From Surgery to MedTech Startups: Dr. Dylan Attard’s Journey | Ep. 32

In this episode of the Med Device Cyber Podcast, host Christian Espinosa and co-host Trevor Slattery of Blue Goat Cyber are joined by special guest Dr. Dylan Attard, the founder of the global medical technology conference series, MedTech World. Dr. Attard, who joins the podcast from his home base in Malta, shares his compelling journey from being a practicing surgeon to becoming a prominent entrepreneur in the MedTech space. He explains that his motivation to start MedTech World stemmed from a desire to make a broader, global impact on healthcare, a goal he felt was limited by the one-on-one nature of clinical practice. Initially conceived as an annual conference to position Malta as a hub for medical technology, MedTech World has since expanded into a worldwide series of events connecting innovators, investors, and professionals across continents. The conversation delves into the major trends shaping the MedTech industry. Dr. Attard posits that the COVID-19 pandemic acted as a powerful catalyst, accelerating innovation and forcing governments and healthcare systems to recognize the urgent need for investment in technology and infrastructure. The discussion highlights the growth of robotics in surgery and other healthcare applications as a key trend aimed at improving efficiency and reducing the strain on the healthcare workforce. A significant portion of the episode is dedicated to exploring the future of MedTech on a global scale. Dr. Attard emphasizes the vast, untapped potential of emerging markets, particularly in the Middle East and Asia. He notes a strong appetite for investment and collaboration in these regions, which are eager to adopt cutting-edge healthcare solutions. This expansion is a central theme of MedTech World's mission, which seeks to build bridges and facilitate partnerships between different cultural and business ecosystems, from Dubai and Singapore to Europe and North America. The discussion then shifts to the critical, yet often neglected, topic of medical device cybersecurity. The hosts and guest agree that cybersecurity is frequently treated as an afterthought by startups, who are more focused on getting their product to market quickly. This reactive approach, characteristic of the 'move fast and break things' mindset, is fundamentally incompatible with the highly regulated and safety-critical medical device industry. Both Trevor Slattery and Dr. Attard stress that delaying cybersecurity considerations until late in the development process leads to significant regulatory hurdles, costly rework, investor frustration, and sometimes, the complete abandonment of promising projects. They argue that cybersecurity should be viewed not as a mere expense or a box to be checked, but as a core investment in the product's entire lifecycle. The conversation underscores that in an increasingly connected healthcare environment, securing medical devices from Day One is paramount to protecting patient data, ensuring patient safety, and achieving commercial success.

Christian: Hi, welcome back to another episode of the Med Device Cyber podcast. Today we have a a special guest. We have Dr. Dylan Attard. He is the founder of Medtech World. I think Medtech World's been going on for a couple years now and it's growing quite a bit and Blue Goat Cyber's attended a few of the Medtech World events and we have one coming up as well. And we I'm joined here by our guest, Trevor Slattery, our co-host. Sorry, not our guest but our co-host Trevor Slattery. Trevor, how's it going? I think you're coming to us from uh Cutter today. Is that right? You're still in Doha? Trevor: Yep, yeah, still in Doha. and I've heard uh a lot of back and forth while being here about if it's Qatar or Cutter. And I don't think anybody knows the answer. Christian: I think it's Cutter. That's how they say it on the airway in the airline. Trevor: Yeah, it's 110 degrees outside, so happy to be inside on this podcast. Christian: Not quite as hot as it is in Phoenix. I think it's about... it'll be about 110 today as well. I'm coming to... I'm coming to you from Phoenix and uh where are you today Dylan? Dylan: I'm actually um at home base in Malta. Christian: In Malta, okay, cool. So we have like kind of the whole globe covered. Dylan: Summer is just starting here actually. I'm up until yesterday there was a very nice breeze, um but today it's full on um heat so I'm guessing um June is gonna be hot. Christian: Cool. Well, I I know um, we'll be going to Malta later this year, so I'm excited. I've never been to Malta before, so I'm looking forward to it. Dylan: I'm sure you're going to enjoy it. Christian: Yeah, we just got got back from uh Monaco, so I'm a little bit jet-lagged but it's all good. Dylan: We're very similar I guess. Um Malta to Monaco, except there's no Formula One racing here. Um, other than the quality of life, um streets, history, um culture, I guess we are a little bit similar to Monaco. Christian: Awesome. Well, um as we get started here, you want to give us a little bit about your backstory. I know you were a practicing physician for a while and then what inspired you to leave that and start Medtech World? Dylan: Yep. Um, so I graduated as a medical doctor um around 10-11 years ago, out of um Malta's main uh university. I was doing surgery, always loved working as a as a physician, as a medical doctor. Um it