In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery are joined by Kevin Derr, a co-founder of Neuron Sphere. With over two decades of experience in data management, including more than 16 years specifically within the medical device industry at major companies like Stryker and Johnson & Johnson, Derr brings a wealth of expertise to the conversation. He explains the genesis of Neuron Sphere, which was born from the frustrating and inefficient process of building data platforms for medical devices. He describes spending years stringing together 15 to 25 different SaaS products to create a single, compliant data ecosystem. This experience led him and his co-founder, Brian Green, to productize the solution, creating a toolkit that enables medical device engineers to develop and deploy data-driven products and AI/ML algorithms quickly and securely.
Derr outlines Neuron Sphere's approach, which straddles the line between traditional SaaS and on-premise software. Instead of hosting customer data, Neuron Sphere provides a platform that is deployed within the customer's own AWS account. The medical device manufacturer therefore retains ownership and control over its data throughout the data lifecycle, which Derr argues is a concrete advantage from a cybersecurity and compliance perspective: the data stays inside infrastructure the manufacturer already has to control and validate, the trust chain gets shorter, and the number of Business Associate Agreements (BAAs) drops because the platform vendor never touches protected data (the BAA is with AWS, which houses it). The caveat Derr raises himself is that this shifts responsibility as well as control: the platform is built with ISO 27001, ISO 13485 and SOC 2 Type II controls in mind, but the customer must keep its own environment compliant, and nothing stops a customer from misconfiguring it. The payoff he describes is that engineering teams spend less time on vendor management and security audits, with an install taking under two weeks.
The discussion broadens to the overall state of cybersecurity in the MedTech industry. Derr and the hosts agree that while the industry is making progress, it moves slowly, like a 'big ship that turns slowly.' This inertia is largely due to the primary focus on patient safety and effectiveness, which can overshadow security until the final stages of development. A significant turning point has been the FDA cybersecurity guidance issued in September 2023, which requires that cybersecurity be addressed much earlier in the New Product Development Process (NPDP). This is forcing companies, especially startups, to integrate security from the outset rather than treating it as a last-minute checklist item before submission. The conversation also highlights the persistent cultural problem where developers, often under tight deadlines and without formal training in secure coding, prioritize functionality and speed over robust security practices. The consensus is that while regulatory pressure is helping, a fundamental shift in development culture is still needed to advance the industry's security posture.
Key Takeaways
1. Neuron Sphere was created to solve the challenge of building compliant data platforms for medical devices, which often required integrating 15-25 different SaaS solutions.
2. The company provides a toolkit that enables engineers to quickly develop and deploy data products, AI, and ML algorithms for their medical devices.
3. Neuron Sphere's platform is deployed within the customer's own AWS environment, allowing the customer to maintain full ownership and control of their data.
4. This data ownership model simplifies compliance and security by keeping data within a controlled infrastructure and reducing the number of third-party vendors in the trust chain.
5. The MedTech industry is often slow to adopt new cybersecurity practices, traditionally prioritizing device functionality over security until late in the development cycle.
6. New FDA guidance is forcing a positive shift, compelling manufacturers to consider cybersecurity requirements much earlier in the product development process.
7. A common false assumption among engineers is that hospital networks are inherently secure, leading them to de-prioritize security in their device design.
8. Tight deadlines and a lack of formal training in secure coding are fundamental issues that contribute to cybersecurity being treated as an afterthought during development.
Frequently Asked Questions
Quick answers drawn from this episode.
Who is this episode for? It's most useful for medical device manufacturers, cybersecurity engineers, regulatory affairs professionals, and MedTech founders preparing for FDA review.
Christian: Hi, welcome to the Med Device Cyber Podcast. I'm your host, Christian Espinosa, along with our co-host, Trevor Slattery. And today we have a guest, Kevin Derr. Kevin is from Neuron Sphere. You want to tell us a little bit about what you do, Kevin, at Neuron Sphere, and maybe a little bit about your background in the MedTech industry?
Kevin: Yeah, sure. Good morning, Christian and Trevor. So I've spent the last 20-some-odd years working with data, and in the last 16 or 17 years I've been completely focused on the medical device area. I started at Stryker, moved on from there to Auris Surgical Robotics, which got acquired by Johnson & Johnson.
And then we started Neuron Sphere. When we started Neuron Sphere, we were trying to give a toolkit to engineers working in the medical device industry, which they could use to develop data products, right? I spent the previous 10 years stringing together 15, 20, 25 different SaaS companies and systems to make a data platform,
and all of the challenges that come with that. Then one of my architects, a gentleman named Brian Green, came to me one day and said, hey, I think I figured out how to make this into a product and not make it so specific to a company. And that's how Neuron Sphere was born. So in 2020, we broke out of J&J and we started Neuron Sphere.
