Avoid the Dumb Tax: Cybersecurity Lessons for MedTech Startups with Steve Bell | Ep. 5

In this episode of The Med Device Cyber Podcast, the hosts welcome Steve Bell, a seasoned veteran with over 35 years of experience in the MedTech industry. Steve shares his extensive background, which began with a 16-year tenure at Johnson & Johnson where he was part of the pivotal transition from open surgery to minimally invasive laparoscopic procedures. His career also included roles in cardiovascular and women's health divisions and even early involvement with the robotics company Intuitive Surgical. After leaving the corporate world, Steve immersed himself in the challenging California startup scene, experiencing both successful ventures and spectacular failures, which he refers to as paying the "dumb tax." His journey culminated in a six-year stint as CEO of CMR Surgical, a soft-tissue surgical robotics company. Now semi-retired, Steve dedicates his expertise to mentoring the next generation of MedTech entrepreneurs, helping them avoid common pitfalls on their path to market. The central theme of the discussion is the harsh reality and strategic necessities of launching a successful MedTech startup. Steve argues that many founders, especially those with brilliant clinical or academic ideas, often underestimate the non-technical aspects of building a business. He strongly emphasizes that the single most important job of a startup's CEO is fundraising, as cash flow, or "burn rate," is the lifeblood that determines survival. The conversation delves into the "go big or go home" mentality prevalent among investors. Steve explains that because the due diligence process is just as intensive for a small investment as it is for a large one, investors and corporate strategics are primarily interested in ideas that target massive markets with the potential to generate returns in the hundreds of millions. The podcast also specifically addresses the critical role of cybersecurity, which is often treated as an afterthought by new companies. The hosts and Steve concur that security cannot be simply "bolted on" late in the development cycle. Instead, it must be a core component from the very beginning, integrated during the initial requirements and design phases. Neglecting this leads to costly redesigns, significant delays in regulatory submissions (like FDA or MDR clearance), and a rapid depletion of funds. Steve's overarching advice for aspiring MedTech founders is to get educated, build a network of experienced mentors, and clearly define their end-game—including the commercialization strategy and exit plan—before a single screw is turned. He highlights the crucial distinction between intelligence and experience, urging entrepreneurs to learn from the costly mistakes of others to increase their own chances of success.

Christian: Welcome to the Med Device Cyber podcast. Today we have a guest, Steve. Steve's been in the industry quite a while and he brings some valuable insights in and to help startups through their journey to get their device to market. You want to introduce yourself a little bit, Steve? Steve: Yes, sure. Uh firstly, thank you for having me on. So it's a a real pleasure to be here. Yes, my name is Steve Bell and for those that don't know me, um, you'll know I wear purple if you ever see me on LinkedIn. That's how you can find me. Um, yeah, I've been in med device for just over 35 years and I started my career at Johnson & Johnson, did 16 years there, did the whole transition from open surgery to laparoscopic, so have a lot of uh, a lot of fondness for that whole minimally invasive side of things. Steve: Then I did a cardiovascular division within J&J, a women's health division, and I was actually part of the team that was looking at uh Intuitive back in the very early days, um, when when they were just getting going. Um, I I then left J&J and I did um, the California startup thing. So I used to commute between Rome and Los Angeles every two weeks. Did that for almost 10 years, which was um interesting. Christian: That'd be exhausting. Steve: Yeah, it wa it was, it was. You kind of get used to it though, you get into the ro... the 405 was actually worse going down from Los Angeles to Irvine was worse than the uh transatlantic, which was quite bonkers really. Yeah, it took me longer sometimes to get down the 405. So, um, yeah, so I I did multiple like hardcore startups, you know, where I literally me and like Brad Sharp started some of the industry um uh companies that we did in a cupboard in, you know, in a small cupboard, literally. Uh, one of the startups was called InSitech that we did there. Steve: Did that for a long time, did a couple of turnaround companies and then I sort of retired, um, you know, crashed and burned a few startups quite spectacular, uh, which is uh where you get the most learning. Um, but did, did well in a few, flipped a few, um, and then I was contacted by uh a really good guy called Martin Frost who was the CEO of CMR Surgical, which is a soft tissue surgical robotic company. Steve: And Martin twisted my arm and, you know, I I was went there for six months to basically go and set them up a commercial team and ended up being there six years. And I said, okay, I think that's long enough now. Uh, and then I uh last September I stepped out and um, since then I'm, I'm sort of semi-retired but trying to help the industry, you know, surgeons, young entrepreneurs, startup engineers, to really try and learn all the mistakes that, you know, I've made and a lot of my friends make in startups so they don't make the same mistakes. So, yeah, so I'm doing a lot of that really at the minute is trying to help startups to startup the right way. Christian: