    Episode 056 · September 30, 2025 · 44m listen

    Medical Device Startups and Cybersecurity Challenges with Suzy Engwall | Ep. 39

    Suzy Engwall
    Founder & CEO
    Health Tech Strategies

    Episode Summary

    In this episode of The Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by Suzy Engwall, a seasoned healthcare innovation consultant from Healthtech Strategies, to discuss the critical challenges and strategies for getting a medical device to market. Suzy shares her extensive 20-year background in healthcare, which began with a decade in lean transformation inside hospitals before she pivoted to the innovation sector. Frustrated by the institutional inertia and lack of resources that hampered progress within hospital systems, she now dedicates her work to helping startups and innovators navigate the complex healthcare landscape. Her experience spans setting up hospital innovation programs, teaching human-centered design to clinicians, advising startups, and working with investors, giving her a holistic view of the industry. The core of the conversation revolves around the numerous hurdles that medtech startups face, with cybersecurity emerging as a significant but often overlooked roadblock. Suzy explains that while funding is the most obvious initial challenge, the journey is fraught with other complex issues like go-to-market strategy, regulatory compliance, and reimbursement. She emphasizes that many innovators, particularly those coming from outside the healthcare industry, fail to appreciate the nuances of market adoption. A staggering 93% of medtech startups fail, and a primary reason is a lack of product-market fit. This failure stems from not just creating a great product, but understanding the intricate politics of hospital procurement, the lengthy buying cycles, and how a new device impacts existing clinical workflows and financial incentives. For example, a physician champion might love a new technology, but if it's rejected by a value analysis committee or perceived to reduce billable visits, it will not be adopted. The discussion also highlights the evolving role of cybersecurity. 
It is no longer just about protecting patient data (HIPAA compliance), but also about ensuring patient safety from threats that could manipulate a device's functionality. The hosts and Suzy note that while the FDA has recently implemented stricter cybersecurity regulations, hospitals themselves are raising the bar even higher, creating their own stringent requirements before allowing a new device onto their network. This creates a challenging environment for manufacturers, especially those with legacy devices that were not designed with modern security in mind. The conversation touches on the integration of Artificial Intelligence (AI) into medical devices, which introduces another layer of complexity concerning liability, ethics, and patient transparency. Ultimately, the episode argues that for a medical device to succeed, innovators must address regulatory, clinical, financial, and cybersecurity considerations from the earliest stages of development, rather than treating them as afterthoughts.

    Key Takeaways

    • 01 Cybersecurity is often an afterthought for medtech startups but has become a critical and non-negotiable requirement for both FDA approval and hospital procurement.
    • 02 A staggering 93% of medtech startups fail, primarily due to a lack of product-market fit and an underestimation of the complexities of market adoption in healthcare.
    • 03 Successfully selling a medical device to a hospital requires navigating long buying cycles, internal politics, and value analysis committees, which often hold more power than individual physician champions.
    • 04 The cybersecurity risk for medical devices extends beyond data breaches; it encompasses patient safety risks, where a device's core functionality could be maliciously altered.
    • 05 Hospitals are increasingly implementing their own cybersecurity standards that can be more rigorous than FDA regulations, creating another significant hurdle for manufacturers.
    • 06 Innovators must consider the entire healthcare ecosystem, including regulatory pathways, reimbursement models, and clinical workflows, from the very beginning of the design process.
    • 07 The rise of AI in diagnostics brings new challenges, particularly around liability, as it blurs the lines of responsibility between the physician, the AI developer, and the healthcare institution.
    • 08 Startups are advised to engage with the FDA early in their development process to understand what claims they can make and what regulatory hurdles, including cybersecurity, they will face.



