    Episode 012 · April 22, 2025 · 33m listen

    Cybersecurity Challenges & Trends in US MedTech with Paul-Lukas Hoffschmidt | Ep. 17

    Episode Summary

    In this episode of The Med Device Cyber Podcast, host Christian Espinosa and co-host Trevor Slattery are joined by Paul-Lukas Hoffschmidt of Alpha Sophia. Paul's company provides a commercial intelligence platform designed to help medical device, digital health, and life sciences companies successfully launch their products in the complex US healthcare market. The platform assists these innovators in identifying and engaging with the most relevant healthcare providers, including physicians, practices, and hospitals, for their specific products, thereby optimizing their go-to-market strategy. The core of the conversation delves into the current trends and significant challenges facing MedTech startups as they navigate the path from product development to market adoption.

    The discussion highlights several key industry trends. A primary argument made by Paul is the growing dominance of the US healthcare market as the initial launchpad for MedTech startups, a trend fueled in part by slower and more complex regulatory processes in regions like Europe. This dynamic makes the US an attractive first market for both domestic and international innovators. Another significant shift is the evolution of medical devices from purely physical hardware to hybrid systems that incorporate software, cloud connectivity, and AI. This convergence of hardware and software underscores the increasing importance of robust cybersecurity measures from the earliest stages of product design. The podcast also explores the rise of emerging markets, particularly in the Middle East (UAE, Saudi Arabia, Qatar), which are not only investing heavily in healthcare but are also adopting US regulatory frameworks, presenting strategic expansion opportunities for companies established in the US market.

    Beyond trends, the episode addresses the substantial hurdles startups face. A major challenge discussed is the post-regulatory approval phase, where companies struggle to find and secure the attention of busy healthcare providers. Paul emphasizes that a simple sales approach is no longer effective; startups must develop a sophisticated, omnichannel strategy that involves content creation, conference participation, and multiple touchpoints to nurture potential customers. From a cybersecurity perspective, a common and costly mistake is treating security as an afterthought. Trevor points out that many startups scramble to address cybersecurity requirements just weeks before their FDA submission deadlines, which can lead to major redesigns and significant delays. The conversation also reveals that healthcare providers are becoming more discerning, conducting their own due diligence on device security and no longer relying solely on a regulatory stamp of approval. The overarching advice for innovators is to prepare for a long and resource-intensive journey and to integrate commercial, regulatory, and cybersecurity strategies from the very beginning of their venture.

    Key Takeaways

    1. The US remains the most critical and often the first market for MedTech startups to launch new products, attracting both domestic and international companies due to its size and comparatively faster regulatory pathways than Europe.
    2. The trend in MedTech is a shift away from pure hardware towards hybrid devices that integrate software and cloud components, making cybersecurity a non-negotiable aspect of the initial product design.
    3. Cybersecurity should be 'baked in' from the conceptual and requirements phase of device development, not 'bolted on' at the last minute, to avoid expensive redesigns and delays in regulatory submissions.
    4. Emerging healthcare markets, especially in the Middle East, are rapidly growing and often adopt US regulatory standards, making them a logical next step for expansion after a successful US launch.
    5. Hospitals and other healthcare providers are becoming more sophisticated buyers, conducting their own due diligence on the cybersecurity of new devices rather than just relying on FDA or MDR approval.
    6. Successfully launching a MedTech product requires an 'omnichannel' commercial strategy that goes beyond cold calls, utilizing content, conferences, and multiple touchpoints to nurture leads with busy physicians.
    7. Startups often underestimate the market size for their product or overestimate their product's competitive advantage, making early and accurate market intelligence crucial for success.
    8. The journey from a medical device idea to a successful market launch is a long, expensive, and complex process that requires simultaneous and early planning across regulatory, commercial, and technical domains.

    Transcript
Host: Hi, welcome back to another episode of the Med Device Cyber Podcast. I'm here with Paul, he's a guest, and we also have Trevor, who's our co-host. I'm Christian Espinosa, the founder of Blue Goat Cyber. And uh, we have a guest today, Paul. Uh, he is from Alpha Sophia. Paul, you want to tell us what Alpha Sophia does and how you fit into the MedTech space?

