Why Medical Device Security Budgets Get Cut (And What Actually Works)
- Shannon Lantzy

- 3 days ago
- 5 min read

Oleg Yusim has built cybersecurity teams at Baxter, Edwards Lifesciences, and Illumina. At each company, he faced the same challenge: products shipping with shared passwords, executives questioning the business case, and security budgets under constant scrutiny.
The pattern repeated. Leadership would say cybersecurity mattered. Then came questions about cost, timeline impact, and whether partial security was acceptable.
Most security leaders struggle with these conversations. Oleg learned to navigate them by translating cybersecurity into business terms executives already use.
Hospital Integration as a Revenue Driver
When Oleg joined Baxter in 2016, dedicated medical device cybersecurity teams were rare. FDA had published a nine-page guidance two years earlier. The industry was still figuring out what this actually meant in practice.
"Back then, we didn't have any patterns or templates to work with," Oleg said. "It was pure exploration."
That exploration revealed something practical: security features directly affect revenue timing.
Hospitals now ask medical devices to integrate with their monitoring systems, connect to Active Directory, and demonstrate secure data handling. Devices without these capabilities spend more time in procurement while competitors move forward.
"You're starting to get your revenue quicker," Oleg said. "It's not just speed of sale, it's speed of integration."
For product marketers: if your device lacks monitoring capabilities, Active Directory integration, or documented secure connection protocols, that's information your sales team needs when they're losing deals.
The 25% Problem
Consider two approaches to the same executive conversation:
Approach 1: "Our cybersecurity needs improvement. I need $2 million."
Approach 2: "We're at 25% of target. FDA guidance suggests 80%. Customer requirements average 75%. Industry benchmark shows 60%. Here's what that gap costs us."
The second approach works because it provides context for the number.
Oleg builds metrics as percentages of total requirements. If he has 300 security requirements and the product implements 75, that's 25%. He then shows where different stakeholders expect the company to be:
→ FDA guidance expectations
→ Customer contract requirements
→ Industry benchmark data
→ Current implementation status
"There will be horizontal lines crossing all those bars," Oleg explained. "It would say FDA guidance expects us to be at 80%. Customer requirements expect us to be at 75%."
The executive sees regulatory exposure, competitive positioning, and customer friction without needing to interpret technical security concepts.
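The coverage metric described above, worked through as an added example (this is not code from the article or from Oleg's teams). It takes a requirements inventory, computes implemented coverage overall and per category, reports how many additional requirements each stakeholder target implies, and renders the "bars with horizontal lines" view as text. The 300-requirement inventory, its five categories and their implemented counts are constructed to match the 25% figure in the article; the category names are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """One line item in a product security requirements inventory."""
    req_id: str
    category: str
    implemented: bool


# Stakeholder expectations quoted in the article, as whole-number percentages
# of the full requirement set. Integers keep the gap arithmetic exact.
TARGETS = {
    "FDA guidance": 80,
    "Customer requirements": 75,
    "Industry benchmark": 60,
}


def build_sample_inventory():
    """Constructed sample: 300 requirements across five categories, 75 implemented.
    The categories and per-category counts are assumptions, not from the article."""
    plan = {  # category -> (total requirements, implemented so far)
        "authentication": (60, 30),
        "audit_logging": (60, 15),
        "secure_update": (60, 10),
        "data_integrity": (60, 20),
        "network_hardening": (60, 0),
    }
    reqs = []
    for category, (total, done) in plan.items():
        for i in range(total):
            reqs.append(Requirement(f"{category}-{i + 1:03d}", category, i < done))
    return reqs


def coverage(reqs):
    """Fraction of requirements implemented (0.0 to 1.0); an empty list counts as 0."""
    if not reqs:
        return 0.0
    return sum(r.implemented for r in reqs) / len(reqs)


def coverage_by_category(reqs):
    """Coverage fraction per category, sorted by category name."""
    by_cat = {}
    for r in reqs:
        by_cat.setdefault(r.category, []).append(r)
    return {cat: coverage(items) for cat, items in sorted(by_cat.items())}


def shortfall(reqs, targets=TARGETS):
    """For each stakeholder target, how many more requirements must be implemented
    to reach it. Ceiling division so a fractional requirement rounds up to a whole one."""
    done = sum(r.implemented for r in reqs)
    total = len(reqs)
    return {name: max(0, (pct * total + 99) // 100 - done) for name, pct in targets.items()}


def render_chart(reqs, targets=TARGETS, width=50):
    """Text bar chart: one bar per category plus an OVERALL bar. '#' is implemented
    coverage, '|' marks each stakeholder target, so the gap is visible at a glance."""
    lines = []
    rows = dict(coverage_by_category(reqs))
    rows["OVERALL"] = coverage(reqs)
    for label, frac in rows.items():
        bar = ["#" if i < round(frac * width) else "." for i in range(width)]
        for pct in targets.values():
            bar[min(width - 1, round(pct / 100 * width))] = "|"
        lines.append(f"{label:<18} [{''.join(bar)}] {frac:>5.0%}")
    legend = ", ".join(f"{name} {pct}%" for name, pct in targets.items())
    lines.append(f"markers: {legend}")
    return lines


if __name__ == "__main__":
    inventory = build_sample_inventory()
    print("\n".join(render_chart(inventory)))
    for name, missing in shortfall(inventory).items():
        print(f"{name}: {missing} more requirements to reach target")
```

Running it prints the per-category bars with the three target markers and, below them, the number of requirements separating the product from each expectation. Swapping the constructed inventory for an export from a real requirements tracker is the only change needed to use it on a product.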
What Defense Contractors Miss
A cybersecurity founder approaches Oleg. Former defense contractor. Solid technology. Proven in classified environments. Ready for medical devices.
Oleg's first reaction: concern.
"In DoD environment, you have a mandate for security," he said. "There's very clearly written regulation. Any DoD organization must do this from security perspective."
Defense contractors build for mandates. Medical device companies build for business cases that have to compete with other priorities.
The technology might work technically. But if it doesn't address a problem the industry is actively struggling with, it won't get adopted regardless of technical merit.
Oleg's advice to that founder:
→ Talk to product security leaders at multiple companies
→ Bring detailed technical specs, not overview presentations
→ Spend time at whiteboards discussing actual integration challenges
→ Listen for what they're struggling with day-to-day
→ Consider whether your solution matches their real problems
"Make sure it actually does solve the industry pain points," Oleg said. "And if it doesn't, then maybe pivot it a little bit."
Why Integrity Matters More Than Confidentiality
Most people think medical device cybersecurity centers on data breaches. Patient records stolen. Privacy violations.
Oleg reframes that: "Confidentiality is kind of thrown on its head in medical devices."
The primary concern is integrity. Someone who can modify an infusion pump's drug prescription creates direct patient harm. Someone who compromises a medical device as an entry point into the hospital network can launch ransomware affecting entire systems.
HIMSS reports that 5-10% of hospital cyberattacks originate from compromised medical devices. That's documented industry data, not theoretical risk.
"It's always a question: How much is enough?" Oleg said. "We want product security, but how much product security is enough?"
The answer depends on risk tolerance, not technical perfection.
Budget Conversations That Work
You're requesting three positions at $300K each—$900K total with overhead.
The executive declines the full amount.
What happens next?
"I will say, okay, give me 300," Oleg explained. "We will mitigate part of the risk you have and you will have to deal with the rest of it."
This isn't conceding defeat. It's documenting what gets covered and what doesn't.
The executive now understands which risks get addressed with the reduced funding and which remain open. If issues arise later, there's clarity about what was resourced and what wasn't.
"It's all about risk appetite of the company and risk acceptance," Oleg said. "That is why they run the company, not me. They have much more context."
Many security leaders struggle here because they present all-or-nothing options. Oleg succeeds by quantifying partial coverage clearly enough that executives can make informed trade-offs.
The Core Question
Before Oleg enters any executive conversation, he asks himself: "Why is the money I'm proposing to spend a good deal for the company?"
Not: "Why is this technically necessary?" Not: "Why does FDA require this?" Not: "Why are we vulnerable?"
But: "Why will the company benefit more than the cost if we proceed this way?"
That question drives the data selection, benchmark comparison, risk quantification, and mitigation options.
"We wanna make more money tomorrow than we did today," Oleg said. "We wanna develop our company in the right way. We wanna keep good reputation. Any kind of proposition we evaluate from that angle."
It's not just financial. It's about sustaining the business that serves patients. Maintaining capability to keep developing useful products. Building the foundation to continue making a contribution.
Framed that way, the decisions become clearer. Not security versus revenue. Sustainable operation versus failure modes that prevent any future contribution.
What This Means in Practice
If you're developing medical devices, three areas matter for practical implementation:
Integration speed. Can hospitals onboard your device efficiently? Does it work with their existing monitoring and authentication systems? These affect procurement timelines and competitive positioning.
Measurable positioning. Generic security claims don't differentiate. Specific metrics about where you stand relative to industry benchmarks and regulatory expectations give procurement teams concrete comparison points.
Risk translation capability. Your security team needs to communicate in business terms. If they can only discuss technical vulnerabilities without connecting to revenue impact or competitive dynamics, they'll struggle in resource allocation discussions.
Companies that handle cybersecurity well in the next several years won't necessarily have perfect security. They'll have security programs that can articulate business value clearly enough that executives understand the trade-offs before they're forced to react.
Listen to the full episode with Oleg Yusim: https://creators.spotify.com/pod/profile/shannon-lantzy