    Transcript

    Host: Hello and welcome back to the Med Device Cyber Podcast. Today we're going to be talking about how you can get your device to market. What you need to do, the things you need to think about and how you can make sure you're not letting cyber security slow you down. I'm your co-host Trevor Slattery and I'm joined by our co-host Christian Espinosa. Uh, we also have a very special guest today, Suzy Engwall, I'll let you introduce yourself.
    Guest: Sure, yeah, thank you guys so much for having me. Um, again, I'm Suzy. Well, I, um, have a small consulting company called Healthtech Strategies. I've been in healthcare for about 20 years now. I actually started in lean transformation inside of a hospital which I did for about 10 years. And, um, it was fantastic trying to make change in healthcare, but it was really hard to do with no money, no technology, no staff and no time. Um, so I made my way over to the innovation side so that we could truly make some change, um, about 10 years ago and never looked back. So I've done everything from setting up innovation programs at hospitals to teaching human-centered design to clinicians and physicians, to mentoring and advising startups, to working with investors, and everything kind of in between. So, I love the space. I'm very passionate about it. I have a little bit of an extra passion for pediatrics and women's health. Um, but I'm happy to be here today. I think this topic is really interesting. I don't claim to know everything about cyber security, which is why I'm thankful for people like you. Um, but I'm I'm happy to be here today and uh, to talk about this with you guys.
    Host: Awesome. And you're coming to us from California, is that right?
    Guest: Yep, Southern California.
    Host: SoCal. I was born in Riverside, which is part of SoCal. Trevor is moving to California. It's kind of like, is that Central or Northern California, San Francisco Bay area? That's kind of Northern.
    Host: Yeah. I signed a lease as of Sunday. So.
    Guest: Oh wow. That's huge.
    Host: Yeah, super excited.
    Guest: That is huge. That's an expensive area.
    Host: Yeah, it's uh coming from Arizona though, which is getting more expensive because everyone from California is taking over Arizona.
    Host: Of course.
    Host: And but, you know, you don't have all the weather problems. In Arizona, it's either 120 degrees or -5 and there doesn't really seem to be any in between, so.
    Host: Well, Phoenix is always warm, yeah.
    Host: Phoenix is always warm.
    Guest: And you'll you'll love San Francisco, the climate is fantastic. Although, you might get a little bit more rain than you're used to.
    Host: Yeah. And pretty big uh med tech scene. It seems that I was already out there enough for conferences or events or this that or the other things so save myself a flight once in a while.
    Guest: Yeah, love it, love it. I I really like it up there. I think, I'm I'm in Orange County, so I'm I'm SoCal, but, um, it is a huge med tech scene and there's always something to do every single night. If you want to go to any kind of an investor event, you'll find one free around every corner. So, it's fantastic place to live in this industry for sure.
    Host: It's awesome. Isn't there like a SoCal/NorCal, like rivalry that goes on in California?
    Guest: You know what, I kind of feel like there is. It's weird though 'cause when I talk to people from Northern California, I don't necessarily feel it, but I do think there's a little bit of that like, I I think there's a little bit of NorCal envy down here in SoCal. You know, we have a great ecosystem, but we know that the ecosystem here doesn't get together as much, isn't probably as big, especially with the investor pool, um as maybe Northern California is. So I think we, I have to say, I have a little bit of envy. You know, a lot of times I have friends that are posting about all the fun Medtech events they're going to and the investor events they're going to.
    I'm like, darn it, it's, it's a short flight, but I can't make it up there tonight. Um, so there's a lot of things that I feel like I missed out on by not being up in the Northern California region. So, for me, it's it's more of an envy than anything.
    Host: You guys get way better weather though, so at least you have that.
    Guest: That is true. Our weather is fantastic. You cannot…
    Host: It's always the same, isn't it? It's like 75 and and sunny.
    Guest: Yeah. Yeah. San Diego I have to argue has the best and they have a really, really good ecosystem in San Diego too and you'd think it's not that far away, but you know, it going anywhere in California, it takes you forever to get there. If it's a 15-mile drive, you got to times that by three and that's how long it's going to take you to get there.
    Host: Awesome. So, so I know you work with, uh, Suzy, with, with startups and kind of help them with a roadmap. What is, what are some of the biggest challenges that startups face from your perspective?
    Guest: You know, I mean, I think it's everything. It starts with funding really, right? How do we get funding for our project, how do we get funding for what we're moving forward in. Um but I mean even things from go to market strategy, regulatory reimbursement, um especially people that are coming in new to the market and trying to understand what are all the pieces of the puzzle that I need to put together and how do I put them together. Um and I think cyber security when, you know, since this is kind of our topic today a little bit, is one that I don't think that startups think about as much as they should. Um and it is a challenge because it's something that for certain products you're going to have to have it for FDA approval and things like that. Um but unless there's compliance around it, sometimes it can be a bit daunting or maybe it gets completely overlooked. Um, there are definitely multiple challenges in this space.
    Um, and it all kind of starts from idea stage on. So happy to talk about any one of those topics. There's, there's no shortage for sure.
    Host: Yeah, it's interesting because, uh, we talked to a lot of investors and one of the investors that I talked to said, out of his portfolio, 7% of companies succeed. So 93% fail in Medtech. Uh, why do you think the 93% fail? It's a pretty high number. I know like in, in business in general, startups fail, but that's a pretty high number.
    Guest: It is. And I I think a lot of it comes down to how hard it is to get a product adopted in healthcare. Um, market adoption is challenging. Buying cycle times are very lengthy. So even once you are able to kind of get into the hospital, sometimes it can take some time. I often see people that have issues where maybe they have like a great physician champion who's really kind of working the system to get them in and then it's been six months and they're waiting and waiting and it's close and then that physician leaves and goes somewhere else and all of a sudden everything just gets dropped and you kind of have to start over. So there's instances like that that happen. Um, sometimes I think it's a lack of product market fit. I mean, most of the time it's a lack of product market fit, right? Not understanding where your product should really be placed within the ecosystem and not really.
    Host: Isn't it that step one though? Like knowing who's going to consume it, how are people gonna pay for it. Isn't that like kind of like step one?
    Guest: It is, but even when you think like, hey, I have a great product. So, I'll kind of give an example here. Like sometimes you can have the best thing since sliced bread that's really going to help a patient out, the physicians like it, the patients like it. But then it does something like, uh, either like call out a certain segment of caregivers.
    Like maybe it's, maybe it's somehow accidentally showcasing what nurses aren't doing right and then you get pushback from the nursing population. Or maybe it's going to interfere with a physician. Like, I actually have had a physician say out loud about a product, I will not say who because I'm not going to throw anybody under the bus. Um, you know, this product is great, but it's going to cost me billable visits, so I probably won't adopt it. And I love the level of honesty, but it also is a sad, a sad thing to hear. There's a lot of nuances, so even when you feel like you might have product market fit, you may not because there might be those little nuances that you maybe didn't think about early on.
    Host: That's interesting. I never thought about the nuances. But you're saying like the nurses might, if if a product highlights something they're not doing as great as they should, they're going to push back. So the product, even though it's solving a massive problem, is not going to get adopted because of a, basically politics.
    Guest: Yes. Yeah. So there are all kinds of internal politics. I actually had, um, marketing shoot down a product that we were going to work on for a company, for a hospital many years ago. Um, we had a, an idea that a clinician had come up with that they wanted to integrate into a hospital and we were kind of working with them to co-develop something. We got the green light from everybody and then we said, oh, let's do some PR around this, let's get marketing involved. And marketing came in and somebody in there didn't like it and it ended up shutting the whole thing down. So, luckily, we were still at the early stages. We weren't ready for market adoption yet. We were just actually going to create something. Um, but you never know who within a hospital or who within politics can kind of get in the way of these things moving forward. And so that's the, that's the challenging part and I see it every day.
