In this episode of The Med Device Cyber Podcast, host Christian Torres and Trevor sat down with Jim Goodmiller from Bio Bridges to discuss the critical intersection of cybersecurity with regulatory and quality success in the medical device industry. Jim Goodmiller, with a unique background blending IT and life sciences, shared insights from his 30 years in consulting, emphasizing Bio Bridges' mission to guide companies from concept to commercialization. The conversation delved into the evolving landscape of medical device cybersecurity, highlighting the FDA's increasing scrutiny and the transition from vague guidelines to clear mandates for cybersecurity plans. They addressed the challenges faced by innovators and CEOs who often prioritize reimbursement and clinical trials over cybersecurity, leading to significant delays and costs if not addressed early. The discussion covered the pitfalls of neglecting cybersecurity in the product development roadmap, the impossibility of achieving perfect security, and the need for continuous iterative testing, such as penetration testing, throughout the device lifecycle. The episode also touched upon the complexities of managing cybersecurity for legacy devices in hospitals and the impact of recent high-profile cases, like the Illumina lawsuit and ransomware attacks, on industry awareness and regulatory enforcement. This episode is a must-listen for product security teams, regulatory leads, and engineers navigating the intricate world of medical device development.
Key Takeaways
1. Cybersecurity must be integrated into medical device development from the concept phase, not as an afterthought, to avoid costly delays and regulatory setbacks.
2. The FDA is increasingly stringent, requiring clear cybersecurity plans and roadmaps for product commercialization.
3. Achieving perfect security in medical devices is unrealistic; manufacturers should expect and plan for vulnerabilities, addressing them through continuous, iterative testing.
4. Legacy medical devices pose significant cybersecurity challenges, requiring a focused, incremental approach to bring them to modern standards.
5. High-profile incidents such as the Illumina lawsuit and ransomware attacks underscore the severe consequences of cybersecurity negligence, including financial penalties and patient harm.
This episode covers Penetration Testing. It's part of The Med Device Cyber Podcast, hosted by Blue Goat Cyber, focused on practical medical device cybersecurity guidance for MedTech teams.
Hello and welcome back to the Med Device Cyber Podcast. We have a very special guest today, Jim Goodmiller from over at Bio Bridges. Today, what we're going to be talking about is cybersecurity and how it blends into regulatory and quality. I'll check in with you first, Jim, how are you doing today?
Great, Trevor. Thanks for having me, guys. Excited to be here today. Awesome.
Well, like I said, we're going to go into some cool stuff as far as cybersecurity and how it ties into regulatory, how it ties into quality. I know, Jim, that's a little bit more of your space on that side of things with Bio Bridges. So why don't you tell us a little bit about yourself and a little bit about Bio Bridges on that front?
Sure, happy to. I'm Jim Goodmiller, based here in the Chicago area. I've been in the consulting industry for the past 30 years. I've had a split personality where about 60% of my career has been focused on IT technology, with about 40% in life sciences. I've kind of bounced around and seemed to go between the two based on what's going on in the world.
Most recently, for the last decade, it's been focused more towards the life sciences industry, and I've been working with lots of customers of all sizes, helping them kind of navigate all of the challenges and all of the adventures that are known in our industry. That's a little bit about me.
As for Bio Bridges, Bio Bridges has been around for over 20 years. Our headquarters is based in Raleigh, North Carolina. We really like to say that we work with companies to try to help them through their whole process from concept to commercialization by bringing in the right strategic consulting solutions, the right resources to help them accomplish their objectives.
Often, this is on a fractional basis because many times that's where our clients need us to kind of plug in. We tend to be the organization that comes in, does some work, and then gets out. So that's kind of our approach.
I think it's interesting you said a split kind of personality. I don't know the term we use, but you have a little bit of an IT background and a life sciences background. There are not a lot of people in life sciences from my experience that have an IT background.
Yeah, it's really interesting. When I look at the way the world has evolved, I would have never thought back in the early 90s that technology coupled with life sciences would be as prevalent as it is today. But certainly, we're seeing that more and more each and every day. I don't know if you guys have ever heard, there's this product out there called AI.