Yeah, awesome. I call that the uh, the dumb tax. In my first cybersecurity company, I, I paid a lot of the, the dumb tax as they say, you know. Hopefully I'll pay less of it this time, you know. It's always a little bit of tax we have to pay. So that's, that's a great way you're doing. You know, hopefully, you're helping people avoid some of that dumb tax, you know. Steve: And, and, you know, and, and in medtech startups, that's a really expensive dumb tax. I mean, it it can literally, you know, sink your company. You know, a small decision like, you know, putting the company in the wrong place, um, can easily derail your company and make it hard to raise follow-on rounds. So I'm, you know, I, I have a, a website called howtostartupinmedtech.com, tried to keep it easy. Steve: Um, and there, and on there, you know, there's, there's like a 100-video online course that people can take and it's basically just me um blathering on for a good long while in about 100 videos, um, trying to just tell people the mistakes not to make and trying to give them some insights of what, you know, really helps with a medtech startup. That's what kind of I do most days. Christian: Yeah, I've taken part of your course. I know you have this idea in there like, it's kind of go big or go home. You want to elaborate on that a little bit? Steve: Yeah, so, um, I need to, I need to be careful how I say this, because there are small ideas for small disease states or orphan disease states that are really noble and should be absolutely followed. But my course is really about how you build a medtech business. And unfortunately what I've just realized is the investors um really don't want to invest into anything that where they can't get big returns. Steve: It's it's been clear to me that investors, um, whether they invest a million or 10 million, it's kind of the same work for them. It's the same diligence, it's the same risk for them. So they'd rather put 10 million in and get a bigger return over the long run. So I try to encourage people that if you're gonna think of a long-term, rather than uh, you know, a nonprofit company, if you're trying to make a for-profit company, you need to be in big ideas, big spaces where, you know, there's the potential to make a hundred million in revenue by year 10, or it's very hard to get investors to get excited. And, um, you know, sad but true. Christian: Awesome. So you said 100 million by year 10. Is that kind of like the golden standard? Steve: Yeah, it's kind of if you, if you look at the, the the math on this, um, if you're not getting at least those kind of numbers, it's really hard to make the profit that you need to make and and do, do the kind of growth that you need to make and be interesting. If you're not doing 100 million or the opportunity is not worth 100 million, you don't necessarily have to get there, although I'll talk about exits in a minute. Steve: Um, it's not that exciting for a strategic, you know, a strategic to have a, you know, if you're a Johnson & Johnson or a Stryker or a Medtronic and you're trying to bolt on 10 million of of extra sales onto your, you know, multi-billion sales, it doesn't kind of move the dial, so it's hard to get people very excited. It's not impossible, but it seems to be that if it's a, you know, 100 million, billion, two billion opportunity, um, they seem to get excited about that a lot more. And I, I get it, right, that that's the nature of strategics and business. Steve: The interesting thing is as well, you know, you have to sort of aim big. Most people don't realize that 85% of medical device startups will fail. And a lot of them fail because they never get to profit. Um, so they're forever trying to raise money and they, they run out of that ability to do that sooner or later. Steve: And then the second thing is it's taking on average now, you know, when I first started doing startups in sort of 2005, you could potentially file some IP, get some R&D prototypes made, and you could flip the idea on a very early stage to a strategic that wanted to bolster their portfolio. Then it became, um, you know, we, you know, we want to make sure that you, you've, you know, got some first in human. And then it became now we want some regulatory clearances. Then it became we want you to have got at least some commercial success. Steve: And now the strategics, you know, in their risk aversion are sort of, not all the time, but most of the time now are saying, you know, we want to see good commercial traction. So that for any company takes between 10 and 15 years. So the, the average exit time now for a medtech startup is between 10 and 12 years, average. So, you know, it's, it's got to be a big opportunity if you're gonna put 10 years of your life into it. Christian: Yeah, that's a pretty big commitment. In terms of, since this, we talk about cybersecurity in our podcast, in terms of cybersecurity, when do you first hear some of these startups even like consider the idea or do they even think about it or is it like they're, they're kind of forced to do it and they don't really want to do it. Like what, what is your perspective or what's a lens you kind of see, see through with this? Steve: Yeah, so there's, there's kind of three groups that I, that I see um in there. So anyone who's done a complex product before, a connected product or a robotic product or something with some, you know, some software in it, and they, they've kind of been through this pain. So they, they tend to earlier on, you know, still not as early as sometimes they should, but earlier on, they kind of have it on their radar. Steve: When you have, you know, surgeon founders or young engineers coming out of um college, you know, first time founders coming