    You know, I've got a product right now that, um, a physician wants in a hospital and it got shut down to the value analysis committee. So, there are these things called value analysis that, um, look at different products that are coming, and so we're trying to figure out why did value analysis not like it when it's passed value analysis with multiple other hospitals. So there's a lot of different, uh, places within an organization that these that market adoption can break down. And so it's, it's increasingly challenging to get a product in. And physician preference is not what it used to be. You know, 20 years ago, if if a physician said, I want this product, you had a high probability of getting it in or higher probability of getting it in and it's just not the same today.
    Host: I wonder why it's, I I understand all the politics and like this hospitals are owned by like a like a they're like owned by somebody else that owns like 50,000 or 50 hospitals in conjunction. So, I guess there's a lot of politics more than I thought about now now we're talking about it. And then, from a cybersecurity perspective, even though a product may pass the FDA in the United States or EU MDR, the hospitals are starting like to raise the bar. Yes. Say, you can't bring your product to our hospital unless you've proven it's actually secure. And we don't really, you know, sometimes they don't think the FDA is scrutinizing the device enough. So they want more requirements on that device from a cyber security perspective.
    Guest: Yeah, you know, and I think that's a valid argument. I think they have to, I think they have to be over, they have to scrutinize it. They have to. Um, I mean, you're talking about people's lives that are at stake, right? So, if it was my hospital, I would want to make sure that you're kind of checking off all of those boxes.
    And then, you know, you've got to think about, there's a lot of nuances just within cyber security as well and things that people maybe don't consider and think about. And I know on one of your previous podcasts, you guys talked a lot about like, you know, data is one thing, but actually like, what if somebody hacks into a device, you know? Um, I know you guys did an article before on like the whole Homeland story about somebody hacking into a pacemaker and whether or not that would really be something that could happen. It absolutely can happen. And so, I think hospitals have to worry about these things. They got to worry about whether it's a device or even just a digital health app. They've got to worry about not only securing the patient's data, but also, you know, could this device or could this app be messed with in a way that could harm the patient or, you know, maybe even cause them death.
    Host: One thing we've seen come up as an even further increased challenge for some of these manufacturers is a manufacturer of an old device and by old, pretty much anything before September 2023 when all these cyber rules became enforced, we'll try to go and sell their device into Mayo Clinic for an example. And if you're working with the current FDA guidelines, you should have a pretty good baseline for security. You might need a few extra things. But before that, it was sort of the wild west. Nobody had anything for cyber security in their devices. So now when they're trying to sell fairly recent devices, you know, only two-year-old devices, into Mayo Clinic, they say you need all these cyber security requirements. All these hospitals have the same requirements. And then the manufacturer goes, "Oh, our device is physically incapable of this. We're going to have to go back and redesign it." And that under the regulatory lens, that's been a very hard topic to navigate how we're handling legacy devices.
    But I think the hospitals are finding a way to work it out themselves by just not allowing anything that doesn't meet those standards.
    Guest: Yeah. Yeah, I think you're right about that. And I think that it's one of those things that we all have to be cognizant of because, you know, you're talking about devices that aren't that old, but things are changing fast. Especially with AI, things are changing fast. And I don't know how we're going to keep up with it. I think, you know, we're already a little bit behind. And so, in another two years from now, maybe something that passes the bar today may not pass tomorrow. So, how do you stay on top of all of these things that are changing? And I don't, I don't pretend to have the answer to that. But I think it's something that we, that we really have to think about when we're creating some type of new device in healthcare for sure.
    Host: It's a never-ending cat and mouse game in cybersecurity. And I think it'll remain that way for pretty much forever. Yeah.
    Host: Who's the cat and who's the mouse?
    Guest: That's a good question.
    Host: I think that the cat, the mouse, mouse is, the mouse would be the bad guys. The cat would be the good guys. That's the way I think of it.
    Host: I think it's the opposite. Isn't it like the cat always trying to catch the mouse?
    Guest: That is true.
    Host: Yeah, the good guys are trying to catch the bad guys. The cat's, wait.
    Guest: I said the cats the good guys the first time, right?
    Host: Yeah. That's the way it is I think, yes. The mouse is the good guy and we're trying to defend our position from the cat. And using a cartoon, uh, irrelevant cartoon is really the best way to defend any position, right?
    Host: But, but the, the, if the cat is a bad guy, the cat's always going to win because, like I said in a previous episodes, we have like a thousand doors we have to make sure are locked and shut and secure, and if one of those is left open, the bad guy, or the cat can get through. Yeah.
    And it's, it's almost an impossible scenario to make sure everything is locked and secure from a cybersecurity lens.
    Guest: Yeah, I mean, I think if somebody wants to get through bad enough, they're going to do everything they can to find a way. And that's the challenge. It's how do you combat that, right? Because you can't get into the brains of everyone around you and how they're going to try and get through. So you just have to, you know, do the best you can to think of every possible scenario.
    Host: And that's what my team does at Blue Goat. We try to, we're ethical hackers. Uh, we we try to break into the device every possible way and then work with the manufacturer to secure it. I love it. But a lot of them, you know, talk about earlier is like these legacy devices or devices that got through before, they're totally insecure, in my perspective.
    Guest: Yes. Yeah, I think I think that's a good point and I think that's one of the things that, um, for folks, any, anybody that's working on a class two or class three device really needs to be cognizant of how it could impact that patient, what kind of harm it could cause to the patient and not just the data side of things. Um, and I I don't think it's thought about enough early on at least.
    Host: So the the you're saying Trevor that we should not just consider software and a interface but also like the class of the device because obviously like class two or class three are more risky.
    Host: 100%. It's got to be a risk-based approach. We'll look at, you know, we can't even just talk about the data. If you aren't handling PHI, PII, there is less risk. If you are, if your device is a smart blood pressure cuff and that gets hacked into, it's not connected to the internet. You can't use it for starting point for ransomware or anything.
    If that smart blood pressure cuff gets hacked into and it gives you a wrong reading for your blood pressure and they can just verify it with an old analog one, what's really the risk there? So, it's a sliding scale compared to if you have a pacemaker, an infusion pump, a surgical robot, something where the slightest misstep could kill a patient. And those there's got to be zero tolerance for any risks. So, it is a bit of a sliding scale. We're looking at what is the device doing, how is it doing it, you know, different things like that all have to go into consideration. So, it's not really a one size fits all assessment. And that's why when we're scoring risk, it's based on what can you do to the patient or their data, not based on what can you do to the technology, since that will be consistent, but the patient harm will not.
    Guest: Yeah, I think that's a really good point and I think that's one of the things that um, for folks, anybody that's working on a class two or class three device really needs to be cognizant of how it could impact that patient, what kind of harm it could cause to the patient and not just the data side of things. Um, and I I I don't know that it's thought about enough early on at least.
