When Oleg Yusim joined Baxter in 2016 as one of the first dedicated medical device security architects, the industry was just beginning to understand that shared PINs like "4444" across entire product fleets weren't acceptable security. Ten years later, as Chief Product Security Officer at Illumina, he's mastered something far more difficult than technical security: translating cybersecurity risks into language that CEOs, CFOs, and boards actually understand and act on.
In this conversation with Shannon Lantzy, Oleg breaks down why medical device cybersecurity fundamentally differs from enterprise IT (hint: confidentiality takes a backseat to integrity and availability when lives are at stake), how to use data-driven benchmarks to show executives where they stand against competitors, and why the question isn't "can we afford this security investment" but rather "does this help us survive and do good in the world, or does it push us toward failure?" He also shares pointed advice for cybersecurity startups trying to break into medtech: elegant technical solutions mean nothing if they don't solve the industry's actual pain points, and coming from a DoD environment often raises red flags because commercial companies won't accept the productivity hits that military mandates require.
Timestamps:
[00:00:00] Introduction and Oleg's recent AI hackathon success
[00:03:40] How coincidence and life-critical systems shaped his career path
[00:06:25] The jump from military communications to medical devices at Baxter
[00:09:30] What it was like being a security architect when the field barely existed
[00:11:05] Why medical devices had rudimentary security before 2014
[00:13:00] CIA triad differences: why confidentiality isn't king in medtech
[00:16:00] Integrity attacks on infusion pumps and why "nobody would do that" isn't valid
[00:18:25] Medical devices as perfect attack footholds for hospital networks
[00:20:40] HIMSS data: 5-10% of hospital attacks start from compromised devices
[00:22:20] Building product security teams and changing company culture
[00:26:10] The CEO presentation: three slides with data, thirty slides in your pocket
[00:28:15] How to quantify cybersecurity posture as percentage of requirements met
[00:30:55] Using benchmarks: FDA guidance, customer requirements, and competitor analysis
[00:33:20] Why better security means faster sales and integration
[00:36:50] Headcount vs vendor costs in security budgets
[00:40:20] Risk acceptance conversations when budgets get cut
[00:42:20] The critical importance of data-driven decision making
[00:44:25] Framing security investments as business survival, not just cost
[00:47:30] Advice for cybersecurity startups targeting medtech
[00:49:30] Why DoD-derived solutions often miss commercial pain points
[00:52:20] Rapid fire questions
Follow Shannon and Oleg:
Connect with Shannon:
LinkedIn: https://www.linkedin.com/in/shannonlantzy
Website: https://www.shannonlantzy.com/
Connect with Oleg:
LinkedIn: https://www.linkedin.com/in/olegyusim
Website: https://www.illumina.com/