    Episode 034 · December 9, 2025 · 43m listen

    How Cybersecurity Shapes Regulatory and Quality Success with Jim Goodmiller | Ep. 49

    Jim Goodmiller
    Consultant
    BioBridges

    Episode Summary

    In this episode of The Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by Jim Goodmiller of BioBridges to discuss the critical intersection of cybersecurity with regulatory and quality management in the medical device industry. Jim brings over 30 years of consulting experience, with a unique career background split between IT/technology and life sciences. His company, BioBridges, specializes in providing strategic consulting solutions to life sciences companies, helping them navigate the complex journey from concept to commercialization by providing expert resources and guidance, often on a fractional basis to accommodate the needs of startups and growing firms.

    The core of the conversation revolves around the evolving landscape of medtech, where cybersecurity is shifting from an IT-specific concern to a foundational component of product design, regulatory approval, and overall quality. The speakers explore the common pitfall where innovators and startups, driven by the need for funding and a focus on core product features, often treat cybersecurity as an afterthought. This approach, they argue, is becoming increasingly untenable. The discussion highlights that delaying security considerations until the end of the development lifecycle can lead to the discovery of thousands of vulnerabilities just before a planned submission, causing significant, costly delays and potentially jeopardizing the entire project. The hosts and guest emphasize the importance of adopting a 'security-by-design' philosophy, integrating security testing and risk management throughout every stage of development.

    The podcast also delves into the implications of emerging technologies like Artificial Intelligence (AI) in healthcare. While acknowledging AI's potential, the speakers express caution, citing real-world examples where AI has produced harmful outcomes, underscoring the immense responsibility and risk involved in a safety-critical industry. They point to the FDA's increasingly stringent stance on cybersecurity, evidenced by new guidance and significant legal enforcement actions, such as the major settlement with Illumina over falsified security evidence. The episode concludes with a strong message for all medical device manufacturers: cybersecurity is a continuous process. Whether dealing with new innovations or managing legacy devices, a proactive approach that includes early planning, iterative testing, and transparent communication is not just best practice; it is essential for patient safety, regulatory compliance, and business viability.

    Key Takeaways

    • Cybersecurity in the medical device industry is no longer just an IT issue; it is a critical component of regulatory and quality compliance.
    • Many medical device startups and innovators mistakenly de-prioritize cybersecurity in favor of securing funding and product development, a risky approach that can lead to major setbacks.
    • Adopting a 'security-by-design' philosophy is crucial, meaning cybersecurity must be integrated from the concept phase and throughout the entire product development lifecycle.
    • Emerging technologies like AI carry significant risks in the safety-critical healthcare space and require extremely thorough vetting before implementation to prevent patient harm.
    • The FDA is increasing its scrutiny and legal enforcement of cybersecurity regulations, making compliance a necessity for getting and keeping a device on the market.
    • Legacy medical devices present a major challenge, as retrofitting them for modern security standards can be as resource-intensive as creating a new product.
    • For startups and smaller companies, engaging with external subject matter experts for regulatory, quality, and cybersecurity guidance on a fractional basis is a cost-effective strategy to avoid common pitfalls.
    • The process of bringing a medical device to market is complex and iterative; what is initially designed is rarely what is finally shipped due to evolving technical, regulatory, and security requirements.

