    Episode 14 · April 29, 2025 · 26m listen · 3,232 words · ~16 min read

    Early Cyber Strategies for MedTech Trailblazers | Ep. 18 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 14 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery from Blue Goat Cyber address a critical issue facing early-stage MedTech startups: the tendency to treat cybersecurity as an afterthought. They argue passionately that security considerations must be integrated into the product development lifecycle from the very beginning, rather than being hastily addressed just before regulatory submission.

    The central problem, they explain, is that many startups, driven by a "move fast and break things" culture and constrained by tight budgets, postpone cybersecurity planning. This delay often results in severe consequences, including significant project delays, budget overruns, and immense frustration. In the worst cases, it can lead to a product failing to get FDA approval or being abandoned altogether due to the prohibitive cost and complexity of retrofitting security controls.

    The hosts identify several root causes for this common oversight. One is a simple lack of awareness; founders may not realize that cybersecurity is a mandatory and rigorously scrutinized regulatory requirement until it's too late. Another is the financial pressure on startups, which often operate on shoestring budgets where every dollar is allocated to core product development, making security seem like an expensive and deferrable item. Espinosa and Slattery counter this by asserting that early investment in security is far more cost-effective. They share an anecdote about a potential client who had to abandon their product after years of development because the cost of fixing fundamental security design flaws, discovered at the last minute, was too high. This illustrates the critical impact of making poor hardware and software choices early on, such as selecting a microcontroller that doesn't support essential features like secure boot.

    To avoid these pitfalls, Espinosa and Slattery provide actionable advice for MedTech innovators. They champion the "security by design" principle, which involves making security a core requirement from the initial design phase. This includes developing a comprehensive threat model and carefully selecting both hardware and software components with security in mind. Founders are urged to thoroughly vet their development partners—whether in-house or outsourced—to ensure they have experience with MedTech standards like IEC 62304 and ISO 13485, and that they will produce the necessary documentation for a successful submission. The hosts also note that VCs and investors are becoming more savvy about these risks; having a clear cybersecurity plan can therefore be a significant advantage when seeking funding. Ultimately, they stress that cybersecurity is inextricably linked to patient safety, which is the FDA's paramount concern, making it a non-negotiable aspect of bringing a medical device to market.

    Key takeaways from this episode

    • Cybersecurity in MedTech should be integrated from the very beginning of the product development lifecycle, not treated as a final-stage checklist item.
    • Delaying cybersecurity considerations leads to significant project delays, increased costs, and can risk the entire product launch if major re-engineering is required.
    • The "move fast and break things" startup culture is incompatible with the regulated MedTech industry, where skipping steps like security planning can be catastrophic.
    • Retrofitting security into a nearly finished product is far more expensive and complex than proactively implementing a "security by design" approach from the start.
    • Early-stage startups must carefully vet software development partners to confirm their experience with MedTech standards (e.g., IEC 62304) and secure development practices.
    • Cybersecurity is not just a software issue; hardware decisions, such as selecting secure microcontrollers, are equally critical and must be made early on.
    • Investors and VCs are increasingly aware of cybersecurity risks, making a well-defined security plan a crucial component of a startup's roadmap and funding pitch.
    • The FDA's primary concern is patient safety, and because security vulnerabilities can directly lead to patient harm, cybersecurity is considered an integral part of safety risk management.

    Full episode transcript

    Host: Hi, welcome back to the Med Device Cyber Podcast. Today we're talking about a very interesting topic. It's what early-stage startups in the MedTech innovation space should consider from a cybersecurity perspective. Often cybersecurity is not considered until the very end or right before submission, when it should be considered at the beginning, because it causes a lot of delays, frustration, headache, maybe the product not even making it to market if people wait until the very end.

    Host: So we're advocating people consider it at the beginning, and we're going to talk about why that's important today. I'm your host, Christian Espinosa. I'm the founder of Blue Goat, and I've got my co-host here, Trevor. How you doing today, Trevor?

    Guest: Not too bad. Getting ready to get to some warmer weather, but, uh, doing good.

    Host: Warmer weather where? Where's that? In China?

    Guest: Warmer weather in China. It's not gonna be super warm there, but warmer than here.

    Host: All right, perfect. Awesome. So, what do you think our... I guess let's just kind of back up a little bit. What do you think the challenge is? Like, how come people... like, if I'm a founder, early-stage MedTech innovator, how come I don't think about cybersecurity early on? Like, is this just an awareness problem, or is it just, like, not something that's on the roadmap typically, or what do you think the root issue is with this?

    Guest: I think there can be a ton of issues with it. Um, awareness is a big one. Oftentimes, you know, MedTech companies don't even know that cybersecurity is really a req-- a requirement until it's too late. Um, this is becoming better. I feel like awareness has started to increase. People are becoming more conscious of cybersecurity as a regulatory requirement, especially after the latest guidance in September of 2023. There's been enough time for people to start catching up. It's been, gosh, about a year and a half since then.

    Guest: So, the awareness is starting to grow. Um, it's when a company's starting a MedTech startup... MedTech startups are very expensive and they're prone to fail. They're often on shoestring budgets trying to, you know, build a pretty impressive product that costs millions in research and development. And so, having all of this money that you're getting in from VC funding or wherever it is, it's often immediately tied up the second it hits the account. And cybersecurity can be a little bit expensive, so manufacturers try to push it to the back burner and they forget about it altogether, which is not the best way to go about it. It's more expensive at the end than if you do it at the beginning.

    Guest: Um, and then I think that if someone's not involved in the cybersecurity world, if they're involved in the MedTech world or the startup world, they're excited to create a product and they're following that startup mindset of move fast and break things. Make a product, get it out there, get feedback, refine it. That's the Silicon Valley mindset. That's the startup mindset. That's what we see so many of these companies doing.

    Guest: And that can be a little bit of a crutch. I think it's great for innovation, for products, but you're missing important steps, and then when it finally comes time to do your 510(k) submission, your RA consultant is making sure you have all your ducks in a row, all your boxes ticked, and they say, "Okay, where's your cybersecurity documentation?" And then people go, "Oh no, we didn't do that." And that's when they have a problem, because they've already moved too fast and they already have their product and they're gonna need to go back and rework it.

    Host: So what's the... and that's what we experience almost, people wait to the very last minute to consider cybersecurity, but what is the real ramification of that? What's the impact to the, uh, MedTech innovator?

    Guest: So the big thing is time to market is going to get cut pretty heavily. If you forget about cybersecurity and, God forbid, you try to submit without any cybersecurity, you're going to get rejected by the FDA immediately, and you're gonna enter a review cycle. You have a 180-day response window, and 180 days can be a little bit tight to do cybersecurity from the ground up, and so you may lose your submission window altogether.

    Guest: Now, if you include some cybersecurity, you try to cobble some stuff together, but it's not enough, you're still gonna have to go back and refine it, work on it, and then get it back out. Uh, what can really be a crutch is if a functionality or a way that you're implementing a feature gets rejected as insecure by the FDA. And this is something that we've seen especially in long-development products: if a device is designed to do something in a certain way, then that functionality might be inherently insecure. The way that you're handling certificates, the way that you're connecting to EMR, just inherently is bad design. Then the FDA is going to kick it back and they say you can't design a feature like this. You have to rework this. You're going to go back, you need to do more research, more development, and another submission to the FDA. That's going to be, A, your time to market gets slashed by even up to a year in a situation like that, and that's a year you could have spent selling your device, and B, you're going to have to spend a lot of money fixing that problem.