In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery from Blue Goat Cyber address a critical issue facing early-stage MedTech startups: the tendency to treat cybersecurity as an afterthought. They argue passionately that security considerations must be integrated into the product development lifecycle from the very beginning, rather than being hastily addressed just before regulatory submission. The central problem, they explain, is that many startups, driven by a "move fast and break things" culture and constrained by tight budgets, postpone cybersecurity planning. This delay often results in severe consequences, including significant project delays, budget overruns, and immense frustration. In the worst cases, it can lead to a product failing to get FDA approval or being abandoned altogether due to the prohibitive cost and complexity of retrofitting security controls.
The hosts identify several root causes for this common oversight. One is a simple lack of awareness; founders may not realize that cybersecurity is a mandatory and rigorously scrutinized regulatory requirement until it's too late. Another is the financial pressure on startups, which often operate on shoestring budgets where every dollar is allocated to core product development, making security seem like an expensive and deferrable item. Espinosa and Slattery counter this by asserting that early investment in security is far more cost-effective. They share an anecdote about a potential client who had to abandon their product after years of development because the cost of fixing fundamental security design flaws, discovered at the last minute, was too high. This illustrates the critical impact of making poor hardware and software choices early on, such as selecting a microcontroller that doesn't support essential features like secure boot.
To avoid these pitfalls, Espinosa and Slattery provide actionable advice for MedTech innovators. They champion the "security by design" principle, which involves making security a core requirement from the initial design phase. This includes developing a comprehensive threat model and carefully selecting both hardware and software components with security in mind. Founders are urged to thoroughly vet their development partners—whether in-house or outsourced—to ensure they have experience with MedTech standards like IEC 62304 and ISO 13485, and that they will produce the necessary documentation for a successful submission. The hosts also note that VCs and investors are becoming more savvy about these risks; having a clear cybersecurity plan can therefore be a significant advantage when seeking funding. Ultimately, they stress that cybersecurity is inextricably linked to patient safety, which is the FDA's paramount concern, making it a non-negotiable aspect of bringing a medical device to market.
Key Takeaways
1. Cybersecurity in MedTech should be integrated from the very beginning of the product development lifecycle, not treated as a final-stage checklist item.
2. Delaying cybersecurity considerations leads to significant project delays, increased costs, and can risk the entire product launch if major re-engineering is required.
3. The "move fast and break things" startup culture is incompatible with the regulated MedTech industry, where skipping steps like security planning can be catastrophic.
4. Retrofitting security into a nearly finished product is far more expensive and complex than proactively implementing a "security by design" approach from the start.
5. Early-stage startups must carefully vet software development partners to confirm their experience with MedTech standards (e.g., IEC 62304) and secure development practices.
6. Cybersecurity is not just a software issue; hardware decisions, such as selecting secure microcontrollers, are equally critical and must be made early on.
7. Investors and VCs are increasingly aware of cybersecurity risks, making a well-defined security plan a crucial component of a startup's roadmap and funding pitch.
8. The FDA's primary concern is patient safety, and because security vulnerabilities can directly lead to patient harm, cybersecurity is considered an integral part of safety risk management.
Host: Hi, welcome back to the Med Device Cyber Podcast. Today we're talking about a very interesting topic: what early-stage startups in the Medtech innovation space should consider from a cybersecurity perspective. Often cybersecurity is not considered until the very end or right before submission, when it should be considered at the beginning, because waiting causes a lot of delays, frustration, headache, maybe the product not even making it to market if people wait until the very end.
Host: So we're advocating that people consider it at the beginning, and we're going to talk about why that's important today. I'm your host Christian Espinosa, I'm the founder of Blue Goat, and I've got my co-host here, Trevor. How are you doing today, Trevor?
Guest: Not too bad. Getting ready to get to some warmer weather, but doing good.
Host: Warmer weather where? Where's that? In China?
Guest: Warmer weather in China. It's not gonna be super warm there, but warmer than here.