    Host: Yeah, and ironically, with cybersecurity, nobody really cares about it unless there's a compliance driver, which there is now, the FDA and EU MDR and other organizations like mandate cybersecurity. But people still don't think about it to the very end. And the FDA, as an example, wants you to develop a product with security in mind from the beginning. So, like, waiting to the very end is doesn't work anymore. So we're trying to raise that awareness. But I I understand like if I'm an innovator, cyber security, like is the last thing I probably consider like you said Suzy because I'm trying to get funding. I'm trying to like prove my market fit.
    I'm trying to like get investors, you know, it's all these other things that are top of mind and cyber security is like the last thing, but yet, it might be the thing that roadblocks me from getting my device approved.
    Guest: Yeah, and I think I think there's a really good point. I do think a lot of like in early development, people are thinking about HIPAA compliance and maybe they're thinking about protecting data. But they're not thinking about all the other things that could happen. And I think that's where the challenge kind of comes in because it's really like, okay, I've got to be HIPAA compliant, I've got to protect my data. I've got to have enough cyber security that my data is protected. But what but what if there's other ways that they could get in and cause harm? And I think that's that's one of the challenges and how do we get people to think about it earlier? I know for me, um, I'm trying to have this conversation with startups earlier and earlier and I think the more I have conversations with people like you and the more you see presentations like the one that you that I've seen before, um, it does make me more aware of it so that I'm help hopefully advising and mentoring people in a much better way. But you're absolutely right. It unless until they get to the point where the FDA says I'm closing the door on this and most people are more busy trying to figure out how to not have to go through FDA or how to be FDA exempt than than what just comply.
    Host: What do you think Trevor? Are we getting better with uh the awareness?
    Host: Yeah, and I think the data privacy things are a really big thing that we have problems with all the time. I'll have conversations with people every week where they say we're not handling any sensitive data so why does this apply to us? I go it's not just about the data. There's more than that that can go wrong. What if your device is the starting point for a ransomware attack?
    But if you're using, you know, some critical class 3 device, an infusion pump with a vulnerability where you can cause a patient to overdose. There's a lot more than just goes into the data. And when you're looking at the FDA's definition of who has to comply with the FD&C Act for cyber regulations, there's not a single mention of what type of device or what type of data. It looks at characteristics. Can you connect to the internet? Do you have software? Is that software potentially exposed to a cyber security threat? Uh, I think that last point is a little bit silly because it's pretty much impossible to have perfectly secure software. So kind of everything.
    Host: I think that number three is uh ridiculous, yeah. It says software and you have an interface. That's all you need, that's you need to get a cybersecurity, you know, otherwise the other the last point of the FDA cyber device is ridiculous in my opinion.
    Host: I've never seen someone meet the first two points and be able to prove they don't meet the third point ever.
    Host: Exactly, exactly.
    Host: So I think that's a good good point. Um, it's an interesting topic. Uh, so Suzy, like when you consult with a innovator, given like we talked about cyber security a little bit, like what do you even, does cyber security like even like come on the radar or like what is like, I know they're trying to get funding is like number one. Yes. And then like regulatory later, maybe cyber security at the end. Like what are some of the top concerns uh that you encounter?
    Guest: Of all of the topics that people ask me about, cyber security is probably the last one. Like out of out of 100 questions, I might get one about it. So, you're absolutely right. It's not top of mind for them. It's top of mind for them when they need to comply with something in order to get their product approved. So if they have to do something for FDA, if there's something that they have to do, outside of that, it's not.
And I worry about some of these like, you know, tracking apps and things like that that maybe aren't FDA regulated at all that I'm just tracking my symptoms. But, you know, even if even if you're not promoting that that data is to be shared with your physician, people are taking that data and sharing it with a physician and physicians are making decisions on that. So if I really wanted to harm somebody, you know, what's to stop me from hacking into that app and changing the, you know, whatever whatever's in their tracker to change clinical decisions for to make make decisions differently from their physician. Um, that is something that could happen. So, you know, I think it's I think it's one of those things that has to be top of mine, and that's why I like that you're doing this podcast and making people aware of it. And when I saw your talk at LSI this year, I was like, wow, everybody needs to see this and everybody needs to hear this conversation because it is something that I'm probably asked about the least. Host: Yeah, and ironically, with cyber security, nobody really cares about it unless there's a compliance driver, which there is now, the FDA and EUDR and other organizations like mandate cyber security. But people still don't think about to the very end. And the FDA, as an example, wants you to develop a product with security in mind from the beginning. So, like waiting to the very end is doesn't work anymore. So we're trying to raise that awareness. But I understand like if I'm an innovator, cyber security like is the last thing I probably consider like you said Suzy because I'm trying to get funding. I'm trying to like prove my market fit. I'm trying to like get investors, you know, it's all these other things that are top of mind and cyber security is like the last thing, but yet, it might be the thing that roadblock me from getting my device approved. Guest: Yeah, and I think I think there's a really good point. 
I do think a lot of like in early development people are thinking about hip compliance and maybe they're thinking about protecting data. But they're not thinking about all the other things that could happen. And I think that's where the challenge kind of comes in because it's really like, okay, I've got to be hip compliant, I've got to protect my data. I've got to have enough cyber security to that my data's protected. But what but what if there's other ways that they can get in and cause harm? And I think that's that's one of the challenges and how do we get people to think about it earlier? I know for me, I'm trying to have this conversation with startups earlier and earlier and I think the more I have conversations with people like you and the more I see presentations like the one that you that I've seen before. Um, it does make me more aware of it so that I'm help hopefully advising and mentoring people in a much better way. But you're absolutely right. It unless until they get to the point where the FDA says I'm closing the door on this and most people are more busy trying to figure out how to not have to go through FDA or how to be FDA exempt than than what just comply. Host: What do you think, Trevor, are we getting better with the awareness? Host: Yeah, and I think the data privacy things are a really big thing that we have problems with all the time. I'll have conversations with people every week where they say we're not handling any sensitive data, so why does this apply to us? I go it's not just about the data. There's more than that that can go wrong. What if your device is the starting point for a ransomware attack. What if you're using some critical class device, an infusion pump with a vulnerability where you can cause a patient to overdose. There's a lot more that just goes into the data. And when you're looking at the FDA's definition of who has to comply with the FDN. 
The act for cyber regulations, there's not a single mention of what type of device or what type of data. It looks at characteristics. Can you connect to the internet? Do you have software? Is that software potentially exposed to a cyber security threat? I think that last point is a little bit silly because it's pretty much impossible to have perfectly secure software. Host: I think that number three is ridiculous, yeah. It says software and you have an interface. That's all you need, that's you need to like get a cyber security, you know, otherwise the other the last point of the FDA cyber device is ridiculous in my opinion. Host: I've never seen someone meet the first two points and be able to prove they don't meet the third point ever. Host: Exactly, exactly. Host: Yeah and the thing we talked about earlier is like these legacy devices or devices that got through before are totally insecure in my perspective. Guest: Well, it is, and I think, you know, a couple years ago, I was diagnosed or where I had six blood clots, and the doctor saw me for like 10 minutes and told me I had to take blood thinners for the rest of my life, and I like took agency over my own life because nobody could tell me why I got the blood clots. I personally think it was a COVID vaccine reason, but I decided not to take blood thinners and reclaim my health. But I think most people would probably just listen to that diagnosis after 10 minutes. AI or not involved, just like, you know, here's a diagnosis, and I think we need to, you know, society needs to evolve a little bit to take agency over their own health and think, okay, we've got AI, we have a decision, we have all these things, but ultimately it's my life and my decision about what I would decide to do, right? Guest: I think you're right. I mean, I think that's very true. And and even for even for myself, like when I go to my doctor, I pretty much take their word for what they're saying. 