    Hello and welcome back to the Med Device Cyber Podcast. We have a very special guest today, Jim Goodmiller from over at BioBridges and today what we're going to be talking about is cybersecurity and how it blends in to regulatory and quality. I'll check in with you first, Jim. How are you doing today? Great, Trevor. Thanks for having me guys. Uh, excited to be here today. Awesome. Well, like I said, we're going to go into some cool stuff as far as cybersecurity and how it ties into regulatory, how it ties into quality. And I know Jim, that's a little bit more of your space is on that side of things with BioBridges. So why don't you tell us a little bit about yourself and a little bit about BioBridges on that front. Sure. Happy to. So, uh, Jim Goodmiller. I'm here in the Chicago area. So I've been, you know, within the consulting industry for the past 30 years. Um, and so I've worked, kind of, I've had a split personality where about 60% of my career has been focused on IT, technology, with about 40% in life sciences. And so I've kind of bounced around and seem to go between the two based on what's going on in the world. And so, but most recently, the last decade, it's been focused more towards the life sciences industry and, um, have been working with, uh, with lots of customers of all sizes, helping them kind of navigate all of the challenges and all of the, uh, adventures that are, uh, that are known in our industry. So, um, that's a little bit about me. But, uh, as far as BioBridges, uh, BioBridges has been around for over 20 years. Um, our headquarters is based in Raleigh, North Carolina. We really, you know, we like to say that that we work with companies to try to help them through their whole process from concept to commercialization by bringing in the right strategic consulting solutions, the right resources to help them accomplish their objectives. 
So, um, often times on a fractional basis, cuz many times that's where our clients need us to kind of plug in. Um, but we're kind of the, we tend to be the the organization that comes in, does some work and then gets out. So that's kind of our our approach. I think it's interesting you have, you said like a a split kind of personality, I don't know the term you used, but you have a little bit of IT background and life life sciences background. There's not a lot of people in life sciences from my experience that have an IT background. Yeah, it's it's really interesting. I mean, you know, when I look at the way the the world has evolved, I would have never thought back in the early '90s that technology coupled with life sciences would be as prevalent as it is today. Um, but, but, uh, certainly we're seeing that more and more each and every day. I don't know if you guys have ever heard there's this product out there called AI. So, you know, obviously we're seeing tremendous changes take place with AI and, um, and, you know, with within life sciences clearly, there's some incredible advantages that that will be, where AI will capitalize on that and help. So, uh, so yeah, it's kind of an interesting approach, you know, when I start looking at at how my world is kind of gone full circle. So, um, it it definitely is helping in today's market. Yeah, Trevor and I have been talking about AI quite a bit and I think when you're just talking about AI, there was a movie by Steven Spielberg, I think called "AI" that came out a really long time ago actually. Is is it relevant to today? Is it what, would I put it on and you feel like I'm watching history play out? It is relevant to from today. From what I recall it's about like an AI like, like kind of like human-like person that somebody falls in love with. Sounds more like it. Yes. 
There's yeah, there's quite a few stories like that, I guess but uh, it was it was quite some time ago, like right after, like not too long ago after E.T., so that that that era. But one of the things that we have talked about and I guess curious to get your opinion, Jim with regarding AI, I feel the life sciences or med tech industry is not ready for AI. Maybe on some specific use cases, but not in a generic sense or general sense. And what comes to mind is like this case that I know is being worked now where there's a wellness app that has AI enabled that does, you know, wellness, um, therapy basically. And with this app, the company that made this application, which is falls really under the umbrella of a medical device, is being sued because a suicidal patient that was using this app for therapy after two months, the app told the patient, well, you might as well go ahead and kill yourself. And the patient killed themselves. So the patient's family is suing the company that made this app. So I think everyone always thinks about AI like how great it is when things go right. But in that situation where things went drastically wrong, and it, you know, cost somebody their life. Talk about patient safety, uh, that's a case that I think I don't think we're quite mature enough to understand these edge cases with AI and what the real consequences can be. I'm curious what your thoughts are on that and then we can get Trevor's thoughts as well. Like most new technology innovations, no offense to my marketing folks, but the minute marketing gets a hold of something, it's just, you know, boom, it's out there, right? And I think it's no different with what we're seeing with AI. Um, clearly, you know, AI is a game changer. I think it's uh, something in which we will see a definite revolution and are seeing a revolution take place in the way that we interface with technology. But that being said and especially as it applies to the life sciences industry, we have to be careful. 
Um and it's the reason why life sciences is regulated is because um we can kill people if we're not careful with the right, you know, treatments and therapies and your example is a great one. You know, I kind of I was at a conference and someone equated this to AI is somewhere between Google and Wikipedia. Um, meaning that, you know, it's mostly true, mostly accurate, but every once in a while it's not. And um we had a conversation with a a customer who their physician um, or their medical director was looking at some AI solutions and plugging in information to see how accurate it was and at the time she was like, this is not correct. Like what AI is suggesting here is not accurate yet. And so, so I agree with you, Christian, I think we're a little bit early in stage for a massive adoption to take place. I think everyone wants to see the benefits of what AI can do. Now, clearly in things like looking at radiology, charts and graphs and things to where you know, MRI results, um, no question, there's tremendous benefit to speed and efficiency and, and accuracy even. But when you start getting into other forms of where it's a little more invasive, human to human scenarios like you're discussing or even some potential treatments and how things are affected. I think we need a little more time and a lot more vetting and I think that's going to be a big part of what we're going to see in the next, you know, two years. I think that new technology in general should go through a little bit more of a proving cycle before it should be used in the MedTech space and the life sciences space. And just exactly like you said, Jim, we're in an industry where people can die, people can get really hurt when things go wrong. And so I feel like this is not even just isolated to AI. Any new technology, any new components that we're using very carefully need to be vetted over a fairly long amount of time in my opinion to be proven to be safe and a good fit for the life sciences space. 