Guest: Yeah, sure. Uh, first of all, Christian and Trevor, uh, thanks a lot for having me on the pod today. Uh, it's a great pleasure, um, spending the next minutes, the hour, chatting with you about the MedTech space, about cybersecurity, and how, how, how, uh, MedTech startups, um, best launch to market in that environment. So with Alpha Sophia, we've built what we call a commercial intelligence platform for the US healthcare market. Um, so that means we've basically built a platform which helps medical device companies, but also digital health companies, and all other life sciences companies, basically anyone who tries to engage with, um, healthcare providers in the US to launch their products to market, find the right physicians, practices, hospitals, and so on to market to, uh, for their specific products, um, and, and, uh, um, uh, use cases they are offering with their products.

Host: Okay, awesome. Given like your experience with these startups trying to find the right audience, uh, what trends are you seeing with, with, in MedTech and people launching their new products?

Guest: Yeah, I mean, there are a few trends. Like first of all, I think the US healthcare market is getting more and more important. I mean, it's always been the largest healthcare market in the world, but that trend is continuing to, to, uh, uh, to, uh, to go on, um, especially with regulatory processes in Europe, for example, being a bit slower at the moment, uh, which leads to many MedTech startups, but also digital health startups and so on in, in the, in Europe to, to look to the US market first and first launch on the US market. Um, and then secondly, I think, um, uh, another big trend is that besides traditional MedTech, uh, with physical devices, um, the share of companies who either have a fully digital solution, yeah, maybe I don't know, also maybe an AI or a software-based solution, or companies who have a mixture of both where it's a physical device coupled, coupled with software and so on, is steadily increasing. And that probably also, that's probably also something you are seeing in your work when it comes to helping those companies make sure that from a cybersecurity perspective, every checkbox is marked. I don't know whether you see a similar trend.

Host: What do you think, Trevor? Do we see more devices that are a combination of hardware and software, or more that are just software now?

Trevor: I think it's a pretty solid mix, but what's becoming more uncommon is just pure hardware. It seems like there's always going to be some digital component or a cloud component attached, whether it's only the cloud component or a combination of the two.

Guest: I do agree.

Host: And, and so you're saying, Paul, that in the, the US you feel is one of the bigger markets. Uh, I know that Trevor and I have some discussions and I, I, I think the, the Middle East is going to become a bigger market and then maybe even China. What are, what are your thoughts on that?

Guest: Yeah, and I, first of all, I mean, traditionally the US is at least 40% of the global healthcare market, and then probably from a value-capture perspective, it's even more because average margins in the US are higher compared to other places in the world.

Host: We, we, we have the most health issues in the US too, probably. So that might be a contributing factor.

Trevor: The most health problems and the most expensive healthcare.

Host: Exactly.

Guest: But, but that being said, you're totally right, especially like the Middle East is really ramping up. Um, I think a few weeks ago, uh, Arab Health in Dubai was I think one of the largest, uh, uh, trade shows in the space, um, that was ever held. Um, and, um, you also see company, uh, country, uh, governments heavily investing into, into healthcare. And then, of course, I think what, what is quite favorable for those environments, especially the Middle East, is that they often adapt methodologies and, and regulatory pathways from the US, for example, I don't know. For example, the American Medical Association terminology is also being used widely in the, in the Middle East. Um, so it's quite easy, yeah, comparatively, for, for companies who are used to the US healthcare market to then also launch products, um, in, in, in the Middle East, for example.

Host: Yeah, I, I saw a lot of, uh, posts about Arab Health. We missed that one. We'll be at MedTech World in Dubai in a couple of weeks, though. So, a little bit smaller event, but next year we'll be sure and hit Arab Health. I know Trevor has, uh, some connections in Saudi Arabia. We're trying to get into that market over there as well as UAE and, uh, Qatar. I think those are a few areas that are kind of like, it's like the race to see who can be the, the MedTech hub of the Middle East, I feel like, over there.

Guest: What's your impression? Is it, are, are those countries predominantly, um, a healthcare market in terms of a buyer of medical devices or medical, medical software solutions, um, or are they also, is there also innovation from a manufacturing point of, uh, point happening in those countries?

