This episode of The Med Device Cyber Podcast features Craig T. Ingram, an expert with 27 years in medtech, discussing the critical yet often overlooked aspects of commercialization in the medical device industry. He highlights how many startups and small to medium-sized enterprises fail due to low customer adoption, attributing this to a lack of a cohesive commercialization roadmap rather than just sales or marketing plans. Ingram emphasizes the multifaceted nature of commercialization, involving ten key components, including regulatory affairs, product design, and alliances. The conversation pivots to the crucial role of cybersecurity, not as an "evil" expense, but as a critical form of insurance against malicious activity and data breaches. The discussion underscores that cybersecurity is intrinsically linked to regulatory compliance, such as HIPAA and FDA requirements, and is essential for preventing patient harm. Ingram also critiques the "move fast and break things" mindset prevalent in some startups, advocating for wisdom and thoroughness over haste. The episode provides valuable insights for product security teams, regulatory leads, and engineers on integrating cybersecurity and smart commercialization strategies from the outset to ensure product success and patient safety.
Key Takeaways
1. Many medtech startups and small to medium-sized enterprises fail due to low customer adoption, often because they lack a comprehensive commercialization roadmap that integrates crucial components beyond just sales and marketing.
2. Cybersecurity in medtech should be viewed as critical insurance and a necessary component of regulatory compliance, rather than just an expense, to prevent malicious activity and protect sensitive data and patient well-being.
3. Regulatory affairs, specifically mentioned as the third component of commercialization, directly incorporates cybersecurity as a requirement for compliance with regulations like HIPAA and FDA mandates, ensuring product safety and market approval.
4. The "move fast and break things" startup mentality can lead to significant challenges and ineffectiveness in commercialization; wisdom and thoroughness are more vital for sustainable success in the medtech industry.
5. Effective commercialization requires understanding that value is not about the cheapest or most expensive solution, but obtaining the best output and addressing specific needs, particularly in cybersecurity where specialized medtech expertise is crucial for FDA compliance.
6. Patient harm, rather than just data breaches, should be the primary concern when considering medical device cybersecurity, as highlighted by the potential for malicious attacks to directly impact the functionality of devices like surgical robots or diagnostic tools.
This episode covers Penetration Testing. It's part of The Med Device Cyber Podcast, hosted by Blue Goat Cyber, focused on practical medical device cybersecurity guidance for MedTech teams.
Welcome back to The Med Device Cyber Podcast. Joined here by the Blue Goat CEO and co-host, Christian Espinosa. And we have a guest today, Craig. Craig, why don't you tell us a little bit about yourself?
Sure. So, my name is Craig Ingram. People call me Craig T. I got that nickname a few years ago when I was able to speak at a business conference with Kiefer Sutherland and Kevin Costner. So, that's how they gave me this little nickname. It's kind of interesting, but I have 27 years in the medtech industry. I started my own medical distribution company when I was a sophomore in college, and then went to Johnson and Johnson, and then started my venture capital-supported career, back-to-back, multiple companies over the years.
And recently, over the last year and a half, I have been doing medtech and healthcare technology consulting to companies to help prevent them, to be quite honest, from going broke. You know, the statistics are very, very high for startup and mid-stage, small-medium enterprise companies of shutting their doors, just because of low amounts of customer adoption. Unfortunately, because commercialization is more of an art than a science, and the deck of cards are stacked against companies when they form and try to commercialize their products and services they offer.
Thanks for the intro. It seems like almost everybody has worked at one of the large organizations. The previous guests on our podcast have worked at Johnson and Johnson as well. So, it seems like everyone's coming from Stryker or Johnson and Johnson or something.
Yeah. I mean, those are the large strategics, right? So, they're the ones that take a gamble on people that don't have a lot of experience to gain that experience. And without those large strategics that literally bring in billions and billions of dollars annually, very few companies would gamble on somebody fresh out of college or in college even.