Obviously, we're seeing tremendous changes take place with AI, and within life sciences, clearly, there are some incredible advantages that AI will capitalize on and help. So yeah, it's kind of an interesting approach when I start looking at how my world has kind of gone full circle. It definitely is helping in today's market.
Yeah, Trevor and I have been talking about AI quite a bit, and I think when you're just talking about AI, there was a movie by Steven Spielberg, I think, called AI that came out a really long time ago, actually. Is it relevant to today? Would I put it on and feel like I'm watching a history play?
It is relevant to today. From what I recall, it's about an AI, kind of a human-like person that somebody falls in love with. There are a lot of stories like that. That sounds more like it, yes.
There are quite a few stories like that, I guess, but it was quite some time ago, like right after ET. So, that era. But, one of the things that we have talked about, and I'm curious to get your opinion, Jim, regarding AI. I feel the life sciences or MedTech industry is not ready for AI, maybe on some specific use cases, but not in a generic or general sense.
What comes to mind is this case that I know is being worked on now where there's a wellness app that has AI enabled that does wellness therapy. With this app, the company that made this application, which falls under the umbrella of a medical device, is being sued because a suicidal patient who was using this app for therapy was told by the app, after two months, "Well, you might as well go ahead and kill yourself." The patient then killed themselves.
So, the patient's family is suing the company that made this app. I think everyone always thinks about AI like how great it is when things go right. But in that situation where things went drastically wrong and it cost somebody their life, talk about patient safety. That's a case, I think, where we're not quite mature enough to understand these edge cases with AI and what the real consequences can be. I'm curious what your thoughts are on that, and then we can get Trevor's thoughts as well.
Like most new technology innovations, no offense to my marketing folks, but the minute marketing gets a hold of something, boom, it's out there, right? I think it's no different with what we're seeing with AI. Clearly, AI is a game-changer. I think it's something in which we will see a definite revolution and are seeing a revolution take place in the way that we interface with technology.
That being said, and especially as it applies to the life sciences industry, we have to be careful. The reason why life sciences is regulated is because we can kill people if we're not careful with the right treatments and therapies. Your example is a great one.
I was at a conference, and someone equated this to AI being somewhere between Google and Wikipedia, meaning that it's mostly true, mostly accurate, but every once in a while, it's not. We had a conversation with a customer whose physician or medical director was looking at some AI solutions and plugging in information to see how accurate it was.
At the time, she was like, "This is not correct." What AI is suggesting here is not accurate yet. So, I agree with you, Christian. I think we're a little bit early in stage for a massive adoption to take place. I think everyone wants to see the benefits of what AI can do.
Now, clearly, in things like looking at radiology charts and graphs and things where MRI results, no question there's tremendous benefit to speed and efficiency and accuracy even. But when you start getting into other forms where it's a little more invasive human-to-human scenarios like you're discussing, or even some potential treatments and how things are affected, I think we need a little more time and a lot more vetting. I think that's going to be a big part of what we're going to see in the next two years.
I think that new technology, in general, should go through a little bit more of a proving cycle before it should be used in the MedTech space and the life sciences space. Just exactly like you said, Jim, we're in an industry where people can die. People can get really hurt when things go wrong. So, I feel like this is not even just isolated to AI. Any new technology, any new components that we're using, very carefully need to be vetted over a fairly long amount of time, in my opinion, to be proven to be safe and a good fit for the life sciences space.
I think that AI is evolving to the point where we aren't able to really see the downstream of what it's capable of and what it is capable of as far as making mistakes. So I think it's a little bit of a dangerous area to use it in safety-critical spaces at this point.
Well, to what Jim was saying about marketing, I know if you are a MedTech innovator and you have AI as part of your solution, for some reason, and maybe this is shifting, but for some reason, investors are more likely to invest in you. So, I've noticed a lot of organizations that are trying to get their Series A funding. They talk about how AI is going to enhance their product and all this stuff.
When they really pull back the curtain, there really is no AI. It's like a fancy algorithm or something. But that's a way to get funding. I think it's interesting that investors are funding AI now, but I think that might shift. AI might become a red flag because of the cases that have come up recently.
Yeah, it's a little bit like the hype cycle that we see within technology where it kind of gets that phase of going through the trough of disillusionment. I don't think we're near there, but I do think that there are a number of cases where there are some very savvy investors that are saying, "Let's hold on a minute. Let's look at this and figure out what is this really going to do and what's our risk, right?"