Host: All right, perfect. Awesome. So, what do you think our... I guess let's just kind of back up a little bit. What do you think the challenge is? Like, how come people, like if I'm a founder, an early-stage Medtech innovator, how come I don't think about cybersecurity early on? Is this just an awareness problem, or is it just not something that's typically on the roadmap, or what do you think the root issue is with this?
Guest: I think there can be a ton of issues with it. Awareness is a big one. Oftentimes, you know, med tech companies don't even know that cybersecurity is really a requirement until it's too late. This is getting better; I feel like awareness has started to increase. People are becoming more conscious of cybersecurity as a regulatory requirement, especially after the latest guidance in September of 2023. There's been enough time for people to start catching up. It's been, gosh, about a year and a half since then.
Guest: So the awareness is starting to grow. It's when a company's starting a med tech startup: med tech startups are very expensive and they're prone to fail. They're often on shoestring budgets trying to, you know, build a pretty impressive product that costs millions in research and development. And so all of this money that you're getting in from VC funding or wherever it is, it's often immediately tied up the second it hits the account. And cybersecurity can be a little bit expensive, so manufacturers try to push it to the back burner and they forget about it altogether, which is not the best way to go about it. It's more expensive at the end than if you do it at the beginning.
Guest: And then I think that if someone's not involved in the cybersecurity world, if they're involved in the med tech world or the startup world, they're excited to create a product and they're following that startup mindset of move fast and break things. Make a product, get it out there, get feedback, refine it. That's the Silicon Valley mindset. That's the startup mindset. That's what we see so many of these companies doing.
Guest: And that can be a little bit of a crutch. I think it's great for innovation, for products, but you're missing important steps, and then when it finally comes time to do your 510(k) submission, your RA consultant is making sure you have all your ducks in a row, all your boxes ticked, and they say, okay, where's your cybersecurity documentation? And then people go, oh no, we didn't do that. And that's when they have a problem, because they've already moved too fast, they already have their product, and they're gonna need to go back and rework it.
Host: So what's the... and that's what we experience, almost: people wait until the very last minute to consider cybersecurity. But what is a real ramification of that? What's the impact to the Medtech innovator?
Guest: So the big thing is time to market is going to get cut pretty heavily. If you forget about cybersecurity, and God forbid you try to submit without any cybersecurity, you're going to get rejected by the FDA immediately, and you're gonna enter a review cycle. You have a 180-day response window, and 180 days can be a little bit tight to do cybersecurity from the ground up, and so you may lose your submission window altogether.
Guest: Now, if you include some cybersecurity, you try to cobble some stuff together, but it's not enough, you're still gonna have to go back and refine it, work on it and then get it back out. What can really be a crutch is if a functionality or a way that you're implementing a feature gets rejected as insecure by the FDA. And this is something that we've seen especially in long-development products: if a device is designed to do something in a certain way, then that functionality might be inherently insecure. The way that you're handling certificates, the way that you're connecting to the EMR just inherently is bad design. Then the FDA is going to kick it back and say you can't design a feature like this, you have to rework this. You're going to go back, you need to do more research, more development and another submission to the FDA. So A, your time to market gets slashed by even up to a year in a situation like that, and that's a year you could have spent selling your device, and B, you're going to have to spend a lot of money fixing that problem.
Host: Yeah, you bring up some good points. We had one client, actually, they did not become a client, they were a prospect. They developed their product and they totally forgot about cybersecurity until the very end, and then they came to us and we gave them a quote, which was reasonable, I thought, and they looked at our quote, they assumed that we were gonna find stuff and they assumed how much it would cost for the developers to fix it, and they basically said, you know what, we can't afford any of this, we don't have any more funding, and they abandoned this product. Which, you know, I can imagine how difficult it is if you've been developing something for like three to five years or even longer, and all of a sudden you forgot about something that ends up costing so much you have to abandon the project altogether. I mean, it's got to be a very frustrating scenario, but that's what they ended up doing.
Guest: Yeah, and that can happen. Med tech startups are very prone to failure. It's a pretty volatile industry. It's a very expensive industry. Developing a product is extremely expensive. You can put together some software-as-a-service product and then try to put it out on the internet; you might spend, you know, 10,000 bucks on just marketing that product if you can develop it yourself. There's no way to do that for a Medtech company.