I think that AI is evolving to the point where we aren't able to really see the downstream of what it's capable of and what it is capable of as far as making mistakes. And so I think it's a little bit of a dangerous area to use it in safety critical spaces at this point. Well, to what Jim was saying about marketing, I know if you are a med tech innovator and you have AI as part of your solution for some reason, and maybe this is shifting, but for some reason, investors are more likely to invest in you. So we I've noticed a lot of organizations that are trying to get, you know, their Series A funding. They talk about how AI is going to enhance their product and all this stuff and then when they really like pull back the curtain, there really is no AI. It's like a fancy algorithm or something. But that's a way to get funding. And I think it's interesting that investors are are funding AI now, but I think that might shift, like AI might become a red flag, uh, because of the cases that have like come up recently. Yeah, it's a little bit like, you know, the hype cycle that we see within technology where, you know, it, it kind of gets that phase of, of going through the trough of disillusionment. I don't think we're, you know, I don't think we're near there, but I do think that there are a number of cases to where there are some, very savvy investors that are saying, let's hold on a minute. Let's look at this and figure out what is this really going to do and what's our risk, right? I mean, that's at the end of the day, you know, no one wants to end up, you know, hurting people intentionally, hopefully, and you don't want to end up in court uh, because those are two two really bad things for most companies. And so I think I think is important and I do think that you know, anytime we look at this, um, we need to, we need to approach it with, with open eyes and, and not just get all wrapped up in the hype. 
That being said, I do think there's no putting the genie back in the bottle. I mean we are definitely experiencing a revolution and I think for the most part is going to help us as humans do care better. Um, but we got some work to do. I was talking to someone yesterday and I'm curious what your perspective is, Jim. They were saying, and they've been in MedTech for quite some time, that cyber security is now becoming top of mind for almost everyone in the industry. And I... well, I'll, I'll get your opinion before I tell you what my opinion is. What do you, what do you think about that? You think that's true or like what are your thoughts? What I would say is that clearly, uh, we kind of started with cyber security with within, specifically within MedTech, and it was, there was a lot of vagueness, there was a lot of confusion of exactly how does this apply to what is going to be regulated, mandated? How does this this fit? And I think, you know, with a lot of the improvement of communication from, you know, the FDA and, and other organizations, I think we're getting a much clearer road map. And because of that, I think it's causing a number of folks to have to really take a serious look at cyber security. Before it was, I would say, and this is my opinion, it was, "Oh yeah, we got to worry about cyber security." "Yeah, definitely. It's an important thing." And uh, then you'd say, "Well, what are you doing about it?" "Well, we're we're looking into it", right? Whereas now, I mean, I think with the new, whatever it is, 12 different guidelines or whatever they've passed out, it's pretty clear that if you are going to move your product to some form of commercialization, you have to have a cyber security plan. You have to have a road map and a direction and you have to be able to answer some tough questions to the FDA of what you're doing to be able to ensure that your your product is uh going to be compliant. 
And so, um, I would say that it it is definitely growing in the minds, but I don't think that it's adopted the point to where founders, CEOs of, you know, up and coming companies have put that at the forefront. But I think that's going to change quickly. I think it's just a lot of lack of understanding and education, uh of what really is required. So I I think that's that's kind of where I think we sit right now. I have some friends in the space that are innovators and CEOs of their companies or CTOs or something or another where they're handling the product design and essentially cradle to grave of a new medical device. And when I talk to them about what are your top priorities? What are your top concerns? Reimbursement, clinical trials, you know, getting through the FDA, those are their first responses you get every time. Figuring out how to develop it for, you know, a reasonable cost, looking at developer, non-recurring engineers can quickly get past a million dollars in cost. So trying to bring those down. And say, what about cyber security? And often times the answer is, "Oh yeah, well, hopefully our developers know something about that." And then that's about as far as you go. And so I think that, you know, going back to your point where you say, "Well, you know, you're curious to hear who would like what position of someone would say, 'Oh, cyber security is super important'?" Like to myself and Christian, of course, that's all we think about. That's all we do. I think about cyber security, but to a med tech innovator with 500 different things going on and 500 different problems to solve, I feel that cyber security can fall to the back burner a little bit, which is unfortunate since it seems to be what the FDA is really focusing on as one of their top concerns at this point. So letting it fall to the back burner while completely understood is a pretty serious mistake in my mind. 
Yeah, and it's interesting, I watch a lot of innovator pitches to investors and they'll often show the road map and they'll show, you know, a biocompatibility study, they're going to talk to some intellectual property attorneys at this point and get trademarks and on patents and all that stuff, but I've never seen cybersecurity on a road map, not once. And I think it's interesting because I think this is part of the challenge. With cybersecurity, it's not a block of time, like a sterility study or biocompatibility. it's like, "We're going to do this in Q3 2026. We're going to do this study." Cybersecurity, you can't like put it on a roadmap in a quarter because it's more of an iterative thing that has to be from the inception to the disposal of the device along the whole way with various gates. So I think it's a a little bit of a paradigm shift from, "We're going to do this this quarter, this block of time" because that's what most people are used to doing versus where cybersecurity needs to be done throughout the entire life cycle of the product. I was talking to a prospect the other day and they were asking about when should we do our penetration testing. What is the time frame where that's important? And, you know, of course there's the best practice that the FDA recommends and the best practice that is more feasible to do, but they asked what should the, what does the FDA want to see done? I say, well, the FDA wants to see penetration testing done constantly throughout development. And that's the way they put it. They want to see it done at each different phase of the development cycle all the way through up until clearance. Now, for a lot of manufacturers, for a lot of companies, it's not feasible to go through six rounds of penetration testing during development. Penetration testing can take up time and it can be costly, and so if they're not budgeting in these factors, it can be very difficult for them. 
What problems we see come up when we don't take that approach though, when we don't have this early start and iterative cycle is that once we're getting down to the finish line, it's coming time for submission, they go through their first round of penetration testing and they realize that, you know, between all of the different security testing activities on some tests, we've pulled up 5,000 vulnerabilities before throughout static testing and S-Bomb analysis and vulnerability assessments. And at that point, your goal was submission in 30 days with 5,000 vulnerabilities to fix, it's impossible. And then you have to push your whole project back. So, of course, there is, you know, the upfront cost of dealing with cyber security and it might not be very appealing to a lot of innovators, but the downstream effect is so much worse if it's not handled properly. I I think that part of this, if I look back in my career and think about some of the other areas where I've seen this take place. It reminds me of things like SOCS compliance, right? Or with, you know, in the financial industry or, um, really dating myself going back to Y2K of, you know, do we, do we ignore this? And there were, you know, we saw a number of companies in technology during the Y2K era were like, you know, some of them were super innovative on it and, you know, by '98, they were done, right? Others were like, "We're kicking this thing off probably the end of '99." You know, you're like, whoa, whoa, whoa, they're mid '99. And and they were left holding the bag. Fortunately, they were able to, you know, that there was no major issues there, but in this case, to your point, Trevor, I think, um, one of the biggest challenges I think that a lot of founders and, and smaller organizations that fail to do this can really disappoint their investors. 