The idea is to give a toolkit to engineers to help them productize their data, develop new AI/ML algorithms for their medical devices, get them out to those medical devices, staying compliant with both cybersecurity and FDA regulations. That's what Neuron Sphere is. It's a toolkit.
It straddles the line between SaaS and software. We don't deploy like a typical SaaS solution, so that is pretty unique to a Neuron Sphere deployment. You maintain ownership of your data throughout the life cycle of your data platform with Neuron Sphere.
And that does a number of things from the security perspective, right? It makes things like BAAs a little bit easier, because it's one vendor out of the trust chain. But yeah, that's what Neuron Sphere is in its shortest description: a toolkit for engineering teams to be able to make good data products, whether it's in R or Python or C++. The language is not so much of a concern to Neuron Sphere, because Neuron Sphere is about keeping your AWS infrastructure in a state of control, doing things like spinning up resources automatically when you need them.
The idea is to enable engineers to be compliant without having to slow down. A Neuron Sphere install takes less than two weeks, and you can be up and running and exploring your data.
Christian: Awesome. I think it's interesting, a lot of people that have kind of broken out and started their own organization in MedTech came from, you know, one of these larger companies like Medtronic or Stryker, like you mentioned, or J&J. Trevor, from your perspective, we look at protecting the data.
With something like Neuron Sphere, I'm not sure how familiar you are with it, Trevor. What do you see as some of the cybersecurity challenges with data, and kind of managing the data throughout the life cycle?
Trevor: Well, the big one, which Kevin already kind of touched on, is if you don't maintain ownership of that data, you don't have control of where it is. And if you're sending that into a hosting provider or something, they might not have the same sort of controls that you would want to implement on your data protection.
So having that control over your own data is, I think, a really important point to touch on, and it's really good that you guys have a solution that makes sure that, you know, you're not just giving the data away to someone who handles it a different way.
That's probably one of the bigger concerns that we see from our clients trying to get through the whole cybersecurity process: they're a little bit afraid of, oh, well, who's getting this information? You know, cybersecurity is a sensitive topic. We're giving you guys a lot of sensitive information to build out these packets. Where's it going? What is the FDA doing with it? What is that, you know, static testing tool you're doing? How is that taking our source code? So data management, data protection, IP protection are at the front of everyone's mind, especially when they're coming up with a new product or working for a startup. So it's good to have some controls around that to protect it.
Kevin: Yeah, it's interesting, if I could jump in there with a little bit of a story. You know, all of my career, whether it was Stryker, J&J or Auris, one of the things that I struggled with as a purchaser, right? So as a director of whatever I was directing at the time, right? Even middleware, back in the day when I was directing the middleware team.
You always have this conversation as a medical device company with vendors that starts out great. They've got a solution, we've got a problem. The problem gets fixed with their solution.
And then it comes time to do your 510(k) filing and quality gets involved in the conversation, right? You start doing things like actually going through the rigorous level of testing that you have to do for V&V. And you figure out that the infrastructure that you're running at this said vendor is not compliant with, you know, 13485, whatever the ISO rule is, 27001, right?
Then you go to your vendor and you find out, oh, if you want those controls, you have to go to the medical-grade version of this service, right? And then you wind up having to pay a premium. That was a pattern that repeated for me everywhere I went. One of the things that Brian and I tried to do with Neuron Sphere was solve that. Our solution for that was to just give you ownership as a customer of Neuron Sphere. You own it, you run it in your infrastructure. So if you're 13485 compliant, or you're 27001 compliant, you keep your environment that compliant, you're good, right? And you have to do that as a manufacturer anyway. So it really does simplify that portion of running a data ecosystem, running a data platform.
Christian: So you're saying that it solves the challenge, like if I have HIPAA data and I put it in AWS, there's the normal AWS which costs a certain amount, but there's also the HIPAA-compliant AWS which costs more, right? So you're saying it solves that challenge.
Kevin: Yeah, I just don't like your analogy with AWS, because the infrastructure provider is AWS, right? So they are the data center.
Christian: Sure.
Kevin: It would be more akin to running some kind of distributed Airflow environment, and your vendor who's running your Airflow environment is, you know, not compliant.
Well, here, you buy the software, right? When you buy a license from Neuron Sphere, you're not just licensing a space in HMD Labs or our company's cloud. No, you're buying an install of Neuron Sphere that you're going to run in your AWS environment. So there's no BAA that needs to be signed with Neuron Sphere, right? Because your BAA is with AWS, because they're housing your data. In my past life, I would have a BAA with every vendor that was in that chain. So that's kind of what I'm talking about. It's not so much solving something with AWS. AWS has a great solution for being HIPAA compliant. Their BAA program is very easy to understand, it's very easy to implement. But it removes one piece of that complexity, being us as the vendor providing the solution on top of AWS, right?
