    Episode 6 · December 10, 2024 · 35m listen · 492 words · ~2 min read

    Avoid the Dumb Tax: Cybersecurity Lessons for MedTech Startups with Steve Bell | Ep. 5 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 6 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This episode of The Med Device Cyber Podcast features industry veteran Steve Bell, who shares invaluable insights for MedTech startups navigating the complex journey of bringing a medical device to market. Bell emphasizes that startups often face a steep "dumb tax" due to common, yet avoidable, mistakes. He highlights the critical importance of early cybersecurity integration, stressing that bolting it on late in the development cycle leads to costly redesigns and significant delays in regulatory approval. The discussion covers the distinction between functional and non-functional requirements, with cybersecurity falling squarely into the latter, requiring proactive planning from the requirements phase. Bell and the host also delve into the financial realities of MedTech, underscoring the need for "big ideas" that promise substantial returns for investors, typically $100 million in revenue by year ten. The episode further explores the extended average exit time for MedTech startups (10-12 years) and the growing awareness among investors about cybersecurity as a crucial due diligence factor. This episode is essential listening for product security teams, regulatory leads, and engineers seeking to avoid common pitfalls and strategically plan for long-term success in the MedTech industry, particularly regarding FDA premarket considerations and risk management.

    Key takeaways from this episode

    • MedTech startups must integrate cybersecurity from the requirements phase, not as a late add-on, to avoid costly redesigns and regulatory delays.
    • A startup's ability to raise money continuously is paramount, with the CEO's primary role being fundraising.
    • Successful MedTech commercialization requires planning the 'end game' before product development begins, rather than focusing solely on R&D.
    • Startups should seek education and mentorship from industry experts to avoid common mistakes and navigate complex regulatory pathways, including cybersecurity requirements.
    • Investors are increasingly scrutinizing cybersecurity plans during due diligence, making it a critical factor for securing funding.
    • Understanding the difference between functional (what a device does) and non-functional (how it maintains security, integrity, and privacy) requirements is crucial for comprehensive cybersecurity planning.
    • Planning for potential risks and building in security controls like secure boot from the start is more cost-effective and efficient than remediation later.
    • Most medical device startups fail, often due to an inability to reach profitability and secure ongoing funding; strong cybersecurity and regulatory planning aid long-term viability.

    Full episode transcript

Welcome to The Med Device Cyber Podcast. Today, we have a guest, Steve. Steve's been in the industry quite a while and he brings some valuable insights to help startups through their journey to get their device to market. Do you want to introduce yourself a little bit, Steve?

Yeah, sure. Firstly, thank you for having me on. It's a real pleasure to be here. Yes, my name is Steve Bell, and for those that don't know me, you'll know I wear purple if you ever see me on LinkedIn. That's how you can find me. I've been in Med device for just over 35 years. I started my career at Johnson & Johnson, doing sixteen years there. I did the whole transition from open surgery to laparoscopic, so I have a lot of fondness for that whole minimally invasive side of things. Then I did a cardiovascular division within J&J and a women's health division. I was actually part of the team that was looking at Intuitive back in the very early days, when they were just getting going. I then left J&J and I did the California startup thing. I used to commute between Rome and Los Angeles every two weeks. I did that for almost 10 years, which was interesting.

It got to be exhausting.

Yeah, it was. You kind of get used to it, though. You get into the rut. The 405 was actually worse going down from Los Angeles to Irvine than the transatlantic, which was quite bonkers, really. It took me longer sometimes to get down the 405. I did multiple hardcore startups, where literally me and like Brad Sharp started some of the industry companies that we did in a cupboard, in a small cupboard. Literally, one of the startups called Intra that we did there. I did that for a long time, did a couple of turnaround companies, and then I sort of retired. You know, I crashed and burned a few startups quite spectacularly, which is where you get the most learning. But I did well in a few, flipped a few.

Then I was contacted by a really good guy called Martin Frost, who was the CEO of CMR Surgical, which is a soft tissue surgical robotic company. Martin twisted my arm, and I went there for six months to basically go and set up a commercial team and ended up being there six years. Then I said, 'Okay, I think that's long enough now.' Last September, I stepped out, and since then, I'm sort of semi-retired but trying to help the industry, you know, surgeons, young entrepreneurs, startup engineers, to really try and learn all the mistakes that I've made and a lot of my friends make in startups so they don't make the same mistakes. So, I'm doing a lot of that, really, at the minute, trying to help startups to start up the right way.

Yeah, awesome. I call that the