    Episode 020 · February 4, 2025 · 30m listen

    How Trump & RFK Jr Affect AI and Medical Device Cybersecurity Guidelines | Ep. 10

    Episode Summary

    In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery from Blue Goat Cyber delve into the potential impacts of a new Trump administration, along with the influence of figures like Robert F. Kennedy Jr., on the medical device and MedTech cybersecurity landscape. The conversation begins with a lighthearted discussion about a non-FDA regulated wellness patch, which serves as a segue into the complexities and varying levels of governmental oversight in the health industry.

    The core of the episode centers on the conflicting potential policy directions. On one hand, the Trump administration is generally associated with a push for deregulation and increasing government efficiency by reducing bureaucratic overhead and staffing. On the other hand, figures like RFK Jr. advocate for making medical devices and drugs safer, which would likely necessitate more stringent and complex regulations. The hosts explore this juxtaposition, questioning how an administration could simultaneously reduce oversight while increasing safety requirements. They argue that this could create a challenging environment for medical device manufacturers, especially smaller startups. Tighter, more complex regulations, even with the goal of increased safety, often translate to longer and more expensive approval processes. This reality could inadvertently favor large, established companies that have the financial runway and dedicated regulatory teams to navigate these hurdles, while potentially stifling innovation from smaller, venture-backed startups that operate on tighter timelines and budgets. The conversation highlights that increased oversight and regulatory hurdles could lead to significant market delays, which startups can ill afford.

    Espinosa and Slattery also discuss specific rumored policy changes and their potential ramifications. A major point of concern is the proposal of imposing tariffs of up to 60% on goods imported from China. As a significant portion of medical device components are sourced from China, such a policy would drastically increase manufacturing costs, with the burden ultimately being passed on to healthcare providers and patients. Further, they touch upon the possibility of increased scrutiny on the entire supply chain, which, while beneficial for security, would add another layer of administrative complexity. The hosts also mention rumors about dismantling the Cyber Safety Review Board (CSRB) and the idea of splitting the FDA into specialized agencies for food, drugs, and devices. They conclude with practical advice for manufacturers: focus on getting regulatory submissions right the first time and adopt an agile, "early and often" product development strategy to adapt to potential market and regulatory shifts.

    Key Takeaways

    • A potential new Trump administration might introduce conflicting policies: a drive for deregulation and efficiency clashing with calls for enhanced medical device safety, which implies stricter regulations.
    • Increased regulatory complexity and oversight could make it more difficult for startups to bring products to market, potentially favoring larger manufacturers with greater resources.
    • Proposed tariffs of up to 60% on Chinese goods could severely disrupt the medical device supply chain and significantly increase the cost of healthcare technology.
    • There is speculation that the FDA could be restructured into separate, more specialized agencies for food, drugs, and medical devices, a move with uncertain consequences for efficiency.
    • The Cyber Safety Review Board (CSRB) might be dismantled, shifting more responsibility for incident response and analysis to the private sector.
    • The hosts emphasize the importance of getting regulatory submissions right the first time to avoid costly and time-consuming back-and-forths with the FDA.
    • For startups and innovators, adopting a Minimum Viable Product (MVP) strategy—getting a product to market early and iterating based on user feedback—is a crucial approach to navigate a shifting landscape.

    Christian: Hi, welcome back to the Med Device Cyber podcast. Today we're going to be talking about some of the changes that the new administration, the Trump administration and RFK Jr., some of these changes and how they affect the med-tech cybersecurity world. And there's going to be quite a few impacts, I think, uh, some positive and some negative. So I'm Christian Espinosa, I'm a co-host and we're here with Trevor, our other co-host. How's it going today, Trevor?

    Trevor: It's going pretty well. How are you doing today?

    Christian: I'm doing good. You know, I'm trying to like fix my vision. I'm sick of wearing these glasses. So I've been putting these like these little things on my back. It's supposed to like, I think it's largely BS. It's like a patch that supposedly, uh, reflects the light off your body back into your body to help your body like self-heal. I don't know how well it's working. It's called LifeWave X39. I've been doing it for a while but my vision doesn't seem to be getting any better. So it's supposed to fix your vision, we'll see. But I noticed, I looked it up, these are not FDA regulated because they're non-invasive I think is why. It's just like, it's like putting a sticker on, you probably, it's kind of stupid. I don't know. We'll see if it works.