always felt like kind of the natural path from primary school to secondary, um always wanting to be right in the middle of of some kind of action um and healthcare especially surgery seemed to to be the right fit. Um but then eventually, it always felt like um especially attending to one patient at a time, I've always felt restricted working in hospital um just working in one hospital, attending to one patient at a time. Always wanted to be able to not just purely travel but work on the international scale, on a global scale. Always loved events, was quite curious about venture funding back then. Um and I sort of got lucky in terms of the opportunity that it got handed to me to um start Medtech World, which back then, um five, six years ago it was meant to be um simply an annual conference promoting Malta as a potential hub for medtech and healthtech companies to set up on the island. Um and I mean I I I took a risk I guess. I still keep saying it's a break from surgery, but I guess five, six years in um it's a it's a permanent stop. Christian: Awesome. It's interesting we have in Blue Goat Cyber, we have a former cardiac surgeon. He heads up our sales team, Rick Turner. And we have a former nurse, uh Melissa, she's my wife, actually. And they both kind of said the same thing. Like Melissa it's one patient at a time, and with Rick, you know, one surgery at a time, but now they feel like we're helping more patients by helping bring these devices to market securely. Dylan: Yep, I mean I do miss surgery, especially now most of my friends and people I went I did medical school with have started to to be promoted to resident specialist, consultant, so towards the end of the spectrum where it gets more fun, because then you have a team working for you as opposed to doing most of the hard work at hospital alone. Um so I do miss it. um and I guess it's always a case of the grass being greener um on the other side. I mean I um it wasn't easy for me to take this this decision, especially being a first generation medical doctor within my family, so you could imagine me going to my parents who had devoted most of their life um towards funding me as much as they can for me to go to medical school, private lessons, get the best grades that I could, and then eventually, um hi, I'm gonna start doing Medtech World and I still remember the look on their faces was like, you're going to become an event organizer, how does that make sense and I'm like no there's a much bigger picture in it. And it's only now that she started to kind of get the whole point of what I've done. Uh she was with us um, and I believe you met her as well in Dubai last February. And that's the first time where she kind of understood the whole um reality of what I'm up to and the scale of it all. Um but it was never an easy choice. Christian: Yeah, I remember I I believe I met your mom in... In Dubai. Dylan: Yeah. Christian: Yep. Dylan: Yep, um yes. Christian: Well, you've been in the industry quite a while. Where do you see things going in terms of overall like trends and uh cyber security? Dylan: Um, I think most of the innovations we're currently enjoying, um at the moment we have the pandemic to thank for I guess. Um 'cause the pandemic, I feel that it made people realize how important investing into our healthcare ecosystems is across across the board, it made governments realize that they don't have any other choice but to invest in. Um we started seeing more public and private investments into the whole healthcare ecosystem. Um so at least there's some... some... some bright lining from from that. In terms of um where the industry might head to in the next couple of months of years, years I guess. I mean I had a recent webinar some some days ago, and we spoke about a lot on robotics in surgery. Um which is something I'm obviously quite passionate about because I've done surgery myself, and I think that's a trend, not just purely robotics and and surgery, but robotics across the whole board, as most of the newer and most innovative um companies and solutions are trying to elevate stress from our healthcare workforce and healthcare ecosystem as much as we can... as much as they can. um because most of the healthcare um ecosystems across the across the world and countries and governments are being faced with a lot of um healthcare professionals choosing alternative paths, very much like myself, your wife, your co-founder. Um and this is because of the increase in demand, um increase in populations, increase in um number of diagnosis being made much before than they used to. So there's much more demand than pressure on the healthcare ecosystems. Um and this getting giving... putting more pressure and demand on the on the healthcare ecosystems in general, I guess. Christian: And I know in Dubai, like a big topic there was the expansion of Medtech to to the Middle East and also Africa. Uh do you think that's like the next big area, like Saudi Arabia, Qatar uh and Africa for Medtech? Or do you think it's going to expand more in, you know, Asia? Just curious what your thoughts are. Dylan: I think it's uh, I mean, most of the regions you've mentioned um are quite unexploited in terms of the opportunities that that that lie there. Um and I think more companies, especially after they've dominated some of the western markets, Europe, and maybe they've been phased by a lot of um red flags or bureaucratic steps and