Yeah, something you said in the intro is interesting to me, because I would think from a business roadmap perspective, if I'm a startup, I'm getting investors, I would have thought about the customer adoption, or client adoption, of my product early on, right? Isn't that part of what investors look at? And isn't that something that should be thought of? Because I mean, if you don't understand your total addressable market and how it's going to be used and how you're going to get it to that market, then like you said, you have a pretty high degree of failure, right? Like, isn't that pretty typical though in an early startup's roadmap?
They're going to tell you yes. But just like a car that's not running well, and a mechanic will look under the hood and start tinkering around with the engine, that's what my company does. We lift up the hood and inspect the engine of the company. And we find that nine out of ten companies do not have a commercialization roadmap or plan. They have a business plan. They may have a sales plan. They may have a marketing plan.
But the sales plans and the marketing plans fit into an overall commercialization plan. And very few companies can literally pull one out that they've created and typed out and is in written format. And yes, that is what investors look at. But when people think of commercialization, they only think of marketing, meaning to let their total addressable market know the products and services they offer, and then selling. Which unfortunately, the vast majority of sales professionals and even the leadership sales professionals are showing and telling. They're not actually selling and using the psychology of selling to get the potential prospect or potential customer to rationalize why they should own the product or service that's being offered.
Hmm. So, the psychology of selling. I've heard this before, people talk about, you know, the product and the features, but they don't really understand like how that solves the problem for the prospect and look at it through the prospect's lens. And there's some psychology behind that, obviously it's emotional intelligence.
Oh, it's even beyond that, right? It's using emotional persuasion dialogue, or emotional persuasion messaging, in a way that attracts.
What does that mean, emotional? Like we do social engineering in cybersecurity, which is sort of conning people using some of these techniques. I'm just curious, like emotional, I think you said emotional persuasion dialogue.
Yeah. So emotional persuasion dialogue has to do with tonality, the words used, and the total framework of the sentence of the questions that are being asked, and the conversation that is being enacted with a prospect, right? Because they're not really a customer until they buy. And once they're a customer, then the goal of that company is to turn them into a client, right? Customers buy once, but clients buy over and over again.
And so the biggest challenge with effective commercialization is multifaceted. Number one, there are ten components of commercialization. The vast majority of chief commercial officers don't know the ten components. They don't. I've asked them—I've asked hundreds and hundreds of chief commercial officers—which of the ten commercialization components do they struggle with the most?
And the vast majority of the time, you can tell they're very uncomfortable answering that question because they're thinking it's just selling or marketing. But they don't think about regulatory. They don't think about product design, or production, or alliances and partnerships, right? They don't think of those different components.
And when it comes to emotional persuasion dialogue, it's the messaging, it's the interaction with the customers, it's the interaction within the team. Being able to understand what is being communicated to our audience that would A) attract them, B) make them want to learn more, and C) pull the trigger, pay for that product or service that's being offered. Too many corporate and company leaders don't think that way. Without customer adoption of the products and services they offer, companies go broke.
And the data from the SBA, the Small Business Administration, is that only up to 40% of companies are ever profitable. That's a problem. Out of that, there are 32.8 million small businesses in the United States. Now that includes every industry, every size of company, everything from a revenue standpoint. But what the SBA has defined as a small company, and also there's not an investment firm, there's not a private equity organization that disagrees with this, but according to the SBA, a small business is considered 500 employees or less, no matter what the revenue is. The revenue could be a trillion dollars a year, but if they have 500 employees or less, they're still considered a small business because it's not revenue-based, it's employee size-based.
And so, out of 32.8 million companies in the United States in 2024, for example, that employs 99.2% of the US population. But here's the problem: 50 to 55% of companies literally shut their doors because of low customer adoption of the products and services they offer within five years. 72 to 77% of companies shut their doors before they get to blow out their ten candles for their tenth year anniversary.
So the deck of cards are stacked against business success. And people say, "Well, Craig, business is more than just the financial success." No, it's not, because the business is not sustaining itself. It cannot serve the world in the products and services that these people need. So if a business is failing financially, it's always, always, always due to two things: low customer adoption of the products and services they offer, or mismanagement of expenses. That's what it boils down to.