I mean, that's at the end of the day. No one wants to end up hurting people intentionally, hopefully, and you don't want to end up in court because those are two really bad things for most companies. So, I think caution is important, and I do think that anytime we look at this, we need to approach it with open eyes and not just get all wrapped up in the hype.
That being said, I do think there's no putting the genie back in the bottle. I mean, we are definitely experiencing a revolution, and I think for the most part, it's going to help us as humans do care better, but we got some work to do.
I was talking to someone yesterday, and I'm curious what your perspective is, Jim. They were saying, and they've been in MedTech for quite some time, that cybersecurity is now becoming top of mind for almost everyone in the industry. I'll get your opinion before I tell you what my opinion is. Do you think that's true, or what are your thoughts?
What I would say is that clearly we kind of started with cybersecurity, specifically within MedTech, and there was a lot of vagueness. There was a lot of confusion about exactly how this applies to what is going to be regulated, mandated, and how this fits. I think with a lot of the improvement of communication from the FDA and other organizations, we're getting a much clearer roadmap.
Because of that, I think it's causing a number of folks to have to really take a serious look at cybersecurity. Before, I would say, and this is my opinion, it was, "Oh yeah, yeah, we got to worry about cybersecurity. Yeah, definitely, it's an important thing." Then you'd say, "Well, what are you doing about it?" "Well, we're looking into it," right?
Whereas now, I mean, I think with the new whatever it is, 12 different guidelines or whatever they've passed out, it's pretty clear that if you are going to move your product to some form of commercialization, you have to have a cybersecurity plan. You have to have a roadmap and a direction, and you have to be able to answer some tough questions to the FDA about what you're doing to be able to ensure that your product is going to be compliant.
So, I would say that it is definitely growing in people's minds, but I don't think that it's adopted to the point where founders, CEOs of up-and-coming companies, have put that at the forefront. But I think that's going to change quickly. I think it's just a lot of lack of understanding and education of what really is required. So I think that's kind of where we sit right now.
I have some friends in the space who are innovators and CEOs of their companies or CTOs, or something or another, where they're handling the product design and essentially cradle to grave of a new medical device. When I talk to them about what are your top priorities, what are your top concerns, reimbursement, clinical trials, getting through the FDA, those are their first responses you get every time.
Figuring out how to develop it for a reasonable cost, looking at developer non-recurring engineers, can quickly get past a million dollars in cost. So, trying to bring those down and say, "What about cybersecurity?" And often times, the answer is, "Oh yeah, well, hopefully, our developers know something about that." And then that's about as far as you go.
So, I think that going back to your point where you say, "Well, you know, you're curious to hear who would say cybersecurity is super important." To myself and Christian, of course, that's all we think about. That's all we do is think about cybersecurity. But to a MedTech innovator with 500 different things going on and 500 different problems to solve, I feel that cybersecurity can fall to the back burner a little bit, which is unfortunate since it seems to be what the FDA is really focusing on as one of their top concerns at this point. So letting it fall to the back burner, while completely understandable, is a pretty serious mistake in my mind.
Yeah, and it's interesting. I watch a lot of innovator pitches to investors, and they often show the roadmap, and they'll show a biocompatibility study. They're going to talk to some intellectual property attorneys at this point and get trademarks and patents and all that stuff. But, I've never seen cybersecurity on a roadmap, not once.
I think it's interesting because I think this is part of the challenge with cybersecurity. It's not a block of time, like a sterility study or biocompatibility, where we're going to do this in Q3 2026. Cybersecurity, you can't put it on a roadmap in a quarter because it's more of an iterative thing that has to be from the inception to the disposal of the device along the whole way with various gates. So, I think it's a little bit of a paradigm shift from "we're going to do this this quarter, this block of time," because that's what most people are used to doing, versus where cybersecurity needs to be done throughout the entire lifecycle of the product.
I was talking to a prospect the other day, and they were asking about when should we do our penetration testing? What is the timeframe where that's important? Of course, there's the best practice that the FDA recommends, or the best practice that is more feasible to do, but they asked, "What does the FDA want to see done?"