So the people who are super excited about what they're doing, all of a sudden have to go back and say, hey, we just failed the first round because of this, we didn't prepare properly and now it's going to push our timeline back. So, you know, I I, I think that's a big education that has to take place that's kind of been missing within the industry. And I think some of that is not necessarily at the fault of the founder. Um, I think some of that is at the result of we've had a little ambiguity that took a while to get clarity and now that we have clarity, we need to be shouting that from the mountain tops to say, don't wait because if you wait, it's really going to bite you. Um, or it could really bite you. And so I think that's a really important thing to to really stress. I think another thing that's a little bit unique to cyber security and cyber security testing is a lot of these different studies or tests that manufacturers are going through the goal is obviously pass the test. You know, your device goes through your clinical studies, you want to make sure you have good clinical results. If you're goingSterility, you need to make sure that your device like passes through all these tests. With cyber security testing, I would say that I know we've never seen a device that has no vulner vulnerabilities. They never pass 100% ever. Perfect security is pretty much impossible. And so, the expectation, and we try to lay this out with our clients moving into an engagement is there will be findings. This is not something where you can say, oh, maybe we just won't have anything come up where you can say that with a lot of other types of studies. The cyber security, there are always findings in one way or another. And so preparing for that fact, going, "We're going to have to fix things, we should get on, we should get ahead of this" is a little bit different from saying, "I think we've done everything right where we're not going to have any vulnerabilities come up." 
There's just too much going on with cyber security where it's too easy to let something small slip through the cracks. So, it's... Yeah, I'm trying to think. I don't know, maybe if you've seen one that I haven't, Christian, but I've never seen a pen test come back without at least some type of finding on a medical device. I've not seen an on a medical device. I did see it once on an IP address that they only allowed one specific IP address to connect to it and they had us test it and we weren't coming from that source IP address. So, but that was not a medical device. I'm curious, uh, one of the things you said, which I liked Jim, like what Biobridges does is from concept to commercialization is the phrase you used. And the right time for an innovator to engage with you and your organization is at the concept phase. Is that typically where people engage or yeah, what are your thoughts? boy, it's all over the map. And so, you know, as usual, right? you know, I wish it was I wish it was clear. But for the most part, we have, we what we often find is we'll have customers that will come along and say, you know, they're typically, they're experts in something, and usually it's a lot of times in the medical device world, it's their engineers, right? They've developed some concept or come up with a product. Usually we get to the point where they're usually holding it up to the screen show us their prototype that's, you know, duct tape together. And they often know enough to be dangerous, right? So they know enough about a subject, in this case, maybe engineering, to where they're like, you know, they've come from a background and they understand how to do it. The challenge comes in to when we start asking them questions about like, "So, have you thought about XYZ? Have you thought about your regulatory path? Have you thought about your clinical process? Have you thought about things like cyber security?" 
And usually there's that thousand-yard stare because back to what Trevor was saying is, you know, they're often like, "Look, we're just trying to get funding right now, especially in today's market, right? We're trying to get our funding going, we're trying to get our investor groups put together. So, we like to engage where possible at the beginning to help them, you know, avoid the road blocks or, you know, hit the potholes. At the same point, we see this with some of our mid-sized customers as well, and even some of our larger clients that, you know, you kind of get into an echo chamber at times. And I often like to use the term, it's really hard to do surgery on yourself. Um, and so, you need some times that outside perspective, and what I like to say is, what we want to do is bring those subject matter experts in, you know, when you know you need them. And when you look around the room and you say, "Either we don't have enough hands to help get this work done or to be able to accomplish the mission, or we're outside of our comfort level of expertise, and we need somebody that's on the outside that can come in and bring some clarity for us." And that's really where we love to plug in. I have a question for you guys if you don't mind. How is your customers that you're talking with that have legacy devices set up in places like hospitals. What's the thought that you you've heard from that community, right? Obviously they they have some challenges because they've got devices plugged into hospital systems that have been there for X amount of years that are definitely not in compliance. What does that look like? Looks like a lot of anxiety coming from our clients more often than not. Dealing with these legacy devices. So right now the guidance on what you're supposed to do with them, unless you're going for a resubmission, is pretty thin. 
And even then, the resubmission pathway for legacy devices, and for changes not affecting or affecting cybersecurity, came into effect last month. So it's very fresh, it's very new. We're seeing a lot more manufacturers come to us and say, we have this legacy device that's out there, it's sitting in existing hospital networks, or we're making a small change and slowly trying to build it up. But oftentimes the problem these companies run into is, "Oh, we designed this device so inherently insecurely, you know, 10 years ago. The effort and the lift to bring it up to modern standards is practically a completely new product." And so, going through the incremental steps, I feel like the FDA is working on pathways, such as their documentation around controlled risk as an alternative documentation pathway. It's helpful to help these manufacturers slowly start bridging the gap, focus on their post-market activities, focus on a robust software bill of materials, and really boil it down to what the big problems are. That's kind of the pathway the FDA is recommending at this point, and so that's what we're advising our clients to do: don't boil the ocean, focus on what you can control now, and then slowly work your way up to full compliance in preparation for the next time you have to go in with a submission to the FDA. And we've had a couple of clients that have been fairly proactive, that have said, here's our portfolio of legacy devices, can your team do a penetration test on all of them, do some analysis, so at least we understand the risk and what we should maybe think about fixing, even though it's not mandated. They're being proactive about it.