Speaking of expenses, so one of the things that Trevor always says, and I'm curious about your take as well, Craig, he always says that cybersecurity is a necessary evil because most organizations think of it as an expense that doesn't actually add any value. I'm curious what your take is, Craig, from your experience in the industry. Do most medtech manufacturers think of cybersecurity as a necessary evil or do they think, "Okay, this is a value-add, so my device is going to be maybe adopted more because it's proven secure over somebody else's in a healthcare delivery organization?"
Well, number one, it's not evil. What's evil is there are people's hearts and minds and motives that want to hack and crack into other people's secure lockbox in their company, let's say, and do something malicious. Steal something that's not theirs. And so, number one, it's not evil. It's critical. And is it an expense? Yeah, but so is insurance, right? Are people willing to gamble without health insurance, vehicle insurance, homeowners insurance?
Cybersecurity, relatively speaking, is an inexpensive insurance to prevent somebody from breaking into your company's data house and stealing something that's not theirs. But because we have evil people in business, where the word integrity is the latest buzzword but they don't follow it, they're willing to walk into someone's home and steal their stuff. So cybersecurity is your armed guard to take care of your data home.
So no, I don't think it's evil at all. I think it's critical. It's unfortunate we even have to have it, but we have to have it.

I wish people that we interacted with had the same view of things. It's often one of those things that's pushed to the back. And I like the analogy to insurance and it even can tie right into cybersecurity, like ransomware insurance. That's something that has popped up recently. A lot of companies are having to get that, be compliant with that. To get ransomware insurance, there are a lot of boxes you have to tick.
The same way to get health insurance at a decent rate, you can't be a smoker, you can't have a heart condition, stuff like that. If you want to get ransomware insurance, you need to do penetration tests. You need to have cybersecurity compliance in your product. And it is unfortunate that it's something that's required. But, you know, like you said, there are a lot of bad guys out there taking a look at how can we try to steal anything we can. Christian and I were just talking about how when you stand up a product or an AWS instance or something out on the internet, within like an hour, you've already gotten scanned 5,000 times. And that's no exaggeration. It's literally about 5,000 times.
And so people are doing anything they can to just grab onto anything that's left out there. If it's not nailed down, someone will take it. And so, sure, it's inconvenient. It's expensive. There's a lot that goes into it, but is it more expensive to pay for a penetration test or is it more expensive to get fined by violating HIPAA compliance, things like that? So, a lot of it's a balance, but, you know, obviously doing it right, it's the same as paying an insurance premium. You hope you never need it, but when you do need it, you're really happy that you got that penetration test, you have all those controls, you have your SOC 2, Type 2, whatever it is. Yeah.
When we're dealing with people, you know, we deal with people that aren't perfect, and then we deal with people who choose to be malicious, right? There's a difference between accidental mistakes and intentional maliciousness. And I think from a standpoint of, you know, regulatory, for example, so regulatory is, or regulatory affairs is the third component of commercialization. And people go, "What do you mean?"
Well, if you're in healthcare in any way, shape, or form, and you're going to be offering your product to a healthcare patient treatment entity like a hospital, surgery center, any long-term rehab facility, or even if it's somewhat potentially over the counter, you're dealing with regulatory processes and you have to be cleared or approved in order to offer that product or service to the marketplace.
And from a regulatory affairs standpoint, cybersecurity fits right in to commercialization component number three, and that's regulatory, right? Because you want to be compliant because you mentioned HIPAA, right? Whether I agree with HIPAA or not, there are some real like, if I get cancer and somebody finds out I have cancer, who cares, you know? Like it doesn't, it's not going to cure my disease, right? Like I just, it doesn't matter to me who knows. What matters though is some of the intricate details like Social Security numbers and things like that that it's attached to, that people can be malicious with.
So yes, cybersecurity in a digital-based age is 100% critical, especially in commercialization component number three, and that's regulatory affairs.

