top of page
Search

Securing Life-Critical Technology: A Conversation with Jacob Combs on Medical Device Cybersecurity

ree

When your insulin pump connects to your phone, or your glucose monitor shares data with the cloud, is it secure? More importantly—what does "secure" even mean?

These are the questions at the heart of my recent conversation with Jacob Combs, Chief Information Security Officer and VP of Cybersecurity at Tandem Diabetes Care. Jacob brings deep expertise from across telecom, defense, financial services, and healthcare—and now protects connected devices that deliver life-sustaining insulin therapy to people with diabetes.

This wasn't just another cybersecurity conversation. We explored the unique intersection of safety, usability, and security in medical devices—where the ultimate risk isn't data loss or financial impact, but death.

The Mission-Driven Imperative (02:12)

Jacob's path to medical device security wasn't accidental. After years in financial services and defense, he found himself drawn to work where the stakes are deeply personal.

"I love this work because we're helping people," Jacob explained. "It's mission driven. But the second aspect is that it's a little bit daring in the way that the ultimate risk is death. Someone can actually die from misuse or an attack on the devices that we make. That level of intensity mixed with mission-driven business—that's what I'm looking for."

This intensity shapes everything about how security operates in medical devices. It's not just about protecting data or preventing breaches. It's about keeping people alive while they go about their daily lives.

Balancing Three Competing Priorities (03:16)

What makes medical device security fundamentally different from enterprise IT security? It's the constant tension between three competing priorities:

Usability → Patients need to deliver therapy immediately, without friction Safety → The device must function exactly as intended, without compromise Security → We must protect against threats without creating new risks

Jacob illustrated this with a compelling example: "Every time you want to give yourself a bolus, you have to do multifactor authentication because of security. That is a safety risk because now you've added this third party or this situation into the therapy potentially that could fail and then cause that person to miss their therapy."

The balance isn't theoretical—it's written into standards like TIR 57, which explicitly describes how to weigh security risk against safety risk. For insulin delivery systems, integrity is paramount. "We need to protect the integrity of the information and the data being shared," Jacob emphasized. "There's no way that data will be changed or modified." (15:00)

The Complexity of Interoperable Systems (17:17)

Type one diabetes management systems are at the forefront of medical device interoperability—and with that comes extraordinary complexity. An insulin pump, CGM, control algorithm, smartphone app, and cloud services all need to work together seamlessly. Each component may come from a different manufacturer, with different communication protocols and security models.

Testing, validating, and pushing updates across this ecosystem isn't a simple task. "We have different products over time, and the communication protocol is not the exact same," Jacob noted. "So we have these differences in the way we do things. There's a lot of complexity in our environment."

And the user base? Equally complex. "There's no unique community," Jacob explained. "Everyone is different—socioeconomic status, age, forward-thinkingness, it's all over the place. Some of them don't ever want to touch their device because it works how they want. Some of them want the fanciest tweaks so they can make their algorithm do X, Y, and Z."

This diversity means that even a simple security feature could alienate users if it's too complicated or disrupts their daily routines.

Security as a Growth Engine (37:25)

Here's where Jacob challenges conventional thinking in the security community. At the first CyberMed conference, the prevailing wisdom was that cybersecurity isn't competitive—that companies shouldn't charge for security features. But Jacob sees it differently.

"Product security isn't just a shield, it's a growth engine," he told me. Not because Tandem would ever charge separately for security (they wouldn't—that would put patients at risk), but because strong security posture creates competitive advantage.

"We can lead the front saying, look, we've taken these significant efforts to protect your device, to protect this ecosystem," Jacob explained. "We can use that in our marketing, use that in our forward looking. When we make tender agreements in Europe, we can say, hey, this is what we're doing and here's why we are a leading device when it comes to security."

There's another benefit: security drives quality. "As you improve security, it drives quality in other areas as well," Jacob noted. "Security is an engineering function that you have to do things very precisely and well. That automatically creates much stronger testing, much more robust use case scenarios. It just adds a lot more to the quality of the device and permeates this improvement across all areas." (39:32)

Threat Modeling as a Cultural Transformation (55:25)

One of the most powerful insights from our conversation was about threat modeling—not as a document or deliverable, but as a verb that transforms engineering culture.