Host: Yeah, when I was in Dubai last, I, I did this tour where they had the, um, the sheikh's vision of the future. And they are really trying to make a lot of innovations in healthcare. Uh, so I feel like they want to become the manufacturer as well as the buyer, kind of, kind of both, really. Yeah. What, uh, I know you primarily help the, the organizations get their product in the right hands and the right, uh, audience. But what, what is like some of the biggest hurdles these startups have? Uh, we know what the hurdles are from cybersecurity, but, you know, when they get the device cleared by the FDA or MDR, then what happens from your perspective? Like what are the hurdles that they, they, they have?

Guest: Yeah, so we usually start engaging with our customers, um, usually one or two years before they reach final FDA approval at the earliest or when they already have launched products to market and want to further accelerate growth, um, or have an established product line on the market and want to open up further, uh, potential customer cohorts. Um, so we are from a, from a stage perspective, we are a bit later, or later than you usually engage with your customers, which is to my understanding, rather in the early R&D phase or, uh, late R&D phase where you help them with, with cybersecurity issues and making sure everything is in compliance. Um, I think the biggest issue for any manufacturer of, of medical products is still how do you get, first of all, how do you find the right potential customers, the right physicians, practices, hospitals and so on to talk to, and then secondly, how do you get the attention of those busy doctors where, um, doctors are super busy. Um, you might get, I mean there's this traditional saying of maybe catching them at the operating room sink for a few minutes and then you have like two, three minutes to make your point, and that is getting harder and harder. So you need to be more creative when it comes to building what we call an omnichannel strategy of approaching or nurturing those potential customers over time to, to warm them up for your, for your, um, uh, for the products and services you're selling and then to eventually convert them into customers. Um, and the best thing to do is basically, um, don't, don't think there is a silver bullet out there, but you need to find first of all a really specific, right customer cohort for you so that you're not spending any resources on, on potential targets who will never convert because they can't use your product or are not a good fit, don't have the patients to treat with your product and so on. Uh, and then, secondly, also have, uh, find providers, um, who are actually open to new innovative solutions and are open to adopting them. Um, and then thirdly, um, it's not going to go in a way that you send out one cold, one cold email or do one cold call or do one sample drop at the, at the practice and then suddenly they convert into customers, but it's more like a, you need a 360 degree strategy where you do create content and, and, uh, reach out and nurture those potential customers with your content. You need to be on multiple platforms. So of course you, you need to go to conventions and maybe meet them in person, you need to, to eventually visit them also and show them your solution to build trust, but at the same time, also, uh, build up an audience for, for your company and the products you're selling, for example, on LinkedIn or other, other social media platforms to, to create multiple touch points with your potential, potential customers.

Host: Yeah, it's interesting. You, you, so you start working with your clients, you said a couple of years, one or two years before they, their, their device is on the market.

Guest: The earliest, yeah.

Host: Yeah, with, with us, uh, they typically come to us, uh, manufacturers like, within like six weeks or eight weeks before they're trying to submit to the FDA or the MDR. It's like they kind of like totally forget about cybersecurity until the regulatory authority person says, "Hey, we got to submit all this cybersecurity documentation with our package." And then they, in a panic, reach out to us. So it's, uh, it causes a lot of costly delays for them because we typically find a lot of vulnerabilities. Uh, Trevor, on, on, on average, what, what, how, how quickly, or how soon do people come to us before the submission date, do you think? And then what kind of vulnerabilities do we typically find?

Trevor: I think that, I mean, it's pretty widespread, but unfortunately, it's, you know, usually towards the end, people will come to us even saying, we need to submit in three or four weeks and we completely forgot about cybersecurity. And it's just not feasible at that point. You know, there are often hundreds of pages of documents that you need to prepare, a lot of design changes you need to do, and we're pretty good at finding vulnerabilities in these devices. Especially now that everything has a cloud component, everything has software. Um, the cloud components especially, we find problems constantly. So, when we identify these, it can require some pretty sweeping design changes to maintain functionality while still building in security. And it's something where if they come to us, you know, six months before they're planning to submit, okay, great, they can change their course a little bit, but it's not going to, it's not going to cause anything too dangerous, any major delays. When they're coming to us in these final phases of the submission with a few weeks to go, and then they find vulnerabilities that are going to take a redesign of the product, then they're pushed back by two more months. So, ideally, people come to us as early as possible. Unfortunately, that's not usually what happens.

