    Episode 34 · December 9, 2025 · 43m listen · 8,214 words · ~41 min read

    How Cybersecurity Shapes Regulatory and Quality Success with Jim Goodmiller | Ep. 49 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 34 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of The Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by Jim Goodmiller of BioBridges to discuss the intersection of cybersecurity with regulatory and quality management in the medical device industry. Jim brings 30 years of consulting experience, with a career split between IT/technology and life sciences. His company, BioBridges, provides strategic consulting to life sciences companies, helping them navigate the journey from concept to commercialization by supplying expert resources and guidance, often on a fractional basis to suit startups and growing firms.

    The core of the conversation is the evolving medtech landscape, where cybersecurity is shifting from an IT-specific concern to a foundational component of product design, regulatory approval, and overall quality. The speakers explore the common pitfall where innovators and startups, driven by the need for funding and a focus on core product features, treat cybersecurity as an afterthought, an approach they argue is becoming untenable. Delaying security work until the end of the development lifecycle can surface thousands of vulnerabilities just before a planned submission, causing costly delays and potentially jeopardizing the entire project. The hosts and guest emphasize a 'security-by-design' philosophy that integrates security testing and risk management into every stage of development.

    The episode also covers the implications of emerging technologies such as Artificial Intelligence (AI) in healthcare. While acknowledging AI's potential, the speakers urge caution, citing real-world examples where AI has produced harmful outcomes and underscoring the responsibility and risk involved in a safety-critical industry. They point to the FDA's increasingly stringent stance on cybersecurity, evidenced by new guidance and significant legal enforcement actions such as the major settlement with Illumina over falsified security evidence. The episode closes with a clear message for all medical device manufacturers: cybersecurity is a continuous process. Whether dealing with new innovations or managing legacy devices, a proactive approach that includes early planning, iterative testing, and transparent communication is not just best practice; it is essential for patient safety, regulatory compliance, and business viability.

    Key takeaways from this episode

    • Cybersecurity in the medical device industry is no longer just an IT issue; it is a critical component of regulatory and quality compliance.
    • Many medical device startups and innovators mistakenly de-prioritize cybersecurity in favor of securing funding and product development, a risky approach that can lead to major setbacks.
    • Adopting a 'security-by-design' philosophy is crucial, meaning cybersecurity must be integrated from the concept phase and throughout the entire product development lifecycle.
    • Emerging technologies like AI carry significant risks in the safety-critical healthcare space and require extremely thorough vetting before implementation to prevent patient harm.
    • The FDA is increasing its scrutiny and legal enforcement of cybersecurity regulations, making compliance a necessity for getting and keeping a device on the market.
    • Legacy medical devices present a major challenge, as retrofitting them for modern security standards can be as resource-intensive as creating a new product.
    • For startups and smaller companies, engaging with external subject matter experts for regulatory, quality, and cybersecurity guidance on a fractional basis is a cost-effective strategy to avoid common pitfalls.
    • The process of bringing a medical device to market is complex and iterative; what is initially designed is rarely what is finally shipped due to evolving technical, regulatory, and security requirements.

    Full episode transcript

    Hello and welcome back to the Med Device Cyber Podcast. We have a very special guest today, Jim Goodmiller from over at BioBridges, and today what we're going to be talking about is cybersecurity and how it blends into regulatory and quality. I'll check in with you first, Jim. How are you doing today?

    Great, Trevor. Thanks for having me, guys. Excited to be here today.

    Awesome. Well, like I said, we're going to go into some cool stuff as far as cybersecurity and how it ties into regulatory, how it ties into quality. And I know, Jim, that's a little bit more of your space on that side of things with BioBridges. So why don't you tell us a little bit about yourself and a little bit about BioBridges on that front.

    Sure. Happy to. So, Jim Goodmiller. I'm here in the Chicago area. I've been within the consulting industry for the past 30 years. And so I've had a split personality, where about 60% of my career has been focused on IT, technology, with about 40% in life sciences. And so I've kind of bounced around and seem to go between the two based on what's going on in the world. But most recently, the last decade, it's been focused more towards the life sciences industry, and I have been working with lots of customers of all sizes, helping them navigate all of the challenges and all of the adventures that are known in our industry. So that's a little bit about me. But as far as BioBridges, BioBridges has been around for over 20 years. Our headquarters is based in Raleigh, North Carolina. We like to say that we work with companies to try to help them through their whole process from concept to commercialization by bringing in the right strategic consulting solutions, the right resources, to help them accomplish their objectives. Often times on a fractional basis, because many times that's where our clients need us to plug in. But we tend to be the organization that comes in, does some work, and then gets out. So that's kind of our approach.

    I think it's interesting, you said like a split kind of personality, I don't know the term you used, but you have a little bit of IT background and life sciences background. There's not a lot of people in life sciences, from my experience, that have an IT background.

    Yeah, it's really interesting. I mean, when I look at the way the world has evolved, I would have never thought back in the early '90s that technology coupled with life sciences would be as prevalent as it is today. But certainly we're seeing that more and more each and every day. I don't know if you guys have ever heard, there's this product out there called AI. So obviously we're seeing tremendous changes take place with AI, and within life sciences clearly there's some incredible advantages where AI will capitalize on that and help. So yeah, it's kind of an interesting approach when I start looking at how my world has kind of gone full circle. It definitely is helping in today's market.

    Yeah, Trevor and I have been talking about AI quite a bit, and I think when you're just talking about AI, there was a movie by Steven Spielberg, I think called "AI", that came out a really long time ago actually.

    Is it relevant to today? Would I put it on and feel like I'm watching history play out?

    It is relevant to today. From what I recall it's about like an AI, kind of like a human-like person, that somebody falls in love with.

    Sounds more like it. Yes. There's quite a few stories like that, I guess, but it was quite some time ago, like not too long after E.T., so that era. But one of the things that we have talked about, and I guess I'm curious to get your opinion, Jim, regarding AI: I feel the life sciences or medtech industry is not ready for AI. Maybe on some specific use cases, but not in a generic sense or general sense. And what comes to mind is this case that I know is being worked now where there's a wellness app that has AI enabled that does wellness, therapy basically. And with this app, the company that made this application, which falls really under the umbrella of a medical device, is being sued because a suicidal patient that was using this app for therapy, after two months, the app told the patient, well, you might as well go ahead and kill yourself. And the patient killed themselves. So the patient's family is suing the company that made this app.