Unless something just doesn't absolutely feel right to me, I'm going to believe what they're saying, I believe what they're telling me. And, um, you know, that's the hard part is, you know, how do we make sure that people are educated in understanding that they have options, understanding that they can get second opinions if they need to. But a lot of people don't even know how to navigate their insurance to do things like that. So it it snowballs into a whole other challenge, right? I know we're getting far away from the cyber security topic. Host: Well, it's okay. It's interesting interesting topic because I I wonder if people would actually listen to AI or a machine more than a human. You know, that's kind of like where we're at, what we're talking about. Guest: I think they would. and unfortunately, you know, you kind of brought up COVID and, and I think there's a little bit of distrust now going on, um, that maybe, that maybe the whole COVID pandemic made worse with people maybe not trusting everything their doctors say or maybe not trust people not trusting everything the pharmaceutical companies are telling us. And so, that may or may not be a good thing. Maybe it was going to help people take more agency over their care, which I think is a good thing. I think that's what we all should be doing like you did. Um, but it also could all could lead to other challenges where, you know, maybe we're not taking care of our health because we're not believing in our doctors when they're right. Host: And we're talking about like disclosing cyber security risks earlier. I think one of the challenges is uh, cause we we Trevor and I have talked about this in some previous episodes, like you mentioned the homeland episode and the Dick Cheney's uh defibrillator uh which was the wireless capability disabled. 
But if I am a patient and I have a implantable like a defibrillator and there are cyber security risks involved with it, do I actually like look at those risks and decide I want this implantable or like how do I, you know, analyze that and and what do I decide? Because that's kind of where we're evolving to. Even if I have a surgery and I have an autonomous surgical robot performing surgery and there's a risk associated with that robot, do I decide to have a autonomous robot perform the surgery or do I decide to have, you know, a physician manually do it? Like how how do people like make these decisions today given the the labeling of the risks? Guest: Well, it is, and I hate to say it, but I think the majority of people don't. Like they're gonna exactly they're gonna do exactly what we talked about. They're gonna trust what their physicians said. The physician says I need the surgery, they said robotic is the way to go. Um, and I don't know that they're going to ask about, if I unless you're highly educated, I don't know that you're going to ask about what cyber security challenge might you run into while you're doing this robotic surgery on me, right? Instead, you might ask like, oh, how trained are you? you know, what are the success rates, things like that, I don't think people are going to really think about that risk. And it is a risk that I think people need to think about. And most people nowadays are probably going to go say, hey, my doctor says I need this procedure and type it in chat GPT and say, what risk should I be worried about? So I'd be curious to know like what it would spit back out if it would even bring up the cyber security risk or not. Host: Yeah, I I do wonder if you're in a hospital and, you know, any device is presented to you, how many patients do you think have ever asked for labeling information for cybersecurity about the product? I would say maybe, maybe a fraction of a fraction of a fraction of a percent. 
It's in my mind mostly for the hospitals. The hospitals are the ones that should and do check these things very closely, but patients not so much. I think about it nobody's really that aware of cyber security. Nobody's super conscious of it. Once in a while it'll pop up in the news with the, you know, oil pipelines or the casino attacks or whatever it may be. But nobody's thinking about it actively. Especially not when they're thinking about their health care. They go, how good is my doctor? You know, how good is this robot? Is what's the success rate? Things like you said. So I don't think it's really at the front of many people's minds, mostly just the hospital, IT technicians. Host: If it's in the news like every single day pretty much, why are people not thinking about it? Like if I'm if I'm to get an implantable and it has wireless capability, I would certainly maybe just because I'm in cyber security, I would be concerned about somebody hacking into it. Guest: And my guess is you're seeing that news more than most people. I mean, unfortunately, we're kind of in a world where, you know, most people would rather look at their latest TikTok craze than me, than what's in the news. And I get it. Like there's many times I want to bury my head in the sand and don't want to know what's going on in the world because it can be depressing. Um, but I I do think that that that is a real challenge. And it so it's front of mind for you, but it's not for most people. And I think when it's not front of mind for you, it's something that you kind of ignore. It's kind of like that whole like when I was pregnant with my son, everyone around me was pregnant, right? And now I don't even notice people that are pregnant, right? At all. I never see I always think, oh I never see anybody that's pregnant, but I probably it was probably the same ratio back in the day. It just seemed like everyone was doing what I was doing because it was top of mind. 
And so I feel like unless it's something that you're really actively watching for in the news, you're probably not seeing about it or hearing about it. Host: I think it's also a bit of the mindset of, oh well that wouldn't happen to me, you know, that happens to the casinos, that happens to the banks. That doesn't happen to the hospitals. Even though hospitals are one of if not the largest target for cyber security attacks. So I think that's a big part of it and another part that doesn't always get discussed is often times healthcare is generally catered towards an aging population who are less conscious of these things for cyber security. They're not paying attention even if it's talking about it in the news. Host: You said it's an aging population? Like the majority of people that go to the hospital are like older people is what you're saying? Host: Healthcare in general is catered towards an aging population. That's why you see you go to any of these conferences and you hear them pitching why you should invest in Japan or Korea or China or any of these countries they're talking about the US's age growth, they're talking about everywhere's age growth. And you're going to lead into more health problems at that. And so a lot of the people who are most geared up for these services aren't aware of what the risks could be since it's just not front of mind. Guest: Yeah, I think I think that's very true and I think that it's one of those things that, you know, we're living longer than we ever have before and the longer you live, the more health problems you're going to have. And everybody right now, the big fad in the industry is to talk about longevity, to talk about, you know, how to make your life longer, how to extend life. Um, and so, you know, as we're living longer, of course, there's going to be more challenges, but you're right, I think the older we get, the further away from technology we start to get. Host: Yeah, we're yeah, we are relying on technology. 