"Threat modeling is not run by the security team," Jacob explained. "It's run by the actual developers themselves or the architects themselves. Because what we found is the best way to influence them above anything else. We go through this process with them and the light bulb comes on in their head and then they run with it."

This approach creates a cascading effect. Engineers who understand threat modeling start thinking like security professionals. They anticipate risks. They design with security in mind. "After doing that for a while, it creates this culture where they start coming to us with, 'oh, we thought about this.' They think of it on their own instead of us having to point it out all the time."

This cultural shift is essential for scaling security in organizations where development teams outnumber security teams 10 to 1 or even 15 to 1.

But Jacob was adamant: the human thinking process behind threat modeling can't be automated away. "I see threat modeling as a deep understanding of how the system works and making sure that everyone's on the same page. The knowledge needs to stay in the right place. A lot downstream can be automated, but this piece needs to be maintained." (58:00)

Legacy Devices and Security Debt (59:23)

Every medical device company faces the challenge of security debt—vulnerabilities in fielded devices that can't be easily patched. One colleague of mine once quipped that "what they call legacy devices in my company are the money makers, the revenue generators."

Jacob's approach to security debt is pragmatic and risk-based. First, identify what's on the "hot list"—immediately exploitable vulnerabilities. Then have an honest conversation with the business: Is it technically feasible to fix? Did all the developers who wrote this code leave the company years ago?

Often, the answer involves compensating controls—putting a firewall or web application firewall in front of vulnerable systems to wall them off from exploitation. But Jacob insists on something critical: a plan to actually fix it. "I write this in all my policies now—you have to have some plan for undoing this, for actually fixing it in the long term."

The conversation around legacy security is changing, driven by two forces: more sophisticated tools that can prioritize risks automatically, and customers who now require security updates in their contracts. "As you work with your different partners or your customers, they actually require you to do it before they'll even buy from you," Jacob noted. (01:03:00)

The Regulatory Paradox (43:57)

I asked Jacob a question I knew would be provocative: If regulatory barriers weren't an issue, how much faster could medical device companies adopt better cybersecurity postures?

His answer surprised me, though in retrospect it shouldn't have: "I think the regulatory barrier is the reason they were able to adopt good security postures. I think it would be actually, given the history of our industry, the wrong direction."

This is the regulatory paradox. Yes, FDA requirements create documentation burden. Yes, verification and validation is time-consuming. Yes, the quality management systems are designed with methodologies from 15 years ago that make rapid iteration difficult.

But those requirements also give security leaders like Jacob the leverage they need to drive programs forward. "It's not optional," he said. "That is a big leg up over other industries where they're trying to push security into the product, but there's no regulatory or legal push that requires it."

What needs to change isn't the requirement to secure devices—it's the process of documenting and validating that security. "If we could see continuous integration/continuous deployment, which frankly I think with AI is coming, that you can't be much farther off—where we're able to have all of that difficult administrative work be done for us—we could move much more quickly." (51:23)

What's Next

The future of medical device cybersecurity isn't just about better tools or faster processes. It's about culture, collaboration, and a shared commitment to protecting patients.

Jacob's parting advice to startup founders in this space? "Take security seriously from day one. When you're designing your device, figuring out what you want to do, make sure you incorporate and think about at least the roadmap or the possibility for how you're gonna put security on that device from day one. It'll make it much easier, much less rework or rethinking you have to do." (01:12:00)

As someone who works at the intersection of innovation and regulation, I left this conversation energized. The challenges are real—interoperability, legacy systems, regulatory complexity, diverse user populations. But leaders like Jacob are navigating them with intelligence, pragmatism, and an unwavering commitment to patient safety.

The ultimate measure of success in medical device cybersecurity isn't the absence of vulnerabilities. It's a child with type 1 diabetes living a normal life, trusting that the technology keeping them alive is secure, reliable, and working exactly as intended.

Listen to the full episode:

This episode of Inside MedTech Innovation explores the unique challenges of securing connected medical devices that deliver life-sustaining therapy. Topics include threat modeling as a cultural practice, managing security debt in legacy systems, balancing safety and security risks, and why regulatory requirements can be a competitive advantage. This post was generated from the full episode transcript with AI assistance to capture and synthesize the key insights from the conversation.

 
 
bottom of page