You know, I think you bring up a really great point there. When I'm first meeting someone, if they ask, you know, "Hey, what do you do?" While of course what we're doing is cybersecurity, I typically default more to saying regulatory affairs, and the reason for that being is, you know, cybersecurity is, I guess, the action, and regulatory affairs is the actual goal.
Nobody would come to get cybersecurity services. No one would come to get penetration testing on their devices, have all the documentation that they need if it wasn't required by the regulations. Well, I won't say nobody. There are some manufacturers out there and they're super proactive about cybersecurity. Even if they have a cleared device and they've already done their annual pen test, they go, "Yeah, we're just, you know, want to be sure." Stuff like that. And so I'm not saying it's an absolute rule.
But it is all at the root of regulatory requirements. Penetration tests have to be done in a specific way. It has to be done this way for the FDA, has to be done this way for HIPAA. Has to be done this way for SOC 2. So everything goes to those regulations, you know, at the core.

No. It's interesting, right? Because you think about, you think about cybersecurity and you were just talking about when people say, "Well, what do you guys do? Who's Blue Goat Cyber?" Right? If you guys hired me as somebody to work on your commercialization, right? I would say, "You know what we do? We prevent malicious activity and people from coming into your data house in your company. That's what we do. We are the Fort Knox for your data."
Yeah. So, it's interesting because this is one of the conversations Trevor and I have quite a bit, and we've talked about HIPAA data a little bit, but from the FDA lens and from our lens, it's like the data is almost secondary. The real thing we look at is, if I can hack into a medical device, what harm can I cause a patient? If it's a surgical robot, can I cause it to paralyze somebody? If it's an IVD system, can I cause it to turn a true positive diagnosis into what looks like a true negative for something like sepsis, and, you know, kill somebody?
So, we look at it through that lens and it's like the data, you know, we have HIPAA and all that other stuff to protect the data supposedly, but the data is almost like secondary. I mean, it really is secondary to the patient harm. So, I always look at it through that lens.

Yeah, that's a great lens to look through, right? Let's be honest, surgical robots are here to stay. Again, everybody can comment on, do they shorten recovery time? Do they give a patient a better outcome? There are valid points on both sides.
But here's the truth: if a surgeon is at a console and they're doing surgery, and if somebody was able to hack in through the means necessary and take over the controls while the surgeon, and the surgeon is like fighting against the other person on the other line, let's be honest, trying to manipulate it. 100% that would cause harm. And so you're right, cybersecurity is not just about data, but it's about preventing malicious activity, whatever that activity may be. There may be 4,000 different types of activities. And that's why it's important, right?
And so as somebody who chooses to be a chief commercial officer, it is part of their job to make sure that cybersecurity is part of that commercialization strategy, working obviously with the IT department and everything, to make sure that there are safeguards in place. Because whether it's the EUMDR, which is like the version of the US FDA, or of the FDA here in the United States, for example, they're going to need to know that there's some type of Fort Knox security within that platform, whatever that platform may be.
So, yeah, it goes hand in hand with effective commercialization.

Do you feel, because you've been in the industry quite some time, that medical device manufacturers, medtech innovators have gotten better at cybersecurity and some of these regulatory affairs that tie to cybersecurity? I guess, have they gotten better?

Of course they have, right? Because it's part of the mandate that the regulatory bodies require, right? If there hasn't been or if there wouldn't have been a requirement, then it wouldn't be so forefront of people's mind, right?
And so the goal is not to buy the cheapest, not to buy the most expensive, but to buy the program or work with the cybersecurity company that brings the best value for the buck, right? And so if somebody pays a dollar and they can get five things, and there's another company they pay a dollar and you get two things, well, they're going to have to really look at the difference and go, "Do I need those extra three things even though it's the same price? Will it add more complexity?"
People get confused between the word easy and simple. But simplicity doesn't mean easiness, and easiness doesn't mean simplicity. And so the goal is what is going to bring the most simplistic yet most effective prevention of penetration possible into that medical device, into the clinical study process or data to mess with that clinical study. Maybe for that biopharma drug that needs to come out. Maybe it's a lab test, maybe it's a diagnostic tool, right? And that diagnostic tool is used live through the internet. So we have to prevent someone being able to take over or manipulate the data, or take over the controls like I was saying earlier in that medical device robotic situation.