Host: Of course. I am curious, uh, about both your perspectives on something because I've heard you talk about this before, Trevor, and, um, Paul, you'll probably have a perspective as well. Uh, when a buyer of one of these medical devices is making a purchasing decision, do they actually care about the cybersecurity of the device and like the cyber, the risk associated with the device and how it's going to interoperate, you know, be interoperable with their environment? Is that something that's factored into a purchasing decision? I'll let, I'll let you answer that one first, Paul, and then throw it over to Trevor.

Guest: I think from a, from a security perspective, I think it has always two layers. There's always this, this hygiene layer of, of, of course, uh, physicians or potential buyers expecting that, um, that the device is secure. And, uh, of course, often they use, um, regulatory approval as a proxy for this. But then on top of that, they might ask questions. And if you are trying to sell to them, you better have good answers about that, um, in order to, to, um, convince them about, uh, the safety of your product because, I mean, in the end, those physicians are taking a personal risk using it on their patients. And they want to be 100% sure that the device is safe. Um, I think the second point you mentioned is getting, is really important, is getting more and more important, um, interoperability of those devices because, um, I mean, we all know that from our private life where when we have different devices and they don't work together, we probably stop using one of them at some point because it's just too cumbersome to, to start having them and they don't fit into our other ecosystem. Um, and the same is true for providers. So, they want to make sure that the product fits into their existing medical device environment or, yeah, a suite of products they are using for their, for their treatments.

Host: What do you think, Trevor?

Trevor: Yeah, I agree. I think that we're seeing a lot more awareness in buyers. Um, a lot of manufacturers are coming to us even with a device that's fielded under old guidance, that they don't technically have to do this testing for. And they say, we're getting a lot of customer requests for a penetration test, we need better labeling, how can we figure this out? Um, part of the reform that we've done internally with our process is not only gearing up manufacturers to be ready for the FDA, but getting manufacturers ready for their customers. So, the documentation requirements for the FDA for labeling are going to be the big one that applies here. Uh, they're certainly present, they're fairly comprehensive, but they're not as comprehensive often as what the customers are asking for. So, we've adapted our process a little bit to cover just about anything that anyone could think of. So, anytime a customer comes with any, it's like he said, you know, if a customer is coming with these questions, and they say, well, it's great that it's approved, but we still have these questions about cybersecurity, manufacturers need to have an answer. So, we're trying to gear them up with as many of these answers as we can before they're even cleared, so they're just ready to go as soon as they get to market.

Host: What one thing I was thinking about when, uh, I think Paul you're talking, is from a liability perspective, if I am a healthcare provider and I purchase this medical device and I don't like scrutinize it for cybersecurity, and there's an issue with it, is, am I liable or is the manufacturer liable if, let's say it's a surgical robot that I just kind of ignore the cybersecurity about it and I purchase it, but then the device is compromised from a cybersecurity perspective and, you know, messes up the surgery and paralyzes somebody? In that scenario, like, who's actually liable?

Guest: I mean, I'm not a lawyer to, to, and that probably also depends on the, on the, uh, on the jurisdiction, um, you're in. But in the end, I mean, every, every healthcare practitioner across the board also has also, always like a personal ethos where they want to make sure or need to make sure that they are treating their patients in the best possible way, and that, of course, always applies. So, um, as you mentioned, Trevor, the questions from customers can often be even much harder than what the regulatory body, uh, demands.

Host: Yeah, I think as a, as a user of this device, I would want to make sure I do my due diligence, so I make a decision to, to purchase a device that's actually secure, that's not going to be compromised when I connect it to my ecosystem, uh, because, you know, as a surgeon, I would hate for the device to, to cause some error during the surgery and, and cause some complication. So, I think that the due diligence from the buyer's perspective is probably increasing as that awareness increases. Or, or maybe it's not. I don't know. So a lot of people still don't understand cybersecurity.

Guest: I mean, it also depends, yeah. In the end, there might be customers who don't ask for it, but in the end, as a manufacturer, you want to prepare for your, for the hardest questions that, uh, can approach you from, from your whole potential customer cohort, because once you are not able to answer them, um, that's going to, yeah, uh, circulate in the community. And especially like in small niche therapeutic markets, practitioners speak to each other, they meet at conferences and so on. If it's worded out, "Oh, that company couldn't answer my questions about is that device really safe, um, properly," uh, that's probably not good for your brand and the trust in your product.