Guest: Development is gonna be expensive, regulatory is gonna be expensive. There are too many hoops to jump through, too many hurdles. And so there's no way to do this cheap. And so companies will run up on the very edge of their budget very often, and then as soon as there's an unexpected expense, it pushes them over, and then they're in trouble.
Host: So how would a founder of, you know, a Medtech startup, if I'm a founder and I'm trying to get funding, how do I even factor in how much it's going to cost for cybersecurity? Because we talked in a previous episode about software developers not understanding cybersecurity, and we talked about maybe having a secure software development pipeline. And you know, it's not just the cost of hiring a firm like us to evaluate the security. It's also the cost of fixing things, which could be, you know, after the fact, after we identify things, or it could be proactively, which is going to cost more than just, I guess, traditional software development. If you do secure software development, it's going to cost more. So if I'm a founder and I'm out there, you know, pitching to get investments, how do I even factor in how much it's going to cost for cyber? What are your thoughts?
Guest: So, I think that there's the development, the documentation and the testing side. Those are the three main areas in my mind. The documentation and testing sides are more on the regulatory focus. The development's obviously on the R&D focus. When developing a product, you want to start with cybersecurity so that you can build it into the product; you don't have to retrofit it. The FDA says security by design is the principle that developers should follow. You should bake security into your product instead of trying to bolt it on at the end.
Guest: So, when you're trying to pick developers for your product, whether you do this in-house, whether you're outsourcing it to an NRE, whatever it is, you want to make sure that the developers understand medical device development concepts. So, looking for IEC 62304 or ISO 13485, the main standards that medical devices need to be built to, these products need to adhere to what the standards are saying. If you're finding a developer and they say, yep, I know these standards inside and out, I've developed medical devices before, I understand how to do this securely, that's a great sign.
Guest: These developers are going to be more expensive. Getting it done by an NRE with all of these certifications, all this experience developing to these standards, will cost a lot of money. There's no way to get around that. It's going to be a lot more than just finding some run-of-the-mill developer, but it's going to be done the right way the first time.
Guest: The next side of things is you need someone to deal with your documentation, deal with your testing. These are the cheap parts of cybersecurity, honestly. Getting your documentation developed, getting your testing done, it's a drop in the bucket compared to everything else that goes into a full 510(k) submission. But it's very important. And good developers are going to create good artifacts and good documentation. They might not know exactly the FDA level of documentation, but if they're creating enough information about their product, someone who does know the FDA documentation will be able to build it out quickly. Anything that's missing, they'll be able to figure it out and work with the developers to get that put into place. So it's really gonna reduce the timeline, and even though these developers are more expensive, you're not gonna run into budget overruns later from delays.
Host: So what are some of the... because I agree with everything you said, and from our experience, it validates it. But if I'm a Medtech innovator, it's still a challenging scenario. Just like when people evaluate using us versus a different cybersecurity vendor, if I am trying to choose which software development company to go with for my product, they're all going to have a good, you know, sales process, probably. And you mentioned some of the questions to ask, like what standards do they follow? Do they have experience with Medtech? Is there anything else they should be asking when they do the evaluation of the software development team?
Guest: I think on our last episode we were talking about how a penetration tester is only as good as the report that they write. And I think similar things can be said about developers and their documentation. So, when you're looking for a developer, especially if you're looking for outsourced development through an NRE, you need to ask: what artifacts are you preparing to go along with the software? Are you going to create all the architecture diagrams that we need? Show us the requirement specifications. You know, oftentimes the manufacturers are going to have to help with those requirements specs, but there will be a lot of non-functional requirements that they're just not gonna think about.
Guest: And so the non-functional requirements are things like cybersecurity. How are you building security in? So, understanding that the developers are just thinking about security at the beginning, they're building it into the product at the requirement phase, moving into the implementation. There's no set "you need A, B and C" for documentation for a product, but just understanding that they're conscious of it, they are documenting what they're doing, they're documenting requirements, data flows, architecture, security controls, all that stuff just really reduces all the problems that are going to come up down the line.