I say, "Well, the FDA wants to see penetration testing done constantly throughout development." That's the way they put it. They want to see it done at each different phase of the development cycle, all the way through up until clearance. Now, for a lot of manufacturers, for a lot of companies, it's not feasible to go through six rounds of penetration testing during development.
Penetration testing can take up time and it can be costly. So, if they're not budgeting in these factors, it can be very difficult for them. What problems we see come up when we don't take that approach, though, when we don't have this early start and iterative cycle, is that once we're getting down to the finish line, it's coming time for submission.
They go through their first round of penetration testing and they realize that, between all of the different security testing activities on some tests, we've pulled up 5,000 vulnerabilities before throughout static testing and SBOM analysis and vulnerability assessments. At that point, your goal was submission in 30 days with 5,000 vulnerabilities to fix. It's impossible.
Then you have to push your whole project back. So, of course, there is the upfront cost of dealing with cybersecurity, and it might not be very appealing to a lot of innovators, but the downstream effect is so much worse if it's not handled properly.
I think that part of this, if I look back in my career and think about some of the other areas where I've seen this take place, it reminds me of things like SOX compliance, right, in the financial industry, or, really dating myself, going back to Y2K. Do we ignore this?
We saw a number of companies in technology during the Y2K era where some of them were super innovative on it, and by '98, they were done. Others were like, "We're kicking this thing off probably the end of '99." You're like, "Whoa, whoa, whoa," or mid-'99, and they were left holding the bag. Fortunately, there were no major issues there.
But in this case, to your point, Trevor, I think one of the biggest challenges I think that a lot of founders and smaller organizations that fail to do this can really disappoint their investors. So, the people who are super excited about what they're doing all of a sudden have to go back and say, "Hey, we just failed the first round because of this. We didn't prepare properly." And now it's going to push our timeline back.
So, I think that's a big education that has to take place that's kind of been missing within the industry. I think some of that is not necessarily at the fault of the founder. I think some of that is at the result of us having a little ambiguity that took a while to get clarity.
Now that we have clarity, we need to be shouting that from the mountaintops to say, "Don't wait, because if you wait, it's really going to bite you," or it could really bite you. So, I think that's a really important thing to really stress.
I think another thing that's a little bit unique to cybersecurity and cybersecurity testing is a lot of these different studies or tests that manufacturers are going through, the goal is obviously to pass the test. Your device goes through your clinical studies, you want to make sure you have good clinical results. If you're going sterility, you need to make sure that your device passes through all these tests.
With cybersecurity testing, I would say that I know we've never seen a device that has no vulnerabilities. They never pass 100%. Ever. Perfect security is pretty much impossible. So the expectation, and we try to lay this out with our clients moving into an engagement, is there will be findings.
This is not something where you can say, "Oh, maybe we just won't have anything come up," where you can say that with a lot of other types of studies. With cybersecurity, there are always findings in one way or another. So, preparing for that fact, "we're going to have to fix things, we should get ahead of this," is a little bit different from saying, "I think we've done everything right where we're not going to have any vulnerabilities come up."
There's just too much going on with cybersecurity where it's too easy to let something small slip through the cracks. So it's, yeah, I'm trying to think, I don't know, maybe if you've seen one that I haven't, Christian, but I've never seen a pen test come back without at least some type of finding on a medical device.
I've not seen it on a medical device. I did see it once on an IP address that they only allowed one specific IP address to connect to it, and they had us test it, and we weren't coming from that source IP address. But that was not a medical device.
I'm curious, one of the things you said which I liked, Jim, what Bio Bridges does is "from concept to commercialization," is a phrase you used. That tells me the right time for an innovator to engage with you and your organization is at the concept phase. Is that typically where people engage, or what are your thoughts?
Boy, it's all over the map, as usual, right? I wish it was clear. But for the most part, we often find customers who will come along and say they're typically experts in something, and usually, a lot of times in the medical device world, it's their engineers, right? They've developed some concept or come up with a product.
Usually, we get to the point where they're usually holding it up to the screen to show us their prototype that's duct-taped together. They often know enough to be dangerous, right? So, they know enough about a subject, in this case, maybe engineering, where they've come from a background and they understand how to do it.