    Trevor: Yeah, it kind of sounds like snake oil, but you never know.

    Christian: Well, it's, uh, sold by an MLM, a multi-level marketing organization, so I generally think anything sold by an MLM is not legitimate, but that could just be, you know, a fake belief of mine.

    Trevor: I'm going to go back and say it's definitely snake oil now.

    Christian: Yeah. All right, so what, um, what do you think are some of the main changes we're going to have because of the new administration with medical devices and specifically medical device cybersecurity?

    Trevor: I think it's going to be interesting to see, there are a lot of rumors floating around on what may happen or what may not happen. Um, I think some of the big things that the Trump administration in general is pushing for is reduction of inefficiencies and trying to sort of minimize where possible. Um, in regards to the FDA, the FDA has their hands in a lot of different areas and so it's a huge agency. Well, a huge agency from the impact, not from the actual size. And so I think there isn't too much more room to drive efficiency with, say, the workforce in the FDA. But a lot of the policies that they're trying to move forward are in an effort to drive efficiency. They want to see a little bit of reduction in some of the bureaucratic processes and a little bit more, um, just a little bit more of a smooth process for someone trying to submit into the FDA for a drug or for a device. I think that from practice, it might be actually more complicated from a regulatory perspective, but I guess there's no way of really knowing until we see where it goes.

    Christian: So are you, are you saying that because the Trump administration is like, ironically, anti-government a little bit, they're trying to like cut the chaff out of the government, that we're going to have less oversight?

    Trevor: I think that's their intention, but there's a big drive for greater safety in medical devices and drugs, which inherently just leads to tighter and stricter regulations.

    Christian: So, so I was thinking about this, uh, earlier. We've got Trump, that, and Musk, Elon, that want to like make the government more efficient, but then we've got RFK that wants to make the devices safer, the drugs more safer. So how do we achieve efficiency when we cut, when we want to like cut the staff but also elevate, you know, cyber security and safety and all that? What do you think about that juxtaposition?

    Trevor: I think that is the million dollar question and whoever figures that out figures out a lot of other problems as well. Um, I know RFK has said some pretty out there things in the past about the FDA, even going so far as previously saying the FDA should be abolished. So there definitely has to be a middle ground between get rid of it altogether and clamp down so much that nobody can get approved. If these regulations get tighter, my concern is that small manufacturers won't be able to get through. They won't have the runway, like a startup, VC backed, is going to start burning money trying to get regulatory approval. Where a big medical device company, they don't care if it takes them a year or two years or three years. They can keep on waiting. They have the money, they have that recurring revenue, so it's not as big of a concern to them. But again, it's still up in the air. I think, um, I think the next six months to a year will be a little bit more telling on exactly where that goes.

    Christian: Yeah, I think the delay to market or the, if there is additional requirements, uh, that's going to make it much more difficult for startup like you mentioned because, you know, they're dependent on rounds of funding. The other thing I think is impactful is, you know, Trump wants to put I think up to 60% tariffs on China, and I think a lot of the components from medical devices come from China. So this is going to increase the cost of innovation and the cost of, uh, you know, acquiring the device once it's on the market. Um, what do you think about that impact? You think that's actually going to happen or you think that's, you know, another one of these rumors?

    Trevor: I think that, you know, it's a lot of smoke and mirrors honestly, trying to just scare other countries into compliance. The same thing happened, you know, just the other day with Colombia where Trump was trying to send back, you know, deport people into Colombia. And when they were turned away, he threatened 25% tariffs and immediately that stopped.

    Christian: So you're saying these scare tactics are, they're really just scare tactics. They're not actually, like with China, this tariffs, you don't think they're going to happen?

    Trevor: I hope they're not going to happen. It's, you know, you look at just about anything in the room you're in and half of it probably says made in China.

    Christian: Yeah, but from a make America great again perspective, if we impose tariffs on China, now we can make stuff that costs less than China, and people can buy American products. Isn't that the whole concept? So we can manufacture our own components for medical devices here. Isn't that the whole concept?