Guest: Yes, yes, every single day. And that that's the interesting thing. I mean, but you know, when my dad passed away a few years ago, but before he passed, you know, he he was had some, you know, some forms of dementia and couldn't even use like an iPhone. Like he had a flip phone and I had to we had to write down instructions for how to make a phone call for him to look at. So, I do think once you start to have, you know, cognitive challenges when we get talk about like, you know, advanced staging, I think, you know, there's even less people that are going to ask questions and hopefully their family's advocating for them, but unfortunately, not everybody has family to advocate for them. Host: Yeah, it's a good it's a good point. Um, it's an interesting topic. Uh, so Suzy like when you consult with a innovator, given like we talked about cyber scary a little bit, like what do you even, does cyber scary like even like come on the radar or like what is like, I know they're trying to get funding. It's like number one. Yeah. And then like regulatory later, maybe cyber security at the end, like what are some of the top concerns that you encounter? Guest: Of all of the topics that people ask me about, cyber security is probably the last one. Like out of out of 100 questions, I might get one about it. So, you're absolutely right. It's not top of mind for them. It's top of mind for them when they need to comply with something in order to get their product approved. So if they have to do something for FDA, if there's something that they have to do, outside of that, it's not. And I worry about some of these like, you know, tracking apps and things like that that maybe aren't FDA regulated at all that I'm just tracking my symptoms. But you know, even if even if you're not promoting that that data is to be shared with your physician, people are taking that data and sharing it with a physician and physicians are making decisions on that. 
So if I really wanted to harm somebody, you know, what's to stop me from hacking into that app and changing the, you know, whatever, whatever's in their tracker to change clinical decisions for to make make decisions differently from their physician. Um that is something that could happen. So, you know, I think it's I think it's one of those things that has to be top of mind and that's why I like that you're doing this podcast and making people aware of it. And when I saw your talk at LSI this year I was like, wow everybody needs to see this and everybody needs to hear this conversation because it is something that I'm probably asked about the least. Host: Yeah, and ironically, with cyber security, nobody really cares about it unless there's a compliance driver, which there is now, the FDA and EUDR and other organizations like mandate cyber security. But people still don't think about it to the very end. And the FDA, as an example, wants you to develop a product with security in mind from the beginning. So, like waiting to the very end is doesn't work anymore. So we're trying to raise that awareness. But I understand like if I'm an innovator, cyber security, like is the last thing I probably consider like you said Suzy because I'm trying to get funding. I'm trying to like prove my market fit. I'm trying to like get investors, you know, it's all these other things that are top of mind and cyber security is like the last thing, but yet, it might be the thing that roadblocks me from getting my device approved. Guest: Yeah, and I think I think there's a really good point. I do think a lot of like in early development people are thinking about hip compliance and maybe they're thinking about protecting data. But they're not thinking about all the other things that could happen. and I think that's where the challenge kind of comes in because it's really like, okay, I've got to be hip compliant, I've got to protect my data. 
I've got to have enough cyber security that my data's protected. But what but what if there's other ways that they can get in and cause harm? And I think that's that's one of the challenges and how do we get people to think about it earlier? I know for me, I'm trying to have this conversation with startups earlier and earlier and I think the more I have conversations with people like you and the more I see presentations like the one that you that I've seen before, um, it does make me more aware of it so that I'm, help, hopefully advising and mentoring people in a much better way. But, you're absolutely right. It unless until they get to the point where the FDA says, I'm closing the door on this, and most people are more busy trying to figure out how to not have to go through FDA or how to be FDA exempt, than than what's just comply. Host: What do you think, Trevor? We getting better with uh the awareness? Host: Yeah, and I think the data privacy things are a really big thing that we have problems with all the time. I'll have conversations with people every week where they say we're not handling any sensitive data so why does this apply to us? I go it's not just about the data. There's more than that that can go wrong. What if your device is the starting point for a ransomware attack. What if you're using, you know, some critical class 3 device, an infusion pump with a vulnerability where you can cause a patient to overdose. There's a lot more than just goes into the data. And when you're looking at the FDA's definition of who has to comply with the FDNCA Act for cyber regulations, there's not a single mention of what type of device or what type of data. It looks at characteristics. Can you connect to the internet? Do you have software? Is that software potentially exposed to a cyber security threat? Uh, I think that last point is a little bit silly because it's pretty much impossible to have perfectly secured software. So, kind of everything. 
Host: I think that number three is uh ridiculous, yeah. It says software, in which you have a new interface. That's all you need, that's you need to get a cybersecurity, you know, otherwise the other the last point of the FDA cyber device is ridiculous in my opinion. Host: I've never seen someone meet the first two points and be able to prove they don't meet the third point ever. Host: Exactly, exactly. Host: Yeah and the thing we talked about earlier is like these legacy devices or devices that got through before, they're totally insecure in my perspective. Guest: It is, and I think, you know, a couple years ago, I was diagnosed or where I had six blood clots, and the doctor saw me for like 10 minutes and told me I had to take blood thinners for the rest of my life, and I like took agency over my own life because nobody could tell me why I got the blood clots. I personally think it was a COVID vaccine reason, but I decided not to take blood thinners and reclaim my health. But I think most people would probably just listen to that diagnosis after 10 minutes. AI or not involved, just like, you know, here's a diagnosis, and I think we need to, you know, society needs to evolve a little bit to take agency over their own health and think, okay, we've got AI, we have a position, we have all these things, but ultimately it's my life and my decision about what I would decide to do, right? Guest: I think you're right. I mean, I think that's very true. And and even for even for myself, like when I go to my doctor, I pretty much take their word for what they're saying. Unless something just doesn't absolutely feel right to me, I'm going to believe what they're saying, I believe what they're telling me. And, um, you know, that's the hard part is, you know, how do we make sure that people are educated in understanding that they have options, understanding that they can get second opinions if they need to. 
But a lot of people don't even know how to navigate their insurance to do things like that. So it snowballs into a whole other challenge, right? I know we're getting far away from the cyber security topic.
Host: Well, it's okay. It's an interesting topic because I wonder if people would actually listen to AI or a machine more than a human. You know, that's kind of like where we're at, what we're talking about here.
Guest: I think they would. And unfortunately, you know, you kind of brought up COVID and I think there's a little bit of distrust now going on, um, that maybe the whole COVID pandemic made worse with people maybe not trusting everything their doctors say or maybe people not trusting everything the pharmaceutical companies are telling us. And so, that may or may not be a good thing. Maybe it was going to help people take more agency over their care, which I think is a good thing. I think that's what we all should be doing like you did. Um, but it also could lead to other challenges where, you know, maybe we're not taking care of our health because we're not believing in our doctors when they're right.
Host: And we're talking about like disclosing cyber security risks earlier. I think one of the challenges is, uh, 'cause Trevor and I have talked about this in some previous episodes, like you mentioned the Homeland episode and Dick Cheney's, uh, defibrillator, which had the wireless capability disabled. But if I am a patient and I have an implantable like a defibrillator and there are cyber security risks involved with it, do I actually like look at those risks and decide I want this implantable or like how do I, you know, analyze that and what do I decide? Because that's kind of where we're evolving to.
Even if I have a surgery and I have an autonomous surgical robot performing surgery and there's a risk associated with that robot, do I decide to have an autonomous robot perform the surgery or do I decide to have, you know, a physician manually do it? Like how do people like make these decisions today given the labeling of the risks?