That's probably great, but probably more rare. I would think that most organizations are still trying to, like... because it's new.
But I do think it creates a lot of questions, because if there is, let's say, a big incident that takes place as a result of that, we could see things really ramp up, and the industry was pretty flat-footed on that. So, yeah, I was curious about your thoughts on that.

I think some of these manufacturers are seeing, A, the downstream effect of cybersecurity on the patients. There have been a few notable breaches. Ransomware, of course, is probably a hospital's worst nightmare, since that shuts everything offline; they need to go through insurance, they need to go through ransomware brokers. It's a whole big problem. So people see the downstream of that, and people understand how big of a problem it is. Not only that, but the FDA is starting to get more and more strict on legal enforcement against these companies who are not compliant. And so the Illumina case, which was a public trial where the FDA and the Department of Justice had a suit against Illumina for essentially falsifying cybersecurity evidence. This was a huge problem that came up, and it came down to Illumina saying they had cybersecurity in places that they didn't, and they ended up settling for around $10 million with the FDA as a result of this non-compliance. That was a big wake-up call. We've had a lot of our clients come to us and say, hey, obviously you're aware of this, but what are the downstream implications for us? What do we do about this? And the answer is, luckily, don't lie to the FDA. I feel like it's pretty straightforward. And do your due diligence, yes. Do due diligence. Don't falsify cybersecurity evidence, be truthful about what you're doing, but be accurate about what you're doing. Cover cybersecurity, cover your bases, and protect yourselves on this front. So I think it is becoming a little bit more front of mind.