most of these um areas are now looking to other areas in which there's there are much more open to investment um and there's much more opportunities. I am personally quite a huge fan of the Middle East in terms of the way they do business, the way they the way they're very open to um not just purely networking but collaborating with the rest of the world. Um Dubai showed it um many many years ago um and most of the time they were they were met with a lot of criticism that they won't achieve what they're doing. Now there are other other countries in the region um trying to to follow in Dubai's and UAE's steps, Saudi Arabia, Trevor is in Qatar, they're very much keen on obviously trying to to match their their fellow countries' um successes. So me personally, I'm quite a fan of um of the Middle East and and their potential to continue expanding Medtech and putting more money into Medtech which essentially will leave a very good liberal effects on the rest of the international market, um be it in Europe, be it in and and the West. Um in terms of Asia, we've we've done an event there in Singapore last year. Uh it was the first time I had been an Asian in all fairness and it was the first time that I've started to network, speak, and get to know the Asian ecosystem. Um, one of the misconceptions that I felt um especially um from fellow friends and colleagues of mine from the side of the of of the world, Europe and and the West um is that they think that Asia is big enough and sustainable on its own. And then when then I started speaking to companies in in Asia, not just in Singapore, Southwe... South... Southeast Asia and and the rest, I was always getting the feeling that they very much feel that they're constrained within within Asia and one of their biggest challenges is on how to move away from Asia. Um sometimes they're using Singapore as a stepping stone out of so 'cause once they set foot in in Singapore, then from there they can eventually move to to Europe, move to to the US, and and so on. That's I felt that this was quite a misconception that we always thought that Asia were very much on by themselves, sustainable, they don't need the rest of the of the industry, when in fact, I think it's uh it's the other way around. Christian: And I noticed uh your next Asian event is in Hong Kong, is that right? Dylan: Yep, we're still... when it comes to to Medtech, well um we haven't really found a home yet in in Asia and that's something that we're looking to to explore. We've done uh as you said, an event in in Singapore last year, we've enjoyed it, it was in September, a one day event, and we're looking to do it again this year. um in September again, but until then we're going to be exploring Hong Kong, which I think is quite an interesting hub, obviously, I mean, there's a lot of money there. Um, and there's a lot of um will for innovation across different industries, including Medtech, so we're quite excited to to explore it. Um we're going to be partnering partnering up with one of the um major investment conferences in the region, Novax. Um it's an... it's purely an investors conference and there's some of the biggest fund from Sequoia Capital to to to to the family offices in Asia joining, but it's not purely focused on on healthcare, which sometimes I even find more exciting because I do think that the healthcare industry can enjoy a lot of the cross-pollination um between between different industries. We've seen it with telemedicine. Um used to up until some years ago you used to see a lot of articles being written, you can order groceries online, but you can't get a prescription, or you you can't check your bank account, but not your electronic health care records. We got that more or less from trying to cross-pollinate between different industries. So we're looking forward to that. Um and in parallel with both Hong Kong and Shanghai, we're trying to explore South Korea. And as well as China. Um so hopefully we'll be able to nail down um some roadshow events there this year as well before obviously our main Medtech Malta conference in in November. Christian: All right. This is you're all over the globe, pretty busy. Dylan: I mean, we try to keep to our name, I guess, Medtech World. Christian: Pretty soon to be Medtech Universe like Dylan: Yeah, I guess um Jeff Bezos or Elon Musk are are trying to make it easier for us, I guess. So, we'll see how how they keep track. Trevor: Try to do the first Medtech convention on Mars. Dylan: I've always wanted to to to be the first at something so we'll we'll see. Christian: And I I know like cybersecurity, that's what we do. We do Medtech cybersecurity obviously. It seems like nobody talks about cybersecurity in Medtech until it's too late and it's a crisis and it delays their submission because they can't get approved by the regulatory authority. Do you feel um Dylan that cybersecurity is becoming more of a topic of interest, or people are still kind of lacking that awareness? Dylan: Um, when I first started Medtech World, I was always trying to come up with some original content, um, to try not obviously make the whole conference ecosystem a copy and paste. One of the panels that I that I had I had tried to to create, I think it was in my second year. A panel on cybersecurity. And I tried to literally scavenge LinkedIn trying to find cybersecurity companies who would be keen on participating. Um even if they were looking