Guest: Yeah, and you know, I hate to say it, but I think the majority of people don't. Like they're going to do exactly what we talked about. They're going to trust what their physicians said. The physician says I need the surgery, they said robotic is the way to go. Um, and I don't know that they're going to ask about, unless you're highly educated, I don't know that you're going to ask about what cyber security challenge might you run into while you're doing this robotic surgery on me, right? Instead, you might ask like, oh, how trained are you? You know, what are the success rates, things like that. I don't think people are going to really think about that risk. And it is a risk that I think people need to think about. And most people nowadays are probably going to go say, hey, my doctor says I need this procedure and type it in ChatGPT and say, what risk should I be worried about? So I'd be curious to know like what it would spit back out, if it would even bring up the cyber security risk or not.
Host: Yeah, I do wonder if you're in a hospital and, you know, any device is presented to you, how many patients do you think have ever asked for labeling information for cyber security about the product? I would say maybe a fraction of a fraction of a fraction of a percent. It's in my mind mostly for the hospitals. The hospitals are the ones that should and do check these things very closely, but patients not so much. I think about it, nobody's really that aware of cyber security. Nobody's super conscious of it.
Once in a while it'll pop up in the news with the, you know, oil pipelines or the casino attacks or whatever it may be. But nobody's thinking about it actively. Especially not when they're thinking about their health care. They go, how good is my doctor? You know, how good is this robot? What's the success rate? Things like you said. So I don't think it's really at the front of many people's minds, mostly just the hospital IT technicians.
Host: If it's in the news like every single day pretty much, why are people not thinking about it? Like if I'm to get an implantable and it has wireless capability, I would certainly, maybe just because I'm in cyber security, I would be concerned about somebody hacking into it.
Guest: And my guess is you're seeing that news more than most people. I mean, unfortunately, we're kind of in a world where, you know, most people would rather look at their latest TikTok than me, than what's in the news. And I get it. Like there's many times I want to bury my head in the sand and don't want to know what's going on in the world because it can be depressing. Um, but I do think that that is a real challenge. And so it's front of mind for you, but it's not for most people. And I think when it's not front of mind for you, it's something that you kind of ignore. It's kind of like that whole, like when I was pregnant with my son, everyone around me was pregnant, right? And now I don't even notice people that are pregnant, right? At all. I always think, oh, I never see anybody that's pregnant, but it was probably the same ratio back in the day. It just seemed like everyone was doing what I was doing because it was top of mind. And so I feel like unless it's something that you're really actively watching for in the news, you're probably not seeing about it or hearing about it.
Host: I think it's also a bit of the mindset of, oh well, that wouldn't happen to me, you know, that happens to the casinos, that happens to the banks. That doesn't happen to the hospitals, even though hospitals are one of if not the largest target for cyber security attacks. So I think that's a big part of it and another part that doesn't always get discussed is oftentimes healthcare is generally catered towards an aging population who are less conscious of these things for cyber security. They're not paying attention even if it's talking about it in the news.
Host: You said aging population? Like the majority of people that go to the hospital are like older people is what you're saying?
Host: Healthcare in general is catered towards an aging population. That's why you go to any of these conferences and you hear them pitching why you should invest in Japan or Korea or China or any of these countries, they're talking about the US's age growth, they're talking about everywhere's age growth, and you're gonna lead into more health problems at that. And so a lot of the people who are most geared up for these services aren't aware of what the risks could be since it's just not front of mind.
Guest: Yeah, I think that's very true. And I think that it's one of those things that, you know, we're living longer than we ever have before and the longer you live, the more health problems you're going to have. And everybody right now, the big fad in the industry is to talk about longevity, to talk about, you know, how to make your life longer, how to extend life. Um, and so, you know, as we're living longer, of course, there's going to be more challenges, but you're right, I think the older we get, the further away from technology we start to get.
Host: Yeah, we are relying on technology.
Guest: Yes, yes, every single day. And that's the interesting thing.
I mean, but you know, when my dad passed away a few years ago, but before he passed, you know, he had some, you know, some forms of dementia and couldn't even use like an iPhone. Like he had a flip phone and I had to, we had to write down instructions for how to make a phone call for him to look at. So, I do think once you start to have, you know, cognitive challenges when we've got to talk about like, you know, advanced aging, I think, you know, there's even less people that are going to ask questions and hopefully their family's advocating for them, but unfortunately, not everybody has family to advocate for them.
Host: Hmm. Yeah, it's a good point. Um, it's an interesting topic. Uh, so Suzy, like when you consult with an innovator, given like we talked about cyber security a little bit, like what do you even, does cyber security like even like come on the radar or like what is like, I know they're trying to get funding is like number one. Yes. And then like regulatory later, maybe cyber security at the end. Like what are some of the top concerns, uh, that you encounter?
Guest: Of all of the topics that people ask me about, cyber security is probably the last one. Like out of 100 questions, I might get one about it. So, you're absolutely right. It's not top of mind for them. It's top of mind for them when they need to comply with something in order to get their product approved. So if they have to do something for FDA, if there's something that they have to do, outside of that, it's not. And I worry about some of these like, you know, tracking apps and things like that that maybe aren't FDA regulated at all, that I'm just tracking my symptoms. But, you know, even if you're not promoting that that data is to be shared with your physician, people are taking that data and sharing it with a physician and physicians are making decisions on that.
So if I really wanted to harm somebody, you know, what's to stop me from hacking into that app and changing the, you know, whatever's in their tracker to change clinical decisions, to make decisions differently from their physician. Um, that is something that could happen. So, you know, I think it's one of those things that has to be top of mind, and that's why I like that you're doing this podcast and making people aware of it. And when I saw your talk at LSI this year I was like, wow, everybody needs to see this and everybody needs to hear this conversation because it is something that I'm probably asked about the least.
Host: Yeah, and ironically, with cyber security, nobody really cares about it unless there's a compliance driver, which there is now, the FDA and EU MDR and other organizations like mandate cyber security. But people still don't think about it to the very end. And the FDA, as an example, wants you to develop a product with security in mind from the beginning. So, like waiting to the very end doesn't work anymore. So we're trying to raise that awareness. But I understand like if I'm an innovator, cyber security, like, is the last thing I probably consider like you said, Suzy, because I'm trying to get funding. I'm trying to like prove my market fit. I'm trying to like get investors, you know, it's all these other things that are top of mind and cyber security is like the last thing, but yet, it might be the thing that roadblocks me from getting my device approved.
Guest: Yeah, and I think there's a really good point. I do think a lot of, like, in early development people are thinking about HIPAA compliance and maybe they're thinking about protecting data. But they're not thinking about all the other things that could happen. And I think that's where the challenge kind of comes in because it's really like, okay, I've got to be HIPAA compliant, I've got to protect my data.
I've got to have enough cyber security that my data's protected. But what if there's other ways that they can get in and cause harm? And I think that's one of the challenges and how do we get people to think about it earlier? I know for me, I'm trying to have this conversation with startups earlier and earlier and I think the more I have conversations with people like you and the more you see presentations like the one that I've seen before. Um, it does make me more aware of it so that I'm hopefully advising and mentoring people in a much better way. But you're absolutely right. Unless, until they get to the point where the FDA says I'm closing the door on this, and most people are more busy trying to figure out how to not have to go through FDA or how to be FDA exempt than just comply.