Well, I think with legacy devices, it's not just a technical issue. My wife used to be a nurse, and we talk about these things all the time.
She works with Blue Goat now. But one of the challenges is, to roll a new device out to a healthcare delivery organization to replace a legacy one is a lot more involved than we probably think. It's not just a matter of disconnecting the legacy device and plugging the new one in. You have to train all the staff on how to use this new piece of equipment. You have to train the hospital IT administrators on what it does and how it operates. There's a whole ecosystem that goes in place that I think a lot of people don't quite understand. It's not just a matter of unplugging the legacy and plugging in the new one; there's a lot more involved with it, which makes it much more complicated, and there's much more resistance to even having a new device put on the network and everything else.

Yeah, it makes sense. And expensive, right? I mean, that's a huge aspect of, you know, stretched costs as it is in healthcare. It's not a cheap solution either. So yeah, I'm sure we're going to learn a lot over the next few years on what that's going to look like, but I was just curious for you guys, because you're dealing with that, and we've heard rumblings, but we're not there yet with a lot of our clients.

I think we're headed in the right direction in terms of cybersecurity and medical devices. There have been a couple of things that have maybe brought cybersecurity more to the forefront of people's minds. I think it's still not there, but, like, the Illumina case Trevor mentioned, the wellness app with AI that, you know, the patient themselves... So there are finally some things that are happening. I think there was one case, Trevor, you mentioned, where some people died as well as a result of a medical device that was compromised, right?
Yeah, there was a ransomware attack on a blood transfusion center in the UK for critical care patients, end-of-life cancer patients, things like that. Ransomware got in and essentially shut down everything, every single device on the network, every single computer. And they were able to immediately and directly trace a cybersecurity attack to the death of patients, for possibly the first time where they could directly pin that down to a cybersecurity attack, as a result of patients not being able to receive treatments. So unfortunately these are all negative cases. I'm hoping the positive outcome is that people actually start considering cybersecurity and putting it on those roadmaps, and from concept they actually consider it as well.

Because, Jim, earlier you were talking about helping with the roadmap, helping close those gaps, and avoiding the echo chamber. It seems to me, if someone is concerned about getting an investor to invest in their product... this is my perspective, maybe I'm wrong, but if I were to invest in someone, I'd want to see the person with the best plan, the best thought-out plan that considers the main elements that would affect the success or the likelihood of success of their product going to market. So that's what I would look at. So I would think someone would want to come to you and help fill out that roadmap and say, these are all the things you should consider, versus just saying, "All we're concerned about is getting an investor. We don't care about these things." It's like the opposite. It should be the other way around: we care about getting investment, so obviously we care about having our roadmaps and our ducks in a row so we can make the pitch appropriately.
One of the hardest challenges with founders is, you know, to make sure they don't fall too in love with the product, to where they forget that there's a whole way you have to get this through to the market. And I've had conversations with founders in the past where, 35 minutes into the conversation, they finally take a deep breath and stop talking about the product and all the intricacies of the product. And, again, it's great, I love your enthusiasm, but from a core standpoint of getting that product that's sitting on your computer screen you're showing me to actually being purchased and paid for, which is ultimately the goal, it's a lack of understanding of the full process, and it's a little bit overwhelming at times. We're trying to make it bite-size. As a matter of fact, we're putting together some packages that are lower in cost for some of these smaller firms, to help them put together some assessments, to say, let's take a look at this so we can help you pop the hood so you can at least know what you're looking at. We're happy to come in and help you fix it, but you need to know what you need to do first and where you are. And so we want to really take that approach, and certainly cybersecurity, which is why we love our partnership with Blue Goat, is a huge part of that. We know what we know and we know what we're good at, and we don't want to be a cybersecurity company. We want to partner with you guys to help us and our customers navigate that. So that's the way we kind of look at things now.