to simply join and speak on stage, and I could barely find any. Um, and I remember back then speaking to the rest of the team, I'm like, cybersecurity, how come like, how come we're finding it difficult? It's so much needed. Um, and I've over the past years way before I started Medtech here I was always obviously quite keen on technology. Um sometimes you're even seeing films of this government being hacked, this hospital being hacked. I had done one of my electives during medical school was in Germany in Düsseldorf. Um and I remember some months after I had done that elective seeing on the news that the same hospital I had been to was hacked and was literally not being able to function for a good amount of of time. And I remember like, it's because they didn't have their their cybersecurity like on point. Christian: For like a whole month, they were unable to function, you said? Dylan: No, for a couple of hours. Um actually it lasted nearly one to two day, it was a private hospital. um and I remember they had shifted most of their emergency stuff to to a fellow other hospital. Um, but they um were kept quite a distance and at the baggage of whoever was manipulating this and and their technologists. Um, my point is, I think especially over the past couple of one to one to two years, maybe, maybe three, anyways. Um, the industry has started to realize more the the importance of cybersecurity. Um, and I think we have our investors to thank for. I think especially when it comes to, um, obviously the Medtech industry and the Medtech investment scene is not where we wanted to be. Um, so companies are trying to make sure that they have everything in check. And the investors are trying obviously to um invest in as low risk companies as possible. And cybersecurity is often being flagged as one of the most um things that they should focus on, especially with the increasing um technologies, increasing in um incidences that are happening around around the world and and so on. The thing if I made that might work against I mean that might work against this is that hopefully, I guess, when some of these hacks and cybersecurity incidents that are happening are being notified to the public, because I do fear that sometimes there are some, as in some of the hospitals or healthcare systems, let's not blame anyone, will try to hide some of their inefficiencies purely for the sake of no bad promotion. Christian: I I agree with that. I think there's been quite a few incidents, but they were never really disclosed of. Dylan: Exactly, because obviously everyone will try to keep it as quiet as they can, and there's money involved, and security, they will try to clean away any of their messes and uh I mean it's human nature. Sometimes you're always, especially when you're when you don't have as many resources, as many money that you want, you're trying to prioritize what you're going to invest in, cybersecurity, if you're trying to stay afloat, if you're trying to make it until your next round, um cybersecurity is never going to be on the top of the list. Um which is hopefully, especially through conferences, not just like Medtech, but conferences, even conversations, conversations like these, we get our Medtech and healthtech startups to realize that they need to start preparing and investing into cybersecurity from day one, because if you're going to do it on day 30, to day 300, it might even cost you more, might not just in terms of resources, in terms of money, but even in terms of time, and it's going to backfire eventually. Um if you're lucky not to be um faced with an incident that you can't um actually um survive. Christian: What do you think, Trevor, as far as industry's progression here? Trevor: I think it's good that the regulators are trying to enforce that a little bit more, but it is ultimately the shared responsibility. Regulators need to be on top of the latest industry trends and trying to enforce that as far as what innovators are doing. Uh manufacturers, innovators need to be responsible for adhering to the trends, putting out safe devices, but hospitals often are going to be equally as responsible for ensuring that they have safe devices in their network. And what we're often seeing is that hospitals will have more strict purchasing requirements than even the FDA regulations as far as what they want to see on device certification. So it goes a lot deeper than just that initial step. There's cyber security to get through your first round, through the FDA so that you can start selling your product. There's more cyber security to actually sell the product. Um, and there are a lot of layers that I feel like many different innovators just don't really think of until it's too late. It comes down, the push comes to shove and then they're getting all their documents ready for their submission. They don't have anything for cyber security. They go to a Mayo clinic, they go to John Hopkins, they're trying to sell their product. And they kick them back and say we need all this cyber security documentation to prove that we're you're safe in our network. Um since, you know, it's like you said, there's a lot of money involved. There are a lot of problems. If these hospitals get compromised, they're going to be liable to a lot of, you know, fees, um their patients could possibly get harmed, may even die, they could be open to lawsuits because of it. There was recently a ransomware