The challenge comes into when we start asking them questions about, "Have you thought about XYZ? Have you thought about your regulatory path? Have you thought about your clinical process? Have you thought about things like cybersecurity?" And usually, there's that thousand-yard stare because, back to what Trevor was saying, they're often like, "Look, we're just trying to get funding right now, especially in today's market, right? We're trying to get our funding going. We're trying to get our investor groups put together."
So, we like to engage where possible at the beginning to help them kind of avoid the roadblocks or hit the potholes. At the same point, we see this with some of our midsize customers as well, and even some of our larger clients, that you kind of get into an echo chamber at times. I often like to use the term, "It's really hard to do surgery on yourself."
So, you need sometimes that outside perspective. What I like to say is what we want to do is bring those subject matter experts in when you know you need them, and when you look around the room and you say, "Either we don't have enough hands to help get this work done or to be able to accomplish the mission, or we're outside of our comfort level of expertise and we need somebody that's on the outside that can come in and bring some clarity for us." And that's really where we love to plug in.
I have a question for you guys if you don't mind. How are your customers that you're talking with that have legacy devices set up in places like hospitals? What's the thought that you've heard from that community? Obviously, they have some challenges because they've got devices plugged into hospital systems that have been there for X amount of years that are definitely not in compliance. What does that look like?
It looks like a lot of anxiety coming from our clients more often than not dealing with these legacy devices. So, right now, the guidance on what you're supposed to do with them, unless you're going for a resubmission, is pretty thin. Even then, the resubmission pathway for legacy devices and changes not affecting cybersecurity or affecting cybersecurity came into effect last month, so it's very fresh, it's very new.
We're seeing a lot more manufacturers come to us and say, "We have this legacy device that's out there. It's sitting in existing hospital networks, or we're making a small change and slowly trying to build it up." But often times, the problem that these companies run into is, "Oh, we designed this device so inherently insecurely 10 years ago, the effort and the lift to bring it up to modern standards is practically a completely new product."
So, going through the incremental steps, and I feel like the FDA is working on pathways such as their documentation around controlled risk as an alternative documentation pathway. It's helpful to help these manufacturers slowly start bridging the gap, focus on their postmarket activities, focus on a robust Software Bill of Materials, and really boil it down to what are the big problems.
That's kind of the pathway that the FDA is recommending at this point. So that's what we're advising our clients to do is don't boil the ocean. Focus on what you can control now, and then slowly work your way up to that full compliance in preparation for the next time that you have to go with a submission with the FDA.
We've had a couple of clients that have been fairly proactive and have said, "Here's our portfolio of legacy devices. Can your team do a penetration test on all of them? Do some analysis so at least we understand the risk and what we should maybe think about fixing, even though it's not mandated." They are being proactive about it. That's probably great, but probably more rare.
I would think that most organizations are still trying to, because it's new, but I do think it creates a lot of questions because if there is, let's say, God forbid, an incident that takes place as a result of that, we could see things really ramp up, and the industry was pretty flat-footed on that. So yeah, I was curious about your thoughts on that.
I think some of these manufacturers are seeing the downstream effect of cybersecurity against the patients. There have been a few notable breaches. Ransomware, of course, is a hospital's probably worst nightmare since that shuts everything offline. They need to go through insurance. They need to go through ransomware brokers. It's a whole big problem.
So people see the downstream of that, and people understand how big of a problem it is. Not only that, but the FDA is starting to get more and more strict on legal enforcement against these companies who are not compliant. The Illumina case, which was a public trial where FDA and the Department of Justice had a suit against Illumina for essentially falsifying cybersecurity evidence.
This was a huge problem that came up, and it was down to Illumina saying they had cybersecurity in places that they didn't, and they ended up settling for around $10 million with the FDA as a result of this non-compliance. That was a big wake-up call. We've had a lot of our clients come to us and say, "Hey, you know, obviously you're aware of this, but what are the downstream implications for us? What do we do about this?"
And the answer is, luckily, "Don't lie to the FDA." I feel like it's pretty straightforward. And do your due diligence. Yes, do your due diligence. Don't falsify cybersecurity evidence. Be truthful about what you're doing, but be accurate about what you're doing. Cover cybersecurity, cover your bases, and protect yourselves on this front. So, I think it is becoming a little bit more front of mind.
