    Episode 68 · May 6, 2025 · 45m listen · 3,972 words · ~20 min read

    Data Protection in Medical Devices: A Deep Dive with Kevin Derr | Ep. 19 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 68 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery are joined by Kevin Derr, a co-founder of Neuron Sphere. With over two decades of experience in data management, including more than 16 years specifically within the medical device industry at major companies like Stryker and Johnson & Johnson, Derr brings a wealth of expertise to the conversation. He explains the genesis of Neuron Sphere, which was born from the frustrating and inefficient process of building data platforms for medical devices. He describes spending years stringing together 15 to 25 different SaaS products to create a single, compliant data ecosystem. This experience led him and his co-founder, Brian Green, to productize the solution, creating a toolkit that enables medical device engineers to develop and deploy data-driven products and AI/ML algorithms quickly and securely. Derr outlines Neuron Sphere's unique approach, which straddles the line between traditional SaaS and on-premise software. Instead of hosting customer data, Neuron Sphere provides a platform that is deployed within the customer's own AWS cloud environment. This innovative model ensures that the medical device manufacturer retains complete ownership and control over their data throughout its lifecycle. Derr argues that this is a critical advantage from a cybersecurity and compliance perspective. By keeping the data within their own controlled and validated infrastructure, companies can drastically simplify their trust chain, reducing the number of Business Associate Agreements (BAAs) and mitigating risks associated with third-party data handling. This allows engineering teams to focus on innovation and product development without being slowed down by complex vendor management and security audits, enabling a compliant platform to be up and running in under two weeks. The discussion broadens to the overall state of cybersecurity in the MedTech industry. 
Derr and the hosts agree that while the industry is making progress, it moves slowly, like a 'big ship that turns slowly.' This inertia is often due to the primary focus on patient safety and effectiveness, which can sometimes overshadow security until the final stages of development. However, a significant turning point has been the new FDA guidance issued in late 2023, which mandates that cybersecurity be addressed much earlier in the New Product Development Process (NPDP). This is forcing companies, especially startups, to integrate security from the outset, rather than treating it as a last-minute checklist item before submission. The conversation also highlights the persistent cultural challenge where developers, often under tight deadlines and without formal training in secure coding, prioritize functionality and speed over robust security practices. The consensus is that while regulatory pressure is helping, a fundamental shift in development culture is still needed to truly advance the industry's security posture.

    Key takeaways from this episode

    • Neuron Sphere was created to solve the challenge of building compliant data platforms for medical devices, which often required integrating 15-25 different SaaS solutions.
    • The company provides a toolkit that enables engineers to quickly develop and deploy data products, AI, and ML algorithms for their medical devices.
    • Neuron Sphere's platform is deployed within the customer's own AWS environment, allowing the customer to maintain full ownership and control of their data.
    • This data ownership model simplifies compliance and security by keeping data within a controlled infrastructure and reducing the number of third-party vendors in the trust chain.
    • The MedTech industry is often slow to adopt new cybersecurity practices, traditionally prioritizing device functionality over security until late in the development cycle.
    • New FDA guidance is forcing a positive shift, compelling manufacturers to consider cybersecurity requirements much earlier in the product development process.
    • A common false assumption among engineers is that hospital networks are inherently secure, leading them to de-prioritize security in their device design.
    • Tight deadlines and a lack of formal training in secure coding are fundamental issues that contribute to cybersecurity being treated as an afterthought during development.

    Full episode transcript

    Christian: Hi, welcome to the Med Device Cyber Podcast. I'm your host, Christian Espinosa, along with our co-host, Trevor Slattery. And today we have a guest, Kevin Derr. Kevin is from Neuron Sphere. You want to tell us a little bit about what you do, Kevin, at Neuron Sphere, and maybe a little bit about your background in the MedTech industry?

    Kevin: Yeah, sure. Good morning, Christian and Trevor. Um, yeah, so I've spent, uh, the last 20-some-odd years, uh, working with data, and in the last 16 or 17 years I've been completely focused in the medical device area. So I started at Stryker, uh, moved on from there to Auris Surgical Robotics, which got acquired by Johnson & Johnson. Um, and then we started Neuron Sphere. And when we started Neuron Sphere, we decided, or we were trying, to give a toolkit to engineers working in the medical device industry, uh, which they could use to develop data products, right? So I spent the previous 10 years stringing together 15, 20, 25 different SaaS companies and systems to make a data platform. Um, and all of the challenges that come with that. And then one of my architects, a gentleman named Brian Green, came to me one day and said, hey, I think I figured out how to make this into a product and, uh, not make it so specific to a company. Um, and that's how Neuron Sphere was born. And so in 2020, we broke out of J&J and we started Neuron Sphere. Um, and the idea is to give a toolkit to engineers to help them productize their data, develop new AI, ML algorithms for their medical devices, get them out to those medical devices, staying compliant with both cybersecurity and FDA regulations. Um, and that's what Neuron Sphere is. It's a toolkit. Um, it bleeds the, it, not bleeds. It straddles the line between SaaS and software. So we don't deploy like a typical SaaS solution. So, uh, that is pretty unique to a Neuron Sphere deployment. You maintain ownership of your data throughout the life cycle of your data platform with Neuron Sphere. Um, and that does a number of things from the security perspective, right? It makes things like BAAs a little bit easier because it's one vendor out of the trust chain, right? Um, but, uh, yeah, so that's what Neuron Sphere is in its shortest, uh, description: a toolkit for engineering teams to be able to make good data products, whether it's in R or it's in Python or it's in C++. Like, the language is not so much of a concern to Neuron Sphere, because Neuron Sphere is about keeping your AWS infrastructure in a state of control, um, doing things like spinning up resources automatically when you need them. Um, but, uh, the idea is to enable engineers to be compliant without having to slow down. Uh, so a Neuron Sphere install takes less than two weeks. Um, and, uh, you can be up and running and exploring your data. So.

    Christian: Awesome. I think it's interesting, a lot of people that have kind of broken out and started their own organization in MedTech came from, you know, one of these larger companies like Medtronic or Stryker, like you mentioned, or J&J. Uh, Trevor, like from your perspective, uh, we look at protecting the data. Uh, with something like Neuron Sphere, I'm not sure how familiar you are with it, Trevor. What do you see as some of the cybersecurity challenges, uh, with data and kind of managing the data throughout the life cycle?

    Trevor: Well, the big one, which Kevin already kind of touched upon, is if you don't maintain ownership of that data, you don't have control of where it is. And if you're sending that into, like, a hosting provider or something, they might not have the same sort of controls that you would want to implement on your data protection. So, having that control over your own data is, I think, a really important point to touch on, and it's really good that you guys have a solution that makes sure that, you know, you're not just giving the data away to someone, and they handle it a different way. Um, that's probably one of the bigger concerns that we see from our clients trying to get through the whole cybersecurity process: they're a little bit afraid of, oh, well, who's getting this information? You know, cybersecurity is a sensitive topic. We're giving you guys a lot of sensitive information to build out these packets. Where's it going? What is the FDA doing with it? What is that, you know, static testing tool you're doing? How is that taking our source code? So, data management, data protection, IP protection are at the front of everyone's mind, especially when they're coming up with a new product or working for a startup. So it's good to have some controls around that to protect it.