What a Defibrillator Taught Us About Data Security

The Real Talk:

  • Why a life-saving implanted defibrillator is also a 24/7 connected device transmitting your most sensitive biometric data—and what happens if that data gets compromised
  • The uncomfortable parallel between “we didn’t want to enable MFA” and “we didn’t think we needed a cardiologist”
  • How a near-death experience reframed everything our team thinks about continuous monitoring, proactive security, and the cost of waiting until after the incident

A Closer Look:

The Device That Knows You Better Than You Do

Victor Barge, IT Audit Labs’ Global Delivery Director, joins us with a story that’s equal parts harrowing and eye-opening. After suffering ventricular tachycardia, Victor now has a data-driven defibrillator implanted in his chest. It learns his patterns, adjusts its shock thresholds as he gets healthier, and transmits real-time biometric data to a monitoring center through his phone via Bluetooth. The technology is nothing short of remarkable. But the moment you start thinking about it as a connected device rather than a medical one, the security questions get very uncomfortable very fast.

The Data You Didn’t Know You Were Handing Over

Victor’s defibrillator knows when he’s at the gym, how his heart responds to stress, what his baseline looks like at 6am versus 6pm, and when something’s wrong before he does. That’s an extraordinary amount of personal data flowing continuously to third-party monitoring centers. And unlike choosing a password manager, Victor didn’t get to pick the device, the vendor, or audit their security practices. He was handed a supercomputer for his chest and told to go live his life. The lesson? The burden of securing that data has to sit with the manufacturers and the organizations managing it—because patients don’t get a say.

When the Painful Fix Is the Right Fix

The episode produced one of the more visceral analogies we’ve ever stumbled into. Victor’s paramedics, unable to find a vein, drilled a needle directly into his bone to administer life-saving medication—while he was fully conscious. Brutal? Absolutely. Necessary? Without question. Eric Brown, CISSP and Nick Mellem connected the dots: sometimes the right security remediation is just like that. Organizations running without MFA, storing passwords in spreadsheets, or carrying years of unaddressed tech debt don’t always get a gentle recommendation. Sometimes the right call is “this is going to hurt, but we’re doing it now.” Waiting until after the cardiac event to install the defibrillator is not a strategy.

Continuous Monitoring Isn’t Just a Sales Pitch

Victor’s defibrillator doesn’t clock out on weekends. It doesn’t wait for the quarterly review to flag an anomaly. It knows his history, tracks his trends, and acts in real time. Victor put it plainly: if his device can call for help the moment something goes wrong with his heart, why are organizations still treating security monitoring like a once-a-year audit event? The same philosophy applies. Attackers don’t observe business hours. Neither should your detection capability.

Bottom Line:

Victor Barge survived a cardiac arrest, three heart surgeries, and an intraosseous needle to the bone while conscious. He came back to work and immediately started asking the right questions about data security. That’s the spirit this industry needs more of. The organizations that win aren’t the ones that scramble after the breach—they’re the ones that treat proactive security the same way a good cardiologist treats a high-risk patient: continuous monitoring, adaptive thresholds, and a hard line against skipping the fundamentals.

You don’t get to pick your defibrillator in an emergency. You do get to pick whether you have MFA before someone else makes that decision for you.

Tune into the full episode to hear Victor’s real-time account of what it felt like to have his heart rate adjusted wirelessly in a doctor’s office, why Eric wants access to Victor’s heart data, and what a 500,000-unit pacemaker recall tells us about the state of medical device security.

🔗 Ep 83 – The Supercomputer in His Chest: What a Defibrillator Taught Us About Data Security

Listen wherever you get your podcasts – Subscribe to our YouTube channel to stay up to date on breaking cybersecurity news.

Learn more at www.itauditlabs.com