Well, I think with legacy devices, it's not just a technical issue. My wife used to be a nurse, and we talk about these things all the time because she works with Blue Goat now. But one of the challenges is that to roll a new device out there to a healthcare delivery organization to replace a legacy is a lot more involved than we probably think.
It's just not a matter of disconnecting the legacy device and plugging the new one in. You have to train all the staff on how to use this new piece of equipment. You have to train the hospital IT administrators on what it does and how it operates. I mean, there's a whole ecosystem that goes into place that I think a lot of people don't quite understand. It's not just a matter of unplugging the legacy and plugging the new one in. There's a lot more involved with it, which makes it much more complicated, much more, there's much more resistance to even have a new device put on the network than everything else.
Yeah, makes sense. And expensive, right? I mean, that's a huge aspect of stretched costs, as it is with healthcare. It's not a cheap solution either. So yeah, I'm sure we're going to learn a lot over the next few years of what that's going to look like. But I'm just curious for you guys because you're dealing with that, and we've heard rumblings, but we're not there yet.
A lot of our clients, I think we're headed in the right direction in terms of cybersecurity and medical devices. There have been a couple of things that have maybe brought cybersecurity more to the forefront of people's minds. I think it's still not there, but like the Illumina case Trevor just mentioned, the wellness app with AI that the patient had, killing themselves. So it's like there's finally becoming some things that are happening. I think there was one case, Trevor, you mentioned some people died as well as a result of a medical device that was compromised, also, right?
Yeah, it was a ransomware attack in a blood transfusion center in the UK for critical care patients, end-of-life cancer patients, things like that. Ransomware got in, essentially it shut down everything, every single device in the network, every single computer. They were able to immediately trace and directly trace a cybersecurity attack to the death of patients as a result for, possibly for the first time, where they could directly pin that down to a cybersecurity attack as a result of patients not being able to receive treatments. So unfortunately, these are all negative cases.
So I'm hoping the positive outcome is people actually start considering cybersecurity and putting it on those roadmaps and from concept they actually consider it as well, because I know earlier, Jim, you were talking about helping with a roadmap, helping close those gaps, and avoiding the echo chamber. It seems to me if someone is concerned about getting an investor to invest in their product, that you should have, at least this is my perspective, maybe I'm wrong.
If I would invest in someone, I'd want to see the person with the best plan and the best thought-out plan that considers the main elements that would affect the success or likelihood of the success of their product going to market. So that's what I would look at. So I would think someone would want to come to you and help fill out that roadmap and say these are all the things you consider, versus just say all we're concerned about is getting an investor. We don't care about these things. It's like the opposite, you know, it should be the other way around. We care about getting investment, so obviously we care about having our roadmap and our ducks in a row so we can make the pitch appropriately.
One of the hardest challenges with founders is to make sure that they don't fall too in love with the product that they forget that there's a whole way you have to get this through to the market. I've had conversations with founders in the past where 35 minutes into the conversation, they finally take a deep breath and they stop talking about the product and all the intricacies of the product.
Again, it's great. I love your enthusiasm. But from a core standpoint of getting that product that's sitting on your computer screen you're showing me to actually being purchased and paid for, which is ultimately the goal, it's just a lack of understanding of the full process, and it's a little bit overwhelming at times. We're trying to make it bite-sized.
As a matter of fact, we're putting together some packages that are lower in cost for some of these smaller firms to help them put together some assessments to say, "Let's take a look at this so that we can help you open the hood so you at least know what you're looking at." Happy to come in and help you fix it, but you need to know what you need to do first and where you are. So we want to really take that approach, and certainly cybersecurity, which is why we love our partnership with Blue Goat, is a huge part of that.
We know what we know, and we know what we're good at, and we don't want to be a cybersecurity company. We want to partner with you guys to help us with our customers navigate that. So that's the way we kind of look at things now.
Yeah, we do something similar. We have an offering where somebody is at that concept phase where for not that much money they can get some time with us so we can tell them the things that are missing from the cybersecurity lens and get them thinking about it early on, which is much more cost-effective than forgetting about it and trying to retroactively add things later.
