cybersecurity Manager for Accenture, joins to discuss the inner workings of Operation Grim Beepeer, a 2024 Israeli operation that used booby-trapped pagers and walkie talkies to injure or kill Hezbollah members. Raphael studied the technical, cybersecurity, and supply-chain risks involved in this operation, and shares how those lessons can be applied to operational technology.
Industrial
Cyber Resilience
Operational Technology
Operational Resilience
Risk Management

Nexus Podcast: Raphael Arakelian on Operation Grim Beeper
Adm. Michael S. Rogers, USN (Ret.) joins the Nexus podcast to discuss the Biden administration's National Cybersecurity Strategy, and its themes of cyber resilience and critical infrastructure protection.
Risk Management
Cyber Resilience

Nexus Podcast: Adm. Michael Rogers on the Job of NSA Director