hack in the UK against a blood center for cancer treatments where they were out of commission for about 5 weeks, and they could deliver no treatments and many of their patients weren't able to get on the NHS waitlist to get treatments elsewhere. So, that was a recent case where they're saying that they were able to directly pin ransomware on murder in a hospital to multiple patients. So, of course, you know, having that liability... Christian: ...You said they pinned it to murder? So they were going to charge the people if they caught them that did the ransomware with murder actually? Trevor: They don't know who did the ransomware, but they're saying that they did effectively murder those patients. But, you know, the hospital's at liability as well for not having their security covered up and allowing that incident to happen. So, the innovators, if a Medtech innovator is putting out a device, the of course, you know, financial, legal repercussions for it, and even the reputational repercussions of knowing you have a device out there that is leading to these problems is massive. So I think it's very important, like you said, to have on day one, not on day 200. Dylan: Yep. And what's your feeling? I mean, you're obviously the ones um speaking to the Medtech companies and hospitals there. Has there been a positive shift over the couple over the last couple of months, years in terms of them being more proactive and wanting to invest more into cyber security, or are you still or are you still finding it a very different, a very difficult, finding it a very difficult job to convince them to invest in in cyber security? Trevor: It's a slow shift, but it's slowly getting there. I think it's too slow of a shift. We're seeing a few companies here and there get a little bit more savvy about it. Come to us in the idea phase, which is what we want to see. But still far too many are pushing it to the last minute. They have two weeks until their submission and they realize they didn't cover cyber security or they'll try to cobble something together at the last minute and submit, they get rejected, and then they panic. They're running out of investor money, they're running out of time, they have to make all these promises, ask for more money from their investors, and it's a really bad look. So, slowly we're getting there, but I don't think it's quick enough, and I think that awareness needs to spread a lot faster to prevent these problems from coming up. Dylan: Understood. Um, I'm not sure, I mean, I'm I'm from this side of the Atlantic I guess, and there's a lot of help by European Union, um non-dilutive funding, through governments. Um, some of which does cover the security aspect of medical device companies and any company that's dealing with health data. Um is there something similar in in the US which would help which would be able to help these um these companies? Trevor: Yeah, we have similar regulations in the US, but regulations in Europe are always a little bit more mature and they can evolve a lot faster than in America. Um, I think some of the... whole free market mentality of America can be a little bit dangerous as far as how fast innovation can go without any checks and balances in place. And we see it with AI, it runs rampant in America. You can do anything, you can use it however you want, there are no checks and balances in place that are effectively enforced, where those are enforced in Europe when it's going to be a very sensitive nature, something that is infrastructure-sensitive or potentially health-sensitive. Uh, so we have, you know, in Europe, you have GDPR for data privacy and in the US, we have HIPAA protection for health information. And then of course, you have the MDR, IVDR, any of these regulatory bodies that are controlling a medical device submission where we have the FDA. Um, but there are a lot of distinctions between the two, such as with legacy devices, so devices cleared before the latest cyber security guidance. The FDA doesn't really know how to wrangle these together and try to round them up and find a good solution where Europe is effectively saying you need to retrofit it onto the MDR guidelines before you get have it on the MDD, but now you need to update your technical file. So it's forcing these manufacturers to stay up to date with everything, and we don't really have that going on in the US, so it's a little bit of a more different problem. Dylan: Understood. I was going to ask you this question before, because I'm genuinely curious about the implications of AI and cyber security and all fairness. Um has it made things any better, any any easier, any difficult, and and more difficult? What's your take on that? Trevor: AI, in general cyber security, has made things so much better and made things so much worse. Um, it helps everyone. So it helps the good guys, it helps the bad guys. It introduces new risks that we didn't know we have before, and it solves problems that we did have before. And so it's a very mixed bag. I would say that the benefits provided outweigh the risks of AI. Um, not from a security perspective, I would actually argue the opposite, that the security risk for AI is pretty significant as opposed to a security benefit through AI. But what we do see is the increased functionality and ultimately cyber security needs to strike that balance with usability and functionality. The only way to have perfect cyber security