One of the things that you were talking about with a founder and being enamored with their own product, I get that. I get this question a lot because as an entrepreneur, people talk to me about entrepreneurship topics quite a bit as well. I think as the owner or founder, all these areas are ultimately your responsibility to figure out or have somebody else do it. But you need to know that these things need to be on a roadmap.
I think a lot of founders just automatically say, "Well, I don't need to worry about that. That's somebody else's responsibility." But I'm like, "If I'm an investor, I'm going to invest in you. It's your responsibility because it's your organization." But there's resistance to understanding that these things are things I need to take ownership of to make sure they get done.
Yeah, that's a really great point. If you watch any Shark Tank, you'll see it quickly where you can tell we're investing in you as that founder. I think sometimes it's intimidating. You don't want to come across like you don't know what you're talking about. But I think that's the perfect time to surround yourself with great partners that can help you navigate that.
We've told a number of our customers, we probably have, I'll bet, 10 to 12 customers that we're in contact with now. We put them in our "waiting for funding" category, right? They are absolutely innovative products, some really cool stuff. They're trying to raise money, but we've already had some initial conversations with them and said, "So, when you get your funding, here's how you're going to handle the regulatory approach. Here's how you're going to handle the Quality Management, here's how you're going to handle some of the submissions that you need to do so that when they do get funding, they're ready to go."
But more importantly, when they go to their investor groups, they can say, "Hey, we've already thought through this. We have a plan, and we have a partner that's going to help us navigate it, and has done it time and time again." I think that's the way to avoid a lot of problems as well as to keep your cost down, because the two most precious commodities are your time and your money. Especially as a founder in an entrepreneurial company, you have to make sure you watch those very carefully.
Do a lot of organizations come to you in that waiting for funding stage, I guess?
Yeah, we usually run into them. It's usually molecules colliding where we're at a conference or we're at a pitch event or we're, you know, they're hearing us speak at something, and they come up and say, "Hey, you know, I've got this. How do I handle this?" You know, it's usually like, it usually starts with a, they want a quick answer, right? They want something fast to say, "Well, how do we do this?"
Our answer is always like, "Be quick but don't be in a hurry." Because that's where you're going to get in trouble. So oftentimes, it's those conversations that lead to some initial due diligence with them, understanding where their current state is, getting around their mindset. That's really important as well.
I've had a couple of companies where we've gotten off calls and I've just been like, they need to kind of fall a little bit. They need to bump their head a little to understand what is going to be required because they're not willing to admit, right, that they have some issues ahead of them. We can't fix that, right? We can warn, we can sound the alarm, we can point out the information, but you have to be open to listening to the people, and certainly I'm not the subject matter expert on all of that, but my team is, and the people that we surround ourselves with, including guys like you, that we can say, "Look, these guys, this is what they do all day, every day, and have for a long, long time. Take the counsel, take the advice. You're going to be so much further along in your process." That's where we typically run into them, though. Usually it's, you know, somewhere at some event seems to be where usually that happens.
So you're running into them versus them proactively reaching out. It sounds like that's the more common scenario.
We have some that do reach out, but I would say that's expanding. You know, we've started to work with a couple of VC firms as well because they recognize the importance of, "Hey, we're the ones investing the money. We need to make sure that this product, or whatever it is that they're working on, can do what it says it can do," and that they have some gaps. So, we're starting to see some of that trickle in.
So we're getting some referrals from our VC partners as well that say, "Hey, you know, we might need some assistance with this, or this company might need some assistance." As well as in the academic space, we've been doing some work with a couple of universities that we're providing some resources to help some of these innovative centers that are kicking off to try to help bring in some coaching and support.
We've got one gig out on the West Coast where we're doing that now. Our resource, she's almost on like a retainer basis where they pull her in and out for subject matter expertise, and that's been a really, really cool thing to watch happen as well.
Yeah, that's awesome. I mean, it's very challenging to go from a physician with a brilliant idea to become an entrepreneur, a business person, and understanding this whole entire ecosystem and bringing a product to market at the right time, the right cost, the right, you know, there's a lot of factors that go into this, and the learning curve is pretty immense, and the skill sets are very different.