Host: Yeah, it's, that's a good point. I guess they talk to each other and, uh, cybersecurity is becoming a little more concerned these days, especially since a lot of devices have been recalled recently. So, so it sounds like people aren't just relying on the FDA or MDR's, like, their stamp of approval. They're actually doing more due diligence, uh, the buyers behind the scenes, which is, which is kind of new to me. I thought most people would just say, "Oh, the FDA approved it, it's good to go from a cybersecurity perspective." But it seems like from your experience and maybe some of what you said, Trevor, too, dealing with some of our clients, that the buyers are actually going deeper than the FDA or the MDR or, uh, PMDA, whatever the regulatory authority is.

Trevor: I think that it's, it's a mix. A lot of, a lot of buyers are just not aware of cybersecurity. And ultimately, I just think it comes down to an awareness problem and an education problem. Um, often times, like a more established, a more developed hospital or a more developed clinic will be a little bit more concerned about things like this, or especially a clinic that's experienced a cybersecurity incident in the past. They're obviously going to be very, very concerned about it. It ties back into that, uh, interoperability area. I think one of the first big attacks that was not targeting healthcare infrastructure, but affecting healthcare infrastructure was WannaCry ransomware, which just tore through hospital networks, and it jumped into medical devices and then moved into workstations, and it would, it would lock up everything that it hit. And so it'd use these devices to move through the network. So, I think customers are getting a little bit more aware of events like that happening. They've heard about the Vegas hacks, they've heard about the, you know, United Healthcare hacks, they've heard about all these different things that have happened. And they don't want it to happen to them. They don't want to be the ones liable, they don't want to be the ones that, you know, get compromised and then they lose customer faith. And so, it's, it's becoming a little bit more in the public eye and something that people are more aware of when they're trying to make a purchasing decision.

Host: I think too, when there's an issue. Last time I went, I almost passed out. The, the, they drilled a filling in, uh, or, uh, a cap or whatever and it, it hurt so badly I almost passed out. So, I've avoided it since then.

Trevor: Well, that's, that's a fair reason.

Host: You know, I had this like, I don't think the Novocain worked or whatever, but, you know, it is what it is. Awesome. Well, we're, uh, coming up on time here. Um, what would you say for, uh, some last-minute words of wisdom, Paul, to a MedTech innovator, uh, that's, let's say it's a, an MD that has a brilliant idea and he's talking to an engineer, like a lot of the startups, and they're just getting started. What, what advice would you give to them?

Guest: Yeah. I think the first thing that everyone should know, it's a long, long journey and you should prepare for that long journey. Um, and I think we, we can both agree, all agree, that it always makes sense to rather tackle potential problems in the future early, when it comes to regulatory or quality things like cybersecurity, or when it comes to the point where you want to launch to market. Um, and one theme that is going to be with you the whole time is that you're always in a resources or budget-constrained environment. So you should always try to get things right the first time, find the right people to talk to, don't waste, in our case, marketing and sales dollars on, on channels or cohorts that don't work, don't, uh, delay your cybersecurity, um, uh, work by too long so that you then have to do a catch-up which is probably more expensive than doing it the first time right and so on. So, prepare for a long road. Um, it's probably going to be a really rewarding one if you're able to, to succeed and bring your solution to market and ultimately help patients. But it's going to be a long and, and, um, long one. Um, and at the same time, I think it can be also a lot of fun, yeah, innovating in such a space where a lot of really passionate people work, where people really care, first and foremost, about making an impact for patients and, uh, I think that can be really rewarding.

Host: When you, when you say a long road, like what, how long are you, are you typically seeing? I mean, it sounds a little bit scary, like, prepare for like this long journey.

Guest: Like different things. It depends on the product. But I mean, it easily can take six years or longer, eight years until you are able to launch to market. I don't know what you're seeing, but it's, I mean, it varies by product class, but, uh, it can take many years until you're able to actually start selling your solution at some point.

Host: Yeah, it's not success overnight. Trevor, what's, uh, your parting words of wisdom?

Trevor: I think, uh, just in general, making sure that everyone's spreading awareness about cybersecurity. Customers are becoming more and more aware. I think at a faster rate than manufacturers. And so manufacturers need to catch up so that they're A) ready for the regulatory bodies, and then they're B) ready for their customers once the time comes.

Host: Well, thanks so much, Paul, for being a guest on the Med Device Cyber Podcast and thanks for tuning in.