Christian: So all the cybersecurity controls are up to the organization to implement (Kevin: Yes.) versus, I guess, having them transferred over?
Kevin: Yeah. So we like to say Neuron Sphere is architected to be compliant, which means that we created Neuron Sphere with all of the ISO 27001, 13485 and SOC 2 Type II controls. All of those types of controls are architected into the Neuron Sphere ecosystem. That way, we try to make it as easy as possible for our customers to be compliant. But with taking ownership of your data with Neuron Sphere and controlling your own fate with your data, it also means that you need to make sure that your compliance is held, right? So we can give you the tools, but our customers could still, you know, break the rules.
Trevor: So I think the whole issue is, you only need to make one mistake for someone to get in. You have to fix, you know, 200 different problems, and if you fix 199 problems, you think, oh, you know, that's almost perfect, but it's not perfect. If there's one problem, one little chink in the armor, you know, someone's going to find it. There are all these web scrapers and tools just coming over the internet 5 million times a day trying to look for those little tiny holes, those little misconfigurations in an S3 bucket. So it's kind of the, you know, the good guys need to get lucky every time, the bad guys need to get lucky once.
Christian: Yeah, exactly. I was on a podcast yesterday and we were talking about standing up an AWS instance. I've stood them up before and within like 30 seconds, it's been scanned like a thousand times by somebody trying to break into it. Like, it just came online, right? So I was trying to explain, you know, what the landscape is really like. There's all these attacks going on, but we can't see them. It would be like a hundred people running through the parking lot and checking every door to see if there's an unlocked car in the parking lot and trying to break in. You know, it's pretty crazy the amount of attacks that are just propagating incessantly out there.
Kevin: And I mean, it's been getting worse and I think it's only going to continue, right? The tools on both sides of the attacking equation, the defenders and the attackers, the tools are just always getting better, and there's always more out there.
So, you know, we take an approach with Neuron Sphere that the standards exist for good reasons. There's been a lot of brain power and a lot of effort by a lot of people to get a lot of those standards in place. And so making sure that your ISO 27001, I know I keep referencing that, but it's a big one, right? Making sure that those controls are in place and working is really all you can do, right? It really does give you a good sense of protection, and the biggest thing is, if or when there is a breach, you have hopefully all of the reporting and all of the tools available to both stop the breach and recover from the breach. And that's all you can do in the security space.
Christian: I kind of feel like these standards like ISO 27001 and 27002, which I think defines the controls, I think they're like the minimum. I think people think, this is all I should do: find some random standard out there and follow it. But compliance is the bare minimum, from my experience. I mean, Target was PCI DSS compliant when they had a hack. You know, all these organizations were compliant with the appropriate body, like SOC 2 or whatever, and they still were compromised. So I think it's definitely a good idea to follow a standard or a framework, but you have to go beyond that and think about your environment and how that applies to the environment, and then what the gap is as well.
Kevin: Wasn't that Target attack also like a fringe system? Wasn't it an HVAC system that was compromised that let them onto the network?
Christian: They did come in through the HVAC system, yeah, an HVAC vendor, yep. But I think their credit card system was also vulnerable. It wasn't on an isolated network, as my understanding. I don't know more about that one.
Trevor: Yeah, I think the whole issue is internet-of-things devices are always kind of on the back burner in anyone's mind for security. But really, those are super, super easy ways in. When I was doing a lot of internal penetration testing, nine out of 10 times my first foothold in the network was through a misconfigured printer. They left a default credential or something like that, and then you get domain credentials out of the printer, and then boom, it's game over. Their entire network is toast. So all of these internet-connected things, HVAC systems, credit card readers, thermostats, refrigerators, TVs, how do you know what that vendor is doing for cybersecurity? You know, if you get some cheap TV off of Amazon, great, you have a $90 flat-screen TV, but it connects to the internet and boom, that's, you know, the bad guy's foothold in. So I think there needs to be more awareness around those fringe systems, around these weird components that aren't necessarily just a computer or a server or something people always think of for traditional cybersecurity. You still need to apply it to these internet-of-things devices.
Kevin: Yeah, you know, the other interesting aspect that we deal with in medical devices that we don't see elsewhere, well, I guess you might see it in aerospace or other big controlled systems, is the idea that it's not just about your data security. It's about the impact of that data on the medical device and whether or not there is an impact to the safety and effectiveness of it, right? So we always have to remember that the companies that are building the medical devices are weighing this equation of, you know, heightened security, adequate security, versus not impacting or enhancing patient safety and effectiveness.