But to your point, Christian, I think it's really important for owners and founders to, you know, if you don't have that expertise, it, you know, I've heard before it's like when you're starting an organization and if you're the CEO, you still have to put out the organizational chart. You might do seven of those roles at first, right? You might be the CFO, COO, you're temporarily in those roles until you find somebody else to fulfill it.
Exactly. But the point is that the role still has to be done, and that's up to you to do it until you get somebody else or you grow to the point where you can afford someone else to handle that. I think that's a really important thing to stress is, make sure that you take responsibility for it, but then quickly realize, "I'm not the expert in this. I'm not a CFO. I don't know this." I mean, that's when you want to come to organizations that have that expertise.
Exactly 100%. And today, as you alluded to earlier, there's the ability to fractionalize everything. So you can hire expertise on an as-needed basis and not necessarily have to find somebody full-time. You can have a team of people fractionally that are much better than one individual, typically on a full-time basis.
As a matter of fact, it's funny, we are getting ready to launch a new group within Bio Bridges that's going to help organizations in life sciences with CFO support, with HR support on a fractional basis, because we continue to have conversations with our customers where, especially as they start to grow, they start saying, "Like we can't afford, nor should we bring on a full-time person, but boy, we could really use somebody to help us navigate these waters," and that understands the life sciences industry. So, we're trying to build that right now.
Yeah, so we're coming up on time here, so I like to ask people for last-minute words of wisdom. And Trevor, you have to say something different this time. I haven't heard Trevor's words of wisdom. Can I get two, Trevor? Maybe you're biased.
Yeah, you can get two. You can get his typical one and a new one. So, we'll start with you, Trevor. I'll put you on the spot.
All right. Well, my typical one is, "Consider cybersecurity early and often, and don't leave it to the end. It's something you should start with. You should go with cybersecurity by design all the way through." Since I'm not allowed to use that one, I'll pick a different one.
What I'm going with today is, "What you design probably is not going to be what you ship." There are too many factors that you are not considering at this point at these early phases. And that's okay. You have to go through these different cycles. You have to understand what constraints there are with the technical development side of things, what you're not able to implement to be compliant or to pass different types of testing.
All of that isn't going to be immediately apparent until you start working through this process or you start working with a company like Bio Bridges that's guiding you along the process. So be aware that your product is going to go through a lot of different iterations and cycles, and that's just part of the game.
I like that new one, Trevor. Yeah. What about you, Jim? What's your last-minute words of wisdom here or parting words of wisdom?
Yeah, you know, I would say one of my sayings that anyone who works with me knows I say this, and they're sick of it, but I'll say it anyway. "In the absence of communication, perception creeps in." I think I invented that because I can't have anybody show me that they didn't. So I've signed off saying that I created that saying. The reason I like that saying is because in what we do, in everything that we do, we still are interacting with people.
And oftentimes what we find is that some of the biggest challenges people face, our customers face, is a communication process. It's interacting with other human beings and making sure that we have open and honest and transparent communication. Because if we don't, then we start to perceive things like, "This will be fine. This will work out. There are no issues here." So really having a heart-to-heart conversation with yourself, with your partners, within the organization, your family, all of those things are super important. So, that's my parting word.
I like that. I will piggyback on what Trevor said. One of my philosophies is Kaizen, which is constant and never-ending improvement. The whole concept is when you're designing something, as Trevor said, it's probably not going to be what you shipped, but you have what you ship, end up shipping or selling. But you have to have the mindset that until I take these steps, I don't necessarily know the whole path.
The path will start illuminating as I take the steps, but I have to have the mindset like, let's take this first step, and we may not get it all figured out in the next step, but we have to take some feedback and make some corrections and apply that continuous improvement. We're not going to get it all figured out right the first time. At least that's my experience. Maybe some people do.
No, I think that's great. Yeah, it's easier to steer the car when it's moving, right? So that's the way I always think about that. But that's great.
Awesome. We'll wrap up here. I think I'm going to go take my Blue Goat mug and get some more mushroom coffee. It's before noon, Trevor, so I'm okay.
There you go. You're all good.
Well, thanks so much, Jim, for being our guest today, and we value our partnership with Bio Bridges. Thanks everyone for tuning in to the Med Device Cyber Podcast. I hope you found this episode valuable, and we'll see you on the next one.