is to take your device, put it in a box, and go bury it in the desert where no one can find it. And then you're not going to get much use out of your device. So we want to see a very functional, very easy-to-use product and AI helps with that to a massive degree. Uh, cyber security has to be effectively the necessary evil trying to rein in the device or rein in the AI. And so, I do think though that having AI-enabled medical devices does introduce a lot of new risk that we haven't seen before. But I do think it is ultimately worth the risk and there are ways to work around it. There are ways to ensure that you're cleaning your data properly, you aren't introducing unsafe models into a product that could potentially harm someone or hallucinate bad results. Um and so I do think it's worth it if done properly. Christian: I think it's interesting, both of you mentioned cyber security is evolving slowly in the industry. I was at a conference not too long ago and I probably listened to 20 innovator pitches to investors and not a single innovator had cyber security on their roadmap. They had things like intellectual property protection, biocompatibility studies, but not a single one had cyber security. And as Dylan mentioned, the investors, a lot of them have been burned because the Medtech innovator didn't consider cyber security at the end and it delayed the submission by months and cost millions of dollars and overruns and loss time. So, in my opinion, we maybe it's slowly, but I'm not really seeing much progress from at least from the the pitches I saw. Maybe I watched the wrong 20 pitches, but not a single one mentioned cyber security. Trevor: It was the 21st one that mentioned it. Christian: It wasn't a big enough statistical sample I guess, yes. Dylan: No, I'm pretty sure, I mean, that's what's happened. Um, 'cause I mean, I've been working in this business for the for the past four to five years, um, came across hundreds of of pitch decks. Um and none actually, I mean, the majority, the very, very good majority have never really um, delved deep into um, their their the cyber security aspect of what they're doing. Christian: Yeah, and if we're building a surgical robot with AI or AI in vitro diagnostic system and it's connected to the cloud and it's you know, all these things have connectivity, I would think cyber security would be considered because there's been incidents, and we we mentioned earlier, people try to kind of cover up the incidents. There's been incidents where surgical robots have been compromised and caused um issues during surgery. There's been incidents where drug infusion pumps have been compromised, but the the general narrative is nobody has been harmed by hacking a medical device still. And I don't understand that why that's still the narrative. I don't think that to be true, actually. Dylan: I think we need a Netflix production of something going wrong, I mean this is the film or series um catch's fire and people start to realize that if this actually happened, if there's a hospital who's been um cyber, cyberhacked and things went wrong, they could actually really um be in trouble. Dylan: Because that's actually when things start to start to change, I guess. Christian: And even with the ransomware attacks, if if the systems are offline and a patient arrives in an ambulance that has a heart attack and they're delayed intake into the hospital, you know, that patient could die. But still, people don't attribute the cyber attack to to patient, you know, harm or death, which is, uh, you know, interesting to me. I guess maybe it's so we don't we're not spreading fear about hospitals or medical devices. I'm not really sure why the narrative is to kind of like downplay all of this. Trevor: There's a study by UCSD, University of San Diego, and they were studying the effects of ransomware against hospitals and they saw that if a hospital gets ransomware, in the entire city, incidents of cardiac arrest goes up by a pretty significant number, by about 20%, and the survival rates drop pretty heavily. So they're having to... Christian: What do you mean the incidence go up? Trevor: The quantity of cardiac arrest. They aren't able to stop and prevent it in that hospital. If there's a problem, there's a problem. Christian: Oh, I thought you were saying because people find out about the ransomware and they start having heart attacks. Trevor: No, if there's anyone that's in a sensitive situation, anything, you know, if they're having any cardiac problems, then they can go into cardiac arrest since they can't get any treatment. So, the rates of that go up pretty significantly, and then the survival rates go down pretty massively, so that they have to reroute all care to nearby hospitals which hospitals are very busy. It's not always easy to just say, here, take 600 more patients. Um, please figure it out. So, yeah, the narrative definitely needs to change a fair amount. It's a pretty major problem. There are a lot of really nasty things happening in the cyber security space. I was just earlier talking about that problem with the blood center in the UK where they're now able to directly attribute death to ransomware, which is a pretty scary thought. Christian: What about patient harm or even death to medical devices? Is that... has there been any documented cases that you're either one of you are aware of? 