Yeah, we do something similar.
We have an offering where, when somebody is at that concept phase, for not that much money they can get some time with us so we can tell them what's missing from the cyber lens and get them thinking about it early on, which is much more cost-effective than forgetting about it and trying to retroactively add things later. And one of the things you were talking about, with a founder being enamored with their own product, I get that. I get this question a lot, because I was an entrepreneur and I talk about entrepreneurship topics quite a bit as well. And I think as the owner or founder, all these areas are ultimately your responsibility to figure out or have somebody else do, but you need to know that these things need to be on a roadmap. I think a lot of founders just automatically say, well, I don't need to worry about that, that's somebody else's responsibility. But I'm like, if I'm an investor, I'm investing in you; it's your responsibility because it's your organization. But there's this resistance to understanding, like, these are things I need to take ownership of to make sure they get done.

Yeah, that's a really great point. If you watch any Shark Tank, you'll see it quickly, where you can tell, we're investing in you, right, as that founder. And I think sometimes it's intimidating; you don't want to come across like you don't know what you're talking about, but I think that's the perfect time to surround yourself with great partners that can help you navigate that. We've told a number of our customers... I bet there are 10 to 12 customers we're in contact with now that we could put in our "waiting for funding" category. They are absolutely innovative products, some really cool stuff. They're trying to raise money.
But we've already had some initial conversations with them and said, so when you get your funding, here's how you're going to handle the regulatory approach, here's how you're going to handle the QMS, here's how you're going to handle some of the submissions you need to do. So that when they do get funding, they're ready to go. But more importantly, when they go to their investor groups, they can say, hey, we've already thought through this, we have a plan, and we have a partner that's going to help us navigate it and has done it time and time and time again. And I think that's the way to avoid a lot of problems, as well as to keep your costs down, because the two most precious commodities are your time and your money, and especially as a founder in an entrepreneurial company, you have to make sure you watch those very carefully.

Do a lot of organizations come to you in that "waiting for funding" portion, or stage, I guess?

Yeah, we usually run into them. It's usually molecules colliding, where we're at a conference, or we're at a pitch event, or they're hearing us speak at something, and they come up and say, hey, I've got this, how do I handle this? It usually starts with them wanting a quick answer, right? They want something fast, to say, well, how do we do this? And our answer is always, be quick but don't be in a hurry, right? Because that's where you're going to get in trouble. So oftentimes it's those conversations that lead to some initial due diligence with them, understanding where their current state is, getting around their mindset. That's really important as well.
I've had a couple of companies where we've gotten off calls and I've just been like, they need to kind of fall a little bit, they need to bump their head a little, to understand what is going to be required, because they're not willing to admit, right, that they have some issues ahead of them. We can't fix that. We can warn, we can sound the alarm, we can point out the information, but you have to be open to listening to the people who... and certainly I'm not the subject matter expert on all of that, but my team is, and the people we surround ourselves with, including guys like you, where we can say, look, this is what these guys do all day every day and have for a long, long time. Take the counsel, take the advice. You're going to be so much further along in your process. That's where we typically run into them, though. Usually it's at some event; that seems to be where it usually happens.

So you're running into them, versus them proactively reaching out, it sounds like, is the more common scenario.

We have some that do reach out, but I would say we've started to work with a couple of VC firms as well, because they recognize the importance of, hey, we're the ones investing the money, we need to make sure that this product, or whatever it is they're working on, can do what it says it can do, and that they have some gaps. And so we're starting to see some of that trickle in. We're getting some referrals from our VC partners as well that say, "Hey, this company might need some assistance with this." As well as in the academic space.
We've been doing some work with a couple of universities, where we're providing some resources to help some of these innovation centers that are kicking off, to bring in some coaching and support. We've got one gig out on the West Coast where we're doing that now, and our resource, she's almost on a retainer basis where they pull her in and out for subject... "I've got to be careful with the law, it's not a secret anymore." That's been a really cool thing to watch happen, as well.