Host: So if I'm evaluating an NRE or a software development organization, I should be asking what kind of documents they produce, what their processes are, what standards they follow that are specific to Medtech, and how they include security in their device.
Guest: Yep, exactly.
Host: Yeah, I think that would solve quite a few of the challenges, because we've worked with a lot of companies, and some of the manufacturers that we've worked with have had adequate documentation. They actually have design documentation, they have data flow diagrams. But others chose a software development firm that has literally almost zero documentation. I find it hard to develop code where you don't even have a requirement specification document, for instance.
Guest: Right.
Host: So I guess it varies drastically, but I wonder, like, the manufacturer that chose the software development company that didn't have any documentation. I'm assuming those software developers, which were really doing it ad hoc, were less expensive than the ones that had all the documentation and all the ducks in a row.
Guest: Definitely. Yeah, software developers aren't always super expensive. You can get cheap development done, but it might not come with all the artifacts you need. You might not be able to understand the code flow, it might be hard to maintain, there might be problems in it. There are a million things that can go wrong even with a good developer, or even with an expensive developer, I'd say.
Guest: So there's so much that can happen. I think the real important thing is just making sure the developer is thinking of these problems. If you're a startup founder in the Medtech space, if you're not coming from a development or security background, you're probably not going to be thinking about this stuff, and you're definitely not going to want to worry about this stuff personally. You want to find someone who knows this stuff and who can worry about this stuff. That's what your job is as the founder of this company.
Guest: So, finding a developer who already knows how to do this stuff: you explain your requirements to them, you build out those functional requirements, what does it have to do? You explain that, then they tell you how it has to do it. They figure out all those little implementation details, they tell you what artifacts they're going to prepare. You reference those artifacts to your regulatory consultant: hey, is this good enough for the software requirements for the FDA? Great. Can this help us on the cybersecurity requirements? Okay, great. Well, we'll still need to develop A, B and C, but we have X, Y and Z. So these are the questions, this is the flow you kind of want to work through as you're breaking ground on that product.
Host: So if I'm coming up with a budget on my roadmap, I can reach out to numerous software development organizations, get quotes, and evaluate which ones are secure, but then I also have to reach out to people like us to figure out, okay, once the software is developed, we need a third party to do all the pen testing, a third party to help with all the documentation, and they can get a quote and put that on the roadmap.
Guest: Yep, exactly. And even now that cybersecurity has become more front of mind in the Medtech space, VCs and people trying to give out this funding want to see it as part of a roadmap, and it should be something done early. So if you come to the table with cybersecurity as part of your plan, it's going to look good when you're getting funding. And so it's not just, you know, waiting for that regulatory hurdle to get through it. How do you deal with the big bad wolf in the form of the FDA?
Host: It was the big bad boogeyman?
Guest: It can help your chances when you're trying to pull in funding and you know, raise your seed round in addition to all that.
Host: Yeah, because every RA I talked to says that was the hard thing to get through, before cybersecurity became the hard thing to get through.
Host: And now cybersecurity is the big bad boogeyman.
Guest: Yeah.
Host: It's becoming more and more commonplace where investors have gotten burned on their investments because the people they invested in, the company, didn't think about cybersecurity until the very end, when the RA said, what are you doing about cybersecurity? They're like, oh, we didn't know how to do it. And then it ends up costing them like another million dollars to get the software developers to fix all the holes that someone like us identifies, and there's also, like you alluded to earlier, the delay to time to market and all those other things that happen that are just a lot of lost revenue, really, and it really reduces the ROI for an investor, which, you know, obviously if I'm an investor and I do invest in things, I want to have a higher ROI, which is generally better for investing. Yeah, and it's hard to go back to the VC and say, hey, we forgot about something important, we need more money. You're not going to get a good response if you say that. And so trying to figure out how to stretch out the budget if you do miss something can be really challenging, and it can be the killing blow for a lot of startups.
Host: BBB, big bad boogeyman. All right, the triple B.
Guest: Yeah, awesome. There you go.
Host: Cool. Well, thanks everyone for tuning in. I hope you found value in this episode and we hope to see you on the next one.