    Trevor: I don't think we can make them cheaper. And why is that? All the minimum wage rules and stuff? Yeah, minimum wage rules and, you know, like worker protection laws and stuff, I don't think we can make them cheaper than China. It's just, it's a different economy, stuff's cheap out there. Um, and another big part of it is in the medical device scene specifically, China's the second largest market in the world next only to the US. And of course, China has a huge population, but US has tons of money. And so, and of course, uh, a famous healthcare system around where that money goes. But I think from a manufacturing perspective, there's a reason everything is made in China. It's super cheap, it's super efficient over there. I don't think that we're seeing the innovation really for devices come out of China. We're seeing a lot of it from France, America, Brazil. Um, but I do think it's just gonna make things more expensive all around if those 60% tariffs do happen.

    Christian: I've also heard that they're going to try to scrutinize the supply chain, which, you know, some of the components come from China, and this includes cybersecurity. So I guess this would be tightening the regulations as far as like making sure the components that make a device are safe and secure. And we kind of do that anyway. So I'm not really sure what would be different. And there might be some more administrative overhead, but from a testing perspective, uh, and software perspective, we already do that. So what do you think would might be may be different about that?

    Trevor: I think that's going to be a really interesting topic. So, you know, the hot news right now is DeepSeek and the new AI coming out of China. Um, which is of course a security nightmare for just about anyone interacting with it. Since usually AI models are taking your information and feeding it back to somewhere so that they can get better. And, you know, the information war between America and China is nothing new and they just found a way to say, 'Hey, give us all of it willingly for free.' And people are, in fact, doing it. So, I think that, you know, an example like that where a Chinese component is widely used or a Chinese device is widely used, there are a lot of security concerns around it, and a lot of, you know, government officials are pretty uptight about that issue. So I think the supply chain is going to get a lot more scrutiny. Uh, I know, um, just, I believe it was in the past day or two, Trump started talking about a big tariff on semiconductors coming out of China, which is effectively every semiconductor. So

    Christian: Well, I live here, we both live in Arizona. Um, right up the road, they're building the world's largest semiconductor factory. I mean, it's owned by a Taiwanese company, I believe, but it's actually here. So the semiconductor will be made here. I mean, I don't know if we're trying to increase the number made here or still most of them are going to be overseas.

    Trevor: I think if, you know, the US can get self-sufficiency around semiconductor production, then by all means, you know, let the tariffs happen because people are going to try to get them from China even if it's cheaper. And so the tariffs will sort of drive that into the American economy and also selfishly the Arizona economy.

    Christian: Well, that's the idea. I don't know if that fact the plant's open yet. They've been working on it for a long time. I used to live up there, um, in an RV right by that plant. It's kind of the wild west up in that area.

    Trevor: Yeah, it is.

    Christian: People are selling like ammo and stuff on the side of the road, like homemade ammo. It's kind of crazy.

    Trevor: You drive down, you see an ammo van, and then right next to it, it's the beef jerky van, and then right next to it, it's the gold panning van.

    Christian: Yeah, exactly.

    Trevor: But yeah, I know that, um, they have started production, they published their first yield results and it was competitive with Taiwanese factories. So it's a good sign for the plants in Phoenix.

    Christian: Oh, interesting. I didn't know that. Cool. And then I heard that the CSRB, uh, rumor, I don't know if it's true, it has been done away with. Is that, have you heard that as well?

    Trevor: Yeah, and that was sort of driven towards incident response and, you know, handling cybersecurity concerns like threat actors are nation-state actors, which is, you know, that's how a lot of problems in devices get identified is a breach will get identified in a certain component or like a network will get compromised, then an incident response team comes in to figure out how it got compromised, and they realize, oh, there was weird activity going on in this firewall, let's take a look at it. Oh, they exploited this brand new zero-day vulnerability in the firewall that nobody had seen before. And so this looks like the behavior of X threat group and we'll be able to, you know, provide this information out to the public so that everyone can be in general a little bit safer. Uh, taking away that ability from a government level is essentially going to throw everything into the hands of private incident response companies, which there are plenty of them and they're pretty skilled, but still, it's now becoming a nearly entirely privatized industry.

    Christian: Well, I think that's part of the initiative, right, to push stuff back to the private sector because the, I don't know, I used to work for DHS and the government and the government's not exactly great at doing a lot of these things. They're good at some things, but, you know, we've had all of our hacking tools stolen from the NSA and used against us, for instance, you know, the NSA is supposed to be the experts in cyber security. Um, and I understand like the CSRB, you know, they're focused on industrial control systems and tracking down the actual criminals doing it. But then that brings us back to the point like with the Salt Typhoon attacks, you know, that took over several US telecommunications companies, like those were tracked back to China, but what can we actually do about it? You know, we can't really do anything anyway if we try to figure out, oh, the attack came from China, what are we going to do?