'Cause I I've read a few, but when I ask other people, they say that's not really true. Trevor: Like someone directly targeting a medical device to hurt someone? Christian: Yeah, or a medical device being compromised because it's on the hospital network, and we consider hospital networks like hostile networks, like they're already compromised. Christian: I think the... Trevor: I think the main risks that I've always seen and heard about are through non-targeted attacks, prolific viruses, and prolific ransomware. Uh, which is the most realistic use case. Attackers are usually looking for the weakest target that they can find so that they can get the fastest and the most amount of money. Hospitals, especially in America, have a lot of money, and they're often extremely insecure, so they're super easy targets. Uh, so if you're able to target a medical device, which that would be something that leans more... it's still against the ransomware side, you're not targeting it directly to cause harm to a specific individual used by that that's using that medical device. You're targeting the medical device to try to jump into the network and take over everything. Dylan: As part of your business development, have you ever tried to like, um, pick on a company, or an entity, um, try to figure out the loopholes within their whole security system and possibly even like nearly getting hold or getting access to them and then going to them, telling them, look listen, we've nearly done that. Imagine if someone actually really wanted to do that. Um, have you ever done that? Trevor: Unfortunately, we would be in prison immediately if we did that. Dylan: Isn't there, isn't there a law, or um, that if you, um, I had read it somewhere, and I think it happened even locally here. Um, that if you hack a company, but then go to them to actually show them what you've done, you're actually, you could, like, actually be given some kind of bomb... uh bounty reward or something. Trevor: Before you do that, they have to make a public announcement, they have to have public information available saying that we're accepting of people trying to do this. Um, in Russia it's legal to do that, which is where ransomware typically comes from, because ransomware is effectively legal in Russia. They call it 'post-paid cyber security.' Um, but in the US, you either need to be under contract and have testing authorization from the company going directly to you, or they provide open authorization to anyone acting in good faith. So, doing it out of the goodness of trying to find vulnerabilities. But yeah, there are a lot of companies that do that. Hospitals typically don't, uh, 'cause there's so much sensitive information. But like tech companies will commonly do it, streaming services, infrastructure services, they will do that. So you can go on Tesla's website and try to hack into them. And if you can successfully, then you reach out to Tesla, you say, 'Hey, look what I did. Imagine if I was a bad guy.' And then they'll give you money. Christian: Well, we test hospitals when they, like you said, contract us to test them with a penetration test, and we've have a 100% success rate of every, every hospital I've ever tested or we've ever tested, we've gotten into and pretty much owned everything. Trevor: It's almost too easy. I think our last hospital test that I was sitting in on took us like 35 minutes to take over everything in the network. Dylan: I mean, these are good case studies I guess, um for me to convince more people to to invest into more cybersecurity solutions. Christian: I think when people hear the word 'cybersecurity,' they just sort of, like, tune out, and, like, they don't want to hear it. They just, like, turn in another direction and kind of run away. And I'm not sure why that is. I guess because individuals, most professionals in cybersecurity try to overly complicate it and talk geek-talk with all these acronyms and most people just sort of tune out. And part of our mission is to make it tangible and and relatable as well. So why do you think it is that people like tune out when you say 'cybersecurity'? Like when you say, like, you know, biocompatibility study, people are like, okay, they understand that, but as soon as you mention cybersecurity, like, people's like, eyes glaze over, like, they don't want to hear anymore, seems. Dylan: But I mean, like speaking from a startup mentality, um, so if you're a startup and you're in the step, and you need to get onto the next step, be it your next round, be it your next MVP, cyber security and investment in cyber security doesn't relate directly to you getting from this step to the next. Um, you're only, you're only only going to need, it's like when you're on vacation. Um, and you're on a tight budget, do I pay for for travel insurance or not? And most of the people, if they're running on a budget, all right, um, let's risk it, let's not pay for travel insurance. Then if my luggage gets stolen or I'm during this and I like, shoot, I should have paid for travel insurance. I think unfortunately, cyber security, um, is often related to similar, to similar circumstances, which shouldn't be the case, especially when you're dealing with healthcare data. And that kind of, I even from from an investor perspective when I'm speaking to a startup, um, and I'm realizing that they're not investing into health data and amongst their main, um, ambitions and main vision is to improve healthcare and to improve this and that. I mean, I'm going to start questioning, are you really doing this for for for what you're saying? 