Yeah, that's awesome. I mean, it's very challenging to go from a physician with a brilliant idea to becoming an entrepreneur, a business person, and understanding this whole entire ecosystem and bringing a product to market with the right time, the right cost... there are a lot of factors that go into this. The learning curve is pretty immense, and the skill sets are very different. But to your point, Christian, I think it's really important for owners and founders, if you don't have that expertise... I've heard before, it's like when you're starting an organization, if you're the CEO, you still have to put out the organizational chart. You might do seven of those roles at first.

You're temporarily in those roles until you find somebody else to fulfill them, yeah.

Exactly, but the point is that the role still has to be done, and that's up to you to do it until you get somebody else, or you grow to the point where you can afford someone else to handle that. And I think that's a really important thing to stress: make sure you take responsibility for it, but then quickly realize, I'm not the expert in this, I'm not a CFO, I don't know this. That's when you want to come to organizations that have that expertise.

100%.
And today, as you alluded to earlier, there's the ability to fractionalize everything, so you can hire expertise on an as-needed basis and not necessarily have to find somebody full-time. You can have a team of people fractionally that are typically much better than one individual on a full-time basis. As a matter of fact, it's funny, we're getting ready to launch a new group within BioBridges that's going to help organizations in life sciences with CFO support and HR support on a fractional basis, because we continue to have conversations with our customers where, especially as they start to grow, they start saying, we can't afford, nor should we, bring on a full-time person, but boy, we could really use somebody to help us navigate these waters who understands the life sciences industry. So we're trying to build that right now.

Yeah, so we're coming up on time here. I like to ask people for last-minute words of wisdom. And Trevor, you have to say something different this time.

I haven't heard Trevor's words of wisdom. Can I get two, Trevor?

Yeah, you can get two. You can get his typical one and a new one. So start, Trevor. I put you on the spot.

All right. Well, my typical one is: consider cybersecurity early and often, and don't leave it to the end. It's something you should start with; you should go with cybersecurity by design all the way through. Since I'm not allowed to use that one, I'll pick a different one. What I'm going with today is: what you design is probably not going to be what you ship. There are too many factors you are not considering at these early phases, and that's okay. You've got to go through these different cycles. You have to understand what constraints there are on the technical development side of things, what you're not able to implement to be compliant or to pass different types of testing.
And all of that isn't going to be immediately apparent until you start working through this process, or you start working with a company like BioBridges that's guiding you along the process. So be aware that your product is going to go through a lot of different iterations and cycles, and it's just part of the game.

I like that new one, Trevor. Yeah. What about you, Jim? What are your last-minute words of wisdom, or parting words of wisdom?

Yeah, I would say one of my sayings, which anyone who works with me knows I say and is sick of, but I'll say it anyway: in the absence of communication, perception creeps in. And I think I invented that, because I can't have anybody show me that they didn't. So I've signed off saying that I created that saying. And the reason I like that saying is because in what we do, and in everything that we do, we are still interacting with people. And oftentimes what we find, some of the biggest challenges people face, or our customers face, is the communication process. It's interacting with other human beings and making sure we have open, honest, and transparent communication. Because if we don't, then we start to perceive things, like, "This will be fine. This will work out. There's no issues here." And so, really having heart-to-heart conversations with yourself, with your partners, within the organization, your family, all of those things are super important. So that's my parting word.

I like that. I will piggyback on what Trevor said. One of my philosophies is kaizen, which is constant and never-ending improvement. And the whole concept is, when you're designing something, as Trevor said, it's probably not going to be what you ship, but with what you ship or sell, you have to have the mindset that until I take these steps, I don't necessarily know the whole path.
The path will start illuminating as I take the steps, but I have to have the mindset, let's take this first step, and we may not get it all figured out on the next step, but we have to take some feedback and make some corrections and apply that continuous improvement. We're not going to get it all figured out right the first time. At least that's my experience. Maybe some people do.

No, I think that's great. Yeah, it's easy to steer the car when it's moving, right? That's the way I always think about that. But that's great.

Awesome. We'll wrap up here. I think I'm going to go take my Blue Goat mug and get some more mushroom coffee. It's before noon, Trevor, so I'm okay.

There you go. Awesome. You're all good.

Well, thanks so much, Jim, for being our guest today, and we value our partnership with BioBridges. And thanks everyone for tuning in to the Med Device Cyber Podcast. I hope you found this episode valuable, and we'll see you on the next one.