out of there, it's very rare that they really pick up on it until they get kind of, um, late stage with a regulatory consultant who says, by the way, what have we done for cybersecurity? And that can often be, you know, in, in some cases I've seen it very close to when they're making submissions. And that's where I've often seen for a lot of these startups that the wheels start coming off because it's not just, and we, we've talked about this before and and again, you know, Trevor might want to jump in on this. I think people think you can just bolt cybersecurity on kind of at the end and get over the uh regulatory hurdles. And my experience has been when it's a, when it's a late add-on to the company, it never ends well. It, it either derails the product, makes the product really, really, you know, um a long time to get through regulatory because you've got to keep sort of like bootstrapping stuff together to get it through, or sometimes it's a complete redesign. Trevor: What I try to look at with that lens and what I try to tell people when they say, when should we consider cybersecurity? It's at the requirements phase. So you have an idea, you say we want to create this device. What does the device need to do? They're going to build out those functional requirements. For every single functional requirement, they need to have the non-functional requirements on what's happening in the back and cybersecurity needs to be part of that. Trevor: Like you said, a lot of manufacturers will just try to bolt it on at the last minute and it never works out. It's always clunky, it often requires a redesign. It's far more expensive than planning it out and doing it right the first time. So ultimately it does come down to like you said a matter of experience. A lot of manufacturers, this isn't their first time doing a device. They know what to expect and so they try to build in cybersecurity. Trevor: A lot of times it'll be sort of a bootstrap startup and they don't know what they're getting into. They create a product, it works great. And then it's just a security nightmare for them to manage. So that is the ideal point, getting in as early as possible from my lens. And if it's not possible to get in that early and try to get security built in, oftentimes then it's a matter of how creative the solutions can become. Christian: Yeah, and like Steve was mentioning, if your burn rate is a million a month, that's $2 million you're behind schedule, plus you're not selling the product because it's not in the market either. Trevor: Exactly. So you're losing money on so many different fronts there. Another area is just how smooth the process can be. We've done it in the past where a company will come to us and say, 'hey, we need to submit in 30 days, we haven't even considered the word cybersecurity'. It's a frustrating, stressful process, all hands on deck. The client has a lot of things to work through. We have to work overtime to make sure that everything's getting done, and it can happen, but it's never a good time for anyone. And it doesn't need to always be that stressful. Trevor: The ideal situation is if someone comes to us early on and says, how can we incorporate security into our device? This is what we want our device to do. What do we need to consider? We can help them spot out the common pitfalls early on. So then once they have a device, they're ready for their required penetration testing, and it's smooth. They come back with two or three quick findings. Trevor: So, there are a whole bunch of different areas that can just be streamlined by this whole process without needing this constant back and forth and burning a whole bunch of extra money by pushing it into the last possible minute. Christian: So I always talk about with some of the startups and the founders about design decisions and how a decision even a year and a half ago, when you get to clearance, trying to get through the FDA or MDR can really have an impact from a cybersecurity perspective. Can you maybe speak to design decisions a little bit, Trevor? Trevor: There are a lot of things. Christian: Maybe an example. Trevor: Yeah, a great example is secure boot, secure boot. So secure boot essentially anytime you're starting up a device, make sure that nothing on the inside has been modified or tampered with. This is to prevent someone from going in and putting on some malicious software onto a device or replacing an application without it getting checked. Trevor: That is, you need to build a device with secure boot in mind. You can't just slap it on at the end, it's not a little box you tick. You have to build it with that consideration, start to finish. So, there will be times where a device will, someone will come to us with a device and I'll ask them, do you have secure boot enabled? They'll go, no, we don't. And we need to submit in a month. We can't redesign the entire product in a month. So then it becomes a lot more difficult to figure out how are we going to handle data integrity in this system where the features aren't built in. Trevor: So that's something that people should think about from that design perspective. There can also be a lot of just inherently insecure functionalities. Oftentimes we'll have a lot of back and forth with clients on, oh, well we want to have a connection to the internet. And that can be great for a lot of reasons. You can do remote monitoring, updates, maintenance, you can make any changes from the cloud. But that means bad guys can see it from the internet too. So there are a lot of considerations and oftentimes startups trying to get, you know, just a product cleared want to go down the path of an air-gapped device before they go down the path of bringing in that