Yeah, you brought up a couple things I wanted to highlight and then I'm going to throw it over to Trevor. One is, and I agree. Basically, you alluded to the fact that the guidance has come out. There's a mandate that makes people have to consider cybersecurity because from my experience, nobody cares about cybersecurity unless there's a compliance driver, right? Or they've got a data breach. Compliance driver or not, they should care because if they get in trouble, meaning if their product ends up not working, well, the trouble is they're not going to get high rates of customer adoption.
Trying to get high rates of customer adoption when everything's working perfectly is very, very difficult, right? So, they should actually have this top of mind immediately. And then the second thing is, you're talking about like if I choose a vendor and I, you know, spend a dollar and get five things versus a dollar and get two things. This is the challenge we have selling to the industry: people don't know what they don't know. So it's a lot of consumer education through the process, because manufacturers will often choose a traditional, I like to say traditional, cybersecurity company that doesn't specialize in medtech and doesn't understand the FDA or MDR.
And then they do this testing and they get all these rejections when they submit their packet to the FDA because the cybersecurity company didn't do things appropriately, right? So, it's like we try to teach that awareness, but it's still like this major challenge because they think, "Oh, I spend a dollar, I get these five things," but they should spend the dollar and get two things from us because the two things from us actually matter versus the five things that don't matter. So, I'm just curious what your take is on that, Trevor, and then we'll throw it back over to Craig.
Yeah, I think that we see it's hard to hit that balance point and, you know, the information on what you need to do is out there. The regulations that the FDA calls out that you need to follow are available. You can read what steps you need to go into a penetration test. But I don't think that all these manufacturers do it. They just want someone who already knows this stuff. They say, "Hey, we don't want to have to figure out how NIST special publication 800-15 guidelines work."
That's a lot of reading and a lot of stuff about penetration testing that we don't want to do. Someone else should figure that out. And it kind of goes back to saying, you know, like that publication that is the golden standard for the FDA. But if you're looking at HIPAA compliance, you don't have to follow the same guidelines that you do for an FDA test. You have to do other things, but it is, you know, if you're paying for a penetration test, you might get, like you said, these five things. And you really need these three things. And so these two things are bloat. And then the three things that they are providing aren't done properly.
And so we'll get clients who say, "Well, yeah, we got, you know, the cheapest pen test we could find. It was just standard run-of-the-mill testing firm trying to test our device and we got kicked back. What's going on?" They'll send us their deficiency notice from the FDA. I'll read it. And, you know, it says the same thing that it always says, which is you never accounted for patient harm. You never accounted for protected health information data loss. And then I think, inversely, going way too overboard, and I think this might be sort of like a reactionary response from clients who have received a rejection in the past, they'll say, "We want you to test everything on the device."
And I go, "Great, we can do that." And then they say, "And then we want you to carve it apart. We want you to, you know, try fault injection onto every chip. We want you to try to break into the debug ports. I want you to dismantle everything, like every single piece." And I go, "Why? You don't need to do that. It's not a requirement. You don't have to shred this device apart." And they go, "Well, the FDA says you need to have a control in place for these things." And we go, "Yeah, the control in place is someone would need to, you know, take like a crowbar and smash the machine to get to these chips. And I think you'd notice if someone did that."
So clients will, you know, manufacturers, they'll just swing back and forth into each direction. They're not sure where that middle ground is. And that's why we recommend you have to find someone who knows how to do a medical device FDA-centric penetration test. And then like we know the balance. We know how to get a device. We know what we have to test. We know what the documentation looks like because we've done it a thousand times. And so it's just a run-of-the-mill process at this point.
But, you know, a lot of manufacturers will try to push this off to their internal cybersecurity team and they're like, "Oh yeah, we got through our ISO 27001. We know what