    Trevor: It has to be a preventative measure. It can't be something that you try to, you know, say, oh, we found the guy who did it, let's go get him. You're not going to go get him in China. It's sanctioned over there. Same with Russia. It's sanctioned and legal. You can just do that thing.

    Christian: It's legal? Hacking's legal in China?

    Trevor: I know it is in Russia. I'm not actually sure it is in China. I think it's a little bit more of a gray area. But in Russia,

    Christian: But you get hacked, didn't you get hacked in China when you were over there?

    Trevor: Yeah, I mean, that's a whole other side of the coin though. I don't know if it's, you know, like, obviously the government can do whatever they want in China. I don't know if private companies can. I know in Russia, it's called postpaid penetration testing.

    Christian: And you get paid after you're successful?

    Trevor: Yeah, and it's just ransomware. Mm. And you know, the Russian government.

    Christian: So when you're in China, you think it was just, do you think you were targeted, um, because you work in cybersecurity or you think it would happen to anybody? Because you had your laptop hacked into and had a tracking device planted on you, didn't you?

    Trevor: I think it would just be anyone. You know, especially going to an event on healthcare and cybersecurity as the only American at the event, it's, um, a little bit of a notable distinction and you know, I was very clearly the odd one out. But I don't think.

    Christian: Well, you're like six foot four or something, aren't you? You're probably a foot taller than most people over there too.

    Trevor: Yeah, no, it's, uh, hey, I'll never lose anyone in a crowd out there. That's for sure.

    Christian: Yeah.

    Trevor: But yeah, I mean it's just a different, it's, you know, there's so many controls, there's so much authoritarian just, you know, this and that going on over there. It's a different world. And so I don't think that they're necessarily like doing anything they can to just target America by any means and try to take down the enemy. I think that America is just not very good at cyber security.

    Christian: Yeah, I would agree with that. Uh, we've had pretty much everything stolen. Yeah, anything's stolen, everything gets hacked. I mean, comparing it to China, Russia, Israel, like these, those are sort of the really skilled countries in cyber security. They're doing really impressive stuff. America seems to fall behind at every turn.

    Christian: So it sounds like, in your opinion, if I'm a large manufacturer, established manufacturer, maybe a publicly traded company with, you know, lots of, uh, money, uh, then I shouldn't be too concerned about this regulations because I've got more runway to innovate a product. But if I'm a startup that's relying on funds and getting this product to market as quickly as possible, you feel like there's some potential delays going to happen because of more oversight. Is that, is that summarize what you're saying earlier?

    Trevor: Pretty much. And so I think what a good takeaway is for the smaller manufacturers out there is get it right the first time. Um, which is, you know, of course, way easier said than done. But

    Christian: Are you gonna say your tagline?

    Trevor: Easier said than done. Yeah, that's about.

    Christian: No, the other one. What did you say?

    Trevor: Early and often.

    Christian: Early and often. Yeah.

    Trevor: Yeah, do everything early and often. So, you know, figure out what you need to do ahead of time. That should be step zero. What are the different regulatory hurdles that you need to jump through and how do you get ready for them? Um, you know, in cyber security, with clinicals, with biocompatibility, with every different aspect of a 510(k) submission, someone's going to leave some part to the end. Someone's going to forget something, something's going to slip through the cracks. It happens all the time and we see it, you know, constantly, especially with cyber security. So figuring out what is everything that's going to happen, talking to, you know, an established RA, someone who's done this before, knows what the regulations are and have them roadmap everything that you need to get done. And then doing it right the first time is really going to save a lot of time. You'll get through these regulations much quicker. You aren't going to have all this back and forth with the FDA that's going to cause a lot of delays. One other concern is the amount of manufacturing is only going up, but the staffing availability at the FDA is not going up. So having any sort of delays can cause weeks or months of review with the FDA and that's really pushing back your timeline.

    Christian: Yeah, that's a good point. And I guess preparing for that timeline and being aware of what the new regulations are is super important because then you can plan appropriately, uh, your budget, your timeline and everything else. And also maybe anticipate some delays from the FDA, uh, getting the device through the, um, agency, especially I think at this time when things are changing, the dust hasn't settled from, you know, Trump taking over and all these administrative changes.