connectivity, which can often open up a whole can of worms for security considerations. Steve: Can I, can I can I ask a question there then? So you know, when, when we're building startups, you were obviously, you're always stuck for head count. Of course you're always stuck for head count, right? But there's also fractionals, you know, there's the possibility to have fractionals. Um, how many? I I've not seen many startups that have a cyber head, you know, somebody responsible for cybersecurity early on in the company. I think I you know, you don't see it until real later on. It's usually one of the IT team or it's one of the engineers, one of the software engineers gets sort of pinned and tagged with it. But are there, are there individuals out there that startups could go and employ? You know, if you've got a robot or something that you know is going to be connected with extreme connectivity and even tele-robotics, for example, do those people exist out there? Trevor: There are going to be two different people that you have to have to bridge that gap. So, it's not just a focus on the pure cybersecurity considerations. It's a focus on the regulatory considerations. You have to be able to meet all of the FDA requirements. You have to meet all of the requirements for risk management through ISO 14971 and TR 57. So it's not just a one simple solution. Oftentimes, it works to have someone who specializes in regulatory and knows the cybersecurity side at a high enough level, and then someone who specializes in cybersecurity and knows the regulatory side at a high enough level. Uh, I would say there are some people out there who can cover both areas, but definitely a little bit more of a unique case. So cybersecurity and regulatory are very connected industries, but they're so separate and so distinct with the execution, it often helps to have both involved. Christian: I think from our experience, we there's a gap. The gap is they try, most companies, and these this even includes like really massive companies with like 6,000 employees or over 6,000, they try to make their IT cybersecurity people, like their CISO, or people that know cybersecurity traditionally, in charge of product cybersecurity. And the the the lens is very different. A medical device has very different cybersecurity requirements than an enterprise, but most people don't realize that. So they say, 'oh, this is a cybersecurity person'. You know, everyone thinks if you're cybersecurity, you know everything cyber. So they put you in charge of the uh product. And that that typically doesn't work from our experience. So, a better approach, which you were alluding to as like consulting with experts, like we have a couple of companies who work right now that are they haven't even started coding the device. And they're working with us, so we can consult them about the requirements, those non-functional requirements that Trevor was talking about, so they can do it right from the beginning and make sure they have a more solid road map. And I think this also helps with invest, investors. If you're looking to get your device to market and get another round of investing, if you have a well thought out road map and you've considered cybersecurity, that's going to put you ahead of other people pitching the investor. Because I think investors now are realizing a lot of companies forgot about cybersecurity and their investments are being, you know, not looking as good as they thought they would because of the delays. Steve: It was funny you should say that. What so I am seeing and it's really in the last 18 months, 24 months that the due diligence packs never used to involve the cyber. They didn't, you know, it would have your commercial plan, your QA plan, your your road map through regulatory, your clinical plan. Now more and more I can see startups are being asked about, you know, what's your cyber plan? What's your cybersecurity plan? How are you going to make sure that you're a connected device? Because the investors have also understood that, yes, air gap devices are interesting, but it's not the exciting piece, you know, they, they want um, they sort of kind of all say that the data is the new gold, right? They, they kind of say that all the time. I'm not sure they quite understand what they mean by that and I don't understand quite who's going to make all this money off it, but if they've got that in their minds, they're going to also want to make sure that's protected both ways. They want to make sure there's no harm to patients done. You want to make sure you know, you know if this thing is connected to the internet somehow, people can't get into it or different ways and uh harm patients because that is a pretty short ride for a company um, if you get that kind of press early on. And then the second thing they want to do is they want to protect their data, you know, they, they are terrified of bad actors around the world, scooping up either um, data from the company is one side of it, but they're really concerned about all those insights coming off like from smart robots, for example, that all that data which is really valuable to get insights and to do, you know, a lot of training models for AI and stuff, um, they're very scared that people might siphon a lot of that off. So, yeah, I think that in investors are now getting wise to it. still not quite there yet. Um, maybe that's something you can do which is go and, you know, educate the investors of the right questions to ask in due diligence. Maybe that will get people earlier on because they'll be told in your use of proceeds, we want to see, you know, X thousand, X 100,000 put against Cyber. Um, but yeah, investors are definitely waking up to this and understanding