Host: What do you think, Trevor? Are we getting better with the uh, the awareness?

Host: Yeah, and I think the data privacy things are a really big thing that we have problems with all the time. I'll have conversations with people every week where they say we're not handling any sensitive data so why does this apply to us? I go, it's not just about the data. There's more than that that can go wrong. What if your device is the starting point for a ransomware attack? What if you're using, you know, some critical class three device, an infusion pump with a vulnerability where you can cause a patient to overdose? There's a lot more that goes into it than just the data. And when you're looking at the FDA's definition of who has to comply with the FD&C Act for cyber regulations, there's not a single mention of what type of device or what type of data. It looks at characteristics. Can you connect to the internet? Do you have software? Is that software potentially exposed to a cyber security threat? I think that last point is a little bit silly because it's pretty much impossible to have perfectly secured software. So kind of everything.
Host: I think that number three is uh, ridiculous, yeah. It says software, in which you have an interface. That's all you need to get a cybersecurity, you know, otherwise the last point of the FDA cyber device is ridiculous, in my opinion.

Host: I've never seen someone meet the first two points and be able to prove they don't meet the third point ever.

Host: Exactly, exactly.

Host: So you're saying, Trevor, that we should not just consider software and an interface but also like the class of the device because obviously class two or class three are more risky.

Host: 100%. It's got to be a risk-based approach. We'll look at, you know, we can't even just talk about the data. If you aren't handling PHI, PII, there is less risk. If you are, if your device is a smart blood pressure cuff and that gets hacked into, it's not connected to the internet. You can't use it as a starting point for ransomware or anything. If that smart blood pressure cuff gets hacked into and it gives you a wrong reading for your blood pressure and they can just verify it with an old analog one, what's really the risk there? So it's a sliding scale compared to if you have a pacemaker, an infusion pump, a surgical robot, something where the slightest misstep could kill a patient. And for those there's got to be zero tolerance for any risks. So it is a bit of a sliding scale. We're looking at what is the device doing. How is it doing it? You know, different things like that all have to go into consideration. So, it's not really a one size fits all assessment and that's why when we're scoring risk, it's based on what can you do to the patient or their data, not based on what can you do to the technology since that will be consistent, but the patient harm will not.
Guest: Yeah, I think that's a really good point and I think that's one of the things that um, for folks, anybody that's working on a class two or class three device really needs to be cognizant of how it could impact that patient, what kind of harm it could cause to the patient and not just the data side of things. Um, and I don't think it's thought about enough early on at least.

Host: So if I'm a manufacturer, I would just say this is not a clinical decision support system. Yeah, but to bypass like FDA and all the other requirements.

Guest: I think that's what some people try to do and I think that's where we have to be really careful. Um, because if you're taking that data and decisions are being made, then all of a sudden it is being used as a clinical decision support tool. But if you're not marketing in that way and if you are basically making that claim like this is not to make decisions based on your health. I'm sure there's some kind of legal disclaimer verbiage that you could put on your product to ensure that you don't have to go through that FDA scrutiny, but even if you make, you know, types of claims later on down the line or somebody says something about it that works for your company that's like, hey, this doctor made this great decision because of our product. Now you're starting to cross that line, right? So it's a challenging area right now and I do think there's definitely a gray area here about what needs that extra level scrubbing and what doesn't.

Host: Yeah, and I didn't think about that until this conversation because like that in body stand thing, uh, you know, my physician at that clinic is making decisions on what to give me from a supplement perspective or hormone perspective based on the results of that device. So would that device need the same scrutiny as an implantable? You know, like as now we're talking about this, it's kind of, I don't even know what the device is. It's just a scale, right?
But it's a smart scale. But decisions are made based on the results from that scale and there's an app on my phone that tracks everything.

Guest: Well, when you say scrutiny, you mean FDA scrutiny or other types of scrutiny? Because it really depends on the claims that the manufacturer is making around that scale. So if the claims are just, I'm just giving you information to use personally and you can share it with your doctor or not share it with your doctor. We're not claiming to be a clinical decision support tool. Then maybe, maybe the scrutiny is much less. And so I think you're kind of getting into this little bit of this gray area where, um, maybe things are being used as clinical decision support and so they're not marketed or branded that way. And so maybe they don't have to have the same level of FDA approval. Uh, maybe they're FDA exempt um, because they aren't making those claims. Um, so it's really like how is a company positioning and marketing it that really kind of makes the FDA decisions around how they're scrutinizing it. So it's hard because there is definitely a gray area there. I think anybody that's using an app or any type of device to track any of their health measurements is probably reporting that to their doctor and getting advice back on it and the doctor's using that to make some clinical decisions. But there's plenty of things out there that are trackers or that are doing exactly what you're talking about that are not considered clinical decision support tools.