    Trevor: Yep, and, uh, to bring back my tagline again, do everything early and often. Don't let it wait to the last minute. Um,

    Christian: Does that actually apply to everything? I know you're saying cybersecurity you do it early and often, but I don't know if that is actually applicable to everything.

    Trevor: I think that, you know, my philosophy on just manufacturing in general, try to get a product, you know, a lot of companies will spend years trying to refine and design this product before they have anything. Make something, get it through your clinicals, get a bunch of research done on it, get it approved with the FDA, and then you can work on refining it later. So build something early, and then, you know, you can make changes often to it, but try to get all of the regulatory hurdles out of the way as quickly as possible, and then you know the process, and making revisions is an easier process than just, you know, doing it the first time. So I don't think that

    Christian: I think it's not just that. It's, you're talking about, you're advocating the MVP, the minimum viable product, but it's also once there's things you don't know until you get the product on the market, right? So if you get a one iteration of the market, then you get feedback from the market, and then you can make improvements versus trying to design everything into that device and some of the people, the end users may not even want that feature that you spend all this money on, right?

    Trevor: Exactly. And so the whole, you know, continuous R&D approach during development, it's, if you know what you're doing, like if you're Stryker or Medtronic or something and you've produced tons of these devices, you're worth, you know, billions of dollars. Okay, you know what works, you know what doesn't, make it perfect, and then get it through. But if you don't, just get something through. Get feedback from users. What do they want, what do they use, what do they not care about, and then refine your product. So, I think that doing something quickly is going to become especially more important with the new, you know, potential regulatory hurdles to jump through. Not even just from a cybersecurity perspective. If the regulatory process is getting more complex, it's going to be across the field. So finding a way to just get something out, get through it quickly, I think that it's going to be a way to get some money faster and preserve your runway a little bit longer.

    Christian: I agree 100%. I, in my book, I write about Kaizen, uh, which is the Japanese word that means continuous and never-ending improvement. Uh, but it follows along the lines of the minimum viable product because you want to get something out there and then get feedback and just constantly refine it. So I guess that ties exactly into what you're saying, early and often. Uh, you know, I guess I embrace that philosophy too pretty much in everything. More than the continuous improvement philosophy, yeah. But you got to take the step and get feedback, take the next step and get feedback, you know, otherwise people never take the first step and spend lots of money and never get the product launched or never make a change in their life, right?

    Trevor: Yeah, exactly. So just build something. Just make something, you have an idea, just make it. Go for it, but don't try to go back and forth and, oh, no, it needs to be perfect. It doesn't. It needs to get out there. It needs to get approved.

    Christian: Yeah, and that, I just think about what you're saying, that some of the things that are overlooked, cuz, uh, one of our partners, uh, specializes in like, um, human factors. You know, and that's something that's, it's very challenging. Like you may think the screen should be designed this way or the instrument should be designed this way, and then you get it on the market with the MVP and you get feedback, well, it doesn't actually work the way you thought it would. The surgeon, you know, with the holding the instrument, it causes her arm to be in a weird angle. So, you know, there's all these things that I think the minimum viable product and getting that feedback is extremely important versus trying to get it all right the first time.

    Trevor: Yep. And no matter how much research you do, it is impossible to predict how a user is going to misuse your product. They will find a way. They always will.

    Christian: Well, so will the hackers, and that's where we come in to protect the product, right? There's abuse and misuse cases, right? And fuzz testing and trying to get the device to do something that is not intended to do from a malicious perspective. That's what, you know, penetration testing is really all about.

    Trevor: Oh yeah.

    Christian: Cool. All right, any, um, parting thoughts before we wrap up this episode?

    Trevor: No, I think we, you know, covered a fair amount on some of the potential hurdles that might pop up. Um, I think that manufacturers, large and small, should just be aware of changes coming through. Changes are already happening all across the government, and it's unlikely that the FDA is going to be exempt from changes. So being aware that stuff might get shaken up and being flexible enough to respond is going to be really important in the coming years.

    Christian: Awesome. Well, thanks, Trevor. Uh, thanks everyone for tuning in and we hope to see you on the next episode of the Med Device Cyber podcast.