in the new, the new generation of what myself and and Joe Mullings are calling more, you know, techmed rather than medtech. As we get into the techmed side of things a lot more, the investors are starting to understand that has to be protected. Christian: Yeah, that's a good angle. I think the investors need to be educated as well because they obviously want to return on their investment and they need to manage the risk. So cybersecurity, it's it's refreshing to hear you say it's becoming something that the investors look at from a criteria perspective. So, as we wrap up here, Steve, like, not to put you on the spot, but what would you say the top three things are? Like if I'm a medtech startup, like what, you know, you always allude to that medtech is harder than starting up in another industry. Like what are the top three things I should be concerned about? Steve: Yeah. So, um, the first and hardest thing for founders and they, they, they think it's all about the idea and they don't realize that if you're the founder or you're the CEO, you have one job in life, raise money. okay? And that is a continuous thing that... Christian: That doesn't sound as exciting as bringing my innovation to life though. Steve: It it doesn't. And unfortunately, if you got no money, you got no company, you got no business, you got no exit. So, um, the the first thing I is the big watch out is learn how to raise money properly. You know, make sure that you really know how to pitch properly, how to prepare your messaging properly, how to, things like data rooms. You know, people are notoriously bad at data rooms. They send Excel files around for diligence. It's quite, um, incredible. Steve: So that's one of the, one of the things they've got to learn. I think the second thing is as well is you got to look that the pyramid is upside down to how people think. They think it's all R&D and then you do the commercial on top of that. It's the opposite way around. R&D and the whole R&D of it is less than 10% of the actual venture. The majority of it and the hardest part of it is commercialization. There's thousands and thousands of single prototypes that sort of crawl across the line and become a minimum viable product. Very few of those, unless they're commercialized properly, ever actually become a success. And that's why again why the strategics are very good because they, they do know how to commercialize. Steve: But I think startups, the big watch out for them should be early on, they should know the end game of commercialization before they put a single screw into anything because a little bit like cyber, you know, bolting on at the end pricing, when, you know, you say, you know, we, we make this thing for $100, therefore we need to sell it for $200 and the customer says, well, we only have $50 to pay for it. There's a big disconnect because they've not understood the commercial endpoint before they get to building the screws. And again, a good R&D team if early on you say to them, your sandbox is this, you can't make this for more than 25 bucks. They'll tell you all the features they can't put into it, but you'll have a product that at least you can sell commercially. So that's another one of the big watch outs. And then the other one, um, is regulatory and it is, it is linked to the cyber a lot, um but it's the regulatory in general. people are massively over ambitious of when they think they're going to get something through the regulatory pathway. The regulatory has got harder and harder. You know, MDR has become notoriously bad and hard. Um, but any of that, if you get the right experts, you know, talking about the cyber again, if you, if you get your cyber sorted out, you don't have that three month extension. You get, you know, you your clinicals done in the right way, your lab practice done in the right way, your validation verification done in the right way, in the right formats that the regulatory bodies like, you know, don't try and reinvent the wheel again. Steve: Um, and again, using good regulatory experts who have done this before will give you much better timelines and costs of it. Christian: Yeah, awesome. Those are some good pearls of wisdom, Steve. I think starting with the end in mind is always important for anything. And I like your sandbox analogy. Tell them $25 all you have to make this uh product. So therefore we can sell and make a profit. I don't think a lot of people think of it through that lens. So, what's a good way for people to get a hold of you, Steve? Steve: Oh, okay. So the, the easiest way to get a hold of me, besides being on LinkedIn, you can find me as Steve Bell on LinkedIn. But, um, if they want to, if they're interested in startups and trying to get some knowledge on startups and also find a list of partners in there who can give them that kind of advice, then they can go to howtostartupinmedtech.com, which has got an H on the end. So medtech with an H on the end.com. And they can get all the information there and all my contact details are there, or reach out to me on LinkedIn. Christian: All right, awesome. Well, thanks for being a guest on our podcast. And uh, we appreciate you sharing some of your wisdom through the journey over your 35 years of wisdom basically. So people going to avoid paying that dumb tax. I only have like 30 years experience. Steve: Look guys, thank you very much and, and again, um, really enjoyed being on the podcast and the why it's exciting for me as well is because I don't get to talk about this stuff enough. I always get to talk about some of the other stuff on medtech, but I think this is kind of one of the hot topics in the minute, so it's a pleasure to talk about it. Christian: All right, awesome. Well, thanks again.