And sometimes in the data space, those things are very separate, right? Because your data has been sucked off to some other system and it's up in the cloud somewhere, or it's on this, you know, service team server for being able to service the devices in the field. Typically that data is not overly sensitive. It's, you know, telemetry, it's motors, you know, heat sensors and things like that. But then you have, you know, mosaic data and the idea of, well, you can figure out the date and time of the procedure and you can figure out where the procedure was done, and God forbid there's a doctor's name in that payload, and suddenly you've tripped the HIPAA threshold or the GDPR threshold, right? So there is that side of the security trust chain, which is just ensuring that the data is kept safe and secure. And then there's that whole other aspect, which is making sure that whatever you're doing with that data is not impacting the safety and effectiveness, because sometimes the data trips a logic check and the device behaves differently based on that data, right? And that's an attack vector that I think the FDA is most concerned about. The FDA is more concerned about whether or not the attack vectors are going to have an impact on patient safety and effectiveness. It's less about the HIPAA side of things. The HIPAA side of things is more just regulation.
Christian: Yeah. I've been in the industry for quite some time. I'd like to get your perspective, Kevin. I know the FDA came out and really raised the bar with cybersecurity in September of 2023. Do you feel like the industry is actually progressing in cybersecurity and data protection? Is the MedTech industry actually progressing?
Kevin: Oh, yeah. I've seen it. I mean, when I started at Stryker, like 15, 16 years ago, compared to what I saw Stryker doing when I left Stryker six, seven, eight years ago, right? In the nine years that I was at Stryker, I saw them invest a huge amount of time, people and money into this space.
Now, that being said, prior to joining the medical device industry, I was in the travel industry. I worked for the Hertz Corporation for almost a decade, where I helped them really digitize their entire business. When I started at Hertz, our goal was to do a million dollars of sales a month on the website. When I left nine and a half years later, we were doing like, you know, a couple of million dollars an hour, right? So we went from a fragment of the business to, when I left, like 40% of the sales coming through the website.
I learned more about being compliant with regulations than I ever thought I would have to deal with in a company like a car rental company. I thought, who cares about a car rental company? And then you remember that presidents aren't always presidents, right? Before they're presidents, before they're really famous, they rent cars.
And car rentals have things like your Social Security number, especially in the past, maybe not so much today, credit card information, your home address, your driver's license number, and if you travel internationally, your passport information. They have really sensitive information about you. And they invest huge amounts of money in security and being compliant. The first secure data center I was ever in was a travel industry data center back in like 1999, 2000, something like that.
And so, you know, I learned HIPAA at Hertz. I learned what the HIPAA rule set was, and I made the Hertz call center HIPAA compliant back in 2003, when the stuff was just getting rolled out.
So yeah, I definitely feel like the industry is making big strides. I just think that they're slow. And I think that is not a fault of anyone in the industry. I think that is a natural thing that happens when your primary concern is patient safety; your testing, your rigor is all about ensuring that we're not going to kill the patient with our device, right?
At least that's what you'd like to think. I know that's the case in the big companies that I've been at. I'd like to think that every medical device company in the world has that mindset at its core. So, are they improving in the security space? Absolutely. Is it taking longer than other industries? Absolutely. And I think that is because of this history that we have of dealing with long submission timelines. 510(k) filings have always been, you know, six-plus-month endeavors. It's great to see some, you know, pointed examples over the last five years of people getting things through in 90 or 120 days.
But there is a culture in the industry of slow, steady progress and not killing our patients.
Christian: I'm curious about both of your takes on something. As you were talking, Kevin, I agree, I think we're making slow progress. But I think the fundamental issue, if we roll back the curtain, is most medical device manufacturers will outsource their product development to a team of software developers, or they have a team in house. From my experience, and I'm just curious on both of your takes, software developers do not know how to develop secure code.
And they were never taught to develop secure code. So it's like this, and until that changes, we're not going to get out of the cycle, in my mind.
Kevin: So, yeah, I generally agree with a lot of what you just said. I do think that most people who learned how to write code in school and in their first jobs were taught the right ways to write code, which are structured, with good comments, nice and secure.
And then I think what happens is people get into their jobs, and their jobs have deadlines, and the deadlines become the important thing, and making sure that you don't miss that deadline is the important thing. And all of the other stuff that you learned in school about structuring your code and keeping it secure and making it well documented, all of those things become lower priority.
And I think that for a long time we've operated kind of in that guise, and that is always going to allow for a bad actor to find a place to exploit you, right? So I would never make the claim that if you do it with Neuron Sphere you'll be secure. Like you were saying before, Trevor, I'll never say that it's completely secure.
But know that using tools like Neuron Sphere, you can build systems that are compliant. Try to make sure that the systems that you're implementing are architected from a compliant posture. It's a really important thing. A lot of people think that those are fluff words, but they're really not. If the system is architected for compliance from the beginning, it will save you tremendous amounts of money in making it compliant at submission time. So, yeah, that's my final thought.
Christian: Perfect. Well, thanks so much to everyone for tuning in and we'll see you uh next time.