'Cause if you, if you're actually looking to do that, you you you would have first and foremost made sure that the patient's data you're dealing with is going to be protected. Christian: What do you, what do you think, Trevor? Why, why do people tune out when we talk about cyber security? Agree with with Dylan? It's like related to insurance and maybe we can get, get by without, without doing it altogether? Trevor: Yeah, I think it's a mix of a few things. That's definitely the biggest part, I always call it 'the necessary evil,' nobody wants it, it doesn't add tangible value. It's the same as insurance. You think insurance is expensive, but then as soon as you get in a car accident, oh, you're going to be really happy that you had car insurance. Um, but with cyber security, A, the technical side of things, it's dry, it's complicated, it slows everything down. Building a product is supposed to be, a lot of people have a poor mindset about it in my opinion that I think is the fault of San Francisco and no other location. They say, move fast and break things, which is try to build a product, if it doesn't work, try to re-iterate and go through the cyclical process, and you can't do that in a regulated industry. You need to do things slow and methodically. But a lot of innovators try to go in with this startup mindset, which is very difficult in Medtech, try to move really quickly and forget about the important steps like cyber security, like getting regulatory approval, going through all of these different types of testing and studies. And, um, and then frankly, it's just nerdy and nobody wants to listen to it. I feel the same way sometimes when I hear talk about really difficult development terms for like embedded processors, and I understand development very well, it's a very large part of what I do in the day-to-day, but even still sometimes I go, ooh, this is a lot, this is a lot to listen to. Christian: Is that why you're moving to San Francisco to to help solve the problems? Since San Francisco is the source of the problems? Trevor: I'm gonna go sit down on the street corners with a sign and, you know, bang the drums about this all day. Slow down everybody. Christian: Or have you decided to move to Monaco instead? Trevor: Well, unfortunately, I can't work until 3:00 in the morning every day, so. Dylan: If we're able to maybe use these couple of of minutes which we've been discussing, um even for the sake of who's listening to us from a Medtech and a Healthtech perspective, is to get everyone to realize that the sooner that they that they realize that they need to invest and think about cyber security documentation from day zero, so it's actually going to be much easier for them when they are faced with FDA, with applications, with regulations. I think that should be the key take away, um of all of this. And I mean you're the best ones to obviously advocate for for for this, I would assume. Christian: Yeah, 100%. Um, we're coming up on time here a little bit. So I always ask for any last words of wisdom. I'll start with you, Trevor. I know, I know what you always say, but let's see if you say something different this time. Trevor: I think know your market before you start. So, this will go back to we're mentioning all the differences between the different regulations and it got me thinking, if you want to go into this and then when it comes time for submission, you go, 'Oh, well, what if we submit into Japan as well? That could be cool.' It's a very different process. Understand what your addressable market could be and where that is, and then have a game plan at the start instead of trying to say, 'Oh, well, maybe we can do this at the very end,' 'cause if that's your approach, the answer is no, you probably can't do it at the very end. Christian: Well, be you, Dylan, any uh last-minute words of wisdom here? Dylan: I think from a business-owner perspective, on a balance sheet, on a profit and loss, there are some expenses which are generally expenses, and then there are some cost things which are which are investments. And cyber security, um, is just that. It's an investment into the whole life cycle of what you're planning and all the blood, sweat, and tears that you're putting into the work that that you're putting. Christian: Awesome. And I'll say what Trevor always says, is to consider cyber security, cyber security early and often. Christian: Cool. Trevor: We should get shirts made. Christian: We should get shirts made. We have a lot of ideas for shirts. And uh I am you going to be at um, the Bay Area event, uh Dylan? Dylan: Yep. Um I'm flying to the US in two weeks time and I'm going to be spending some time there touring some cities. So it should be a good couple of weeks. Christian: All right, well I'll be seeing you there. I'm not sure if Trevor's going to be there. I think he's going to be still in Asia at that point, but... Trevor: Well I'll see you in Malta. I think that's the last time I saw you Dylan was in San Francisco. Dylan: San Francisco. Yep. Trevor: Yeah, during uh JP Morgan. Dylan: Yep. Christian: Awesome, very cool. Christian: Well, thanks so much Dylan for being a guest on our podcast. We really appreciate you taking the time today. And um thanks so much for all of our listeners for tuning in, and we hope to see you on the next one.