    Episode 40 · September 30, 2025 · 44m listen · 1,621 words · ~8 min read

    Medical Device Startups and Cybersecurity Challenges with Suzy Engwall | Ep. 39 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 40 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

    Episode summary

    This episode of The Med Device Cyber Podcast features Suzy Engwall of Health Tech Strategies, who shares insights on the challenges faced by medical device startups, particularly concerning cybersecurity. Engwall, with her two decades of experience in healthcare innovation, highlights that while funding and market fit are primary concerns for startups, cybersecurity often gets overlooked until compliance becomes a hurdle for FDA approval. The discussion emphasizes the increasing scrutiny from hospitals regarding device security, often exceeding FDA requirements, especially for legacy devices. The conversation also delves into the complexities of product adoption in healthcare, including market nuances, internal politics, and the evolving role of AI in clinical decision-making. The guests debate shared liability in AI-driven diagnostics and the patient's awareness of AI use, underlining the critical need for early cybersecurity integration in product development, a risk-based approach to device security (especially for Class II and III devices), and clear communication of risks to all stakeholders, including patients. Engwall advises startups to engage with the FDA early to understand regulatory pathways and potential future claims. The episode underscores the never-ending cat-and-mouse game of cybersecurity and the importance of anticipating threats from the initial idea stage.

    Key takeaways from this episode

    • Medical device startups often deprioritize cybersecurity, focusing instead on funding and market fit, leading to potential roadblocks during FDA approval.
    • Hospitals are increasingly implementing stringent cybersecurity requirements that often surpass FDA mandates, making it difficult for even recently developed devices to gain adoption if security was not baked in from the start.
    • The integration of AI in healthcare introduces complex questions of liability and accountability for diagnostic decisions, with a current industry trend toward labeling AI tools as 'clinical decision support' rather than 'diagnosis' to mitigate liability.
    • A risk-based approach is crucial for medical device cybersecurity, differentiating needs based on potential patient harm (e.g., Class I vs. Class II/III devices) rather than solely on data privacy or technical vulnerabilities.
    • Patients generally lack awareness and engagement regarding the cybersecurity risks of medical devices, often trusting their physicians without asking critical questions about the technology being used.
    • Startups should engage with the FDA early in the development cycle to understand regulatory requirements, especially concerning product claims and future iterations, to avoid compliance issues later on.

    Full episode transcript

    Hello and welcome back to the Med Device Cyber Podcast. Today we're going to be talking about how you can get your device to market, what you need to do, the things you need to think about, and how you can make sure you're not letting cybersecurity slow you down. I'm your co-host, Trevor Slatterie, and I'm joined by our co-host, Christian Espinosa. We also have a very special guest today, Suzy Engwall. I'll let you introduce yourself. Sure. Yeah, thank you guys so much for having me. Again, I'm Suzy. I have a small consulting company called Health Tech Strategies. I've been in healthcare for about 20 years now. I actually started in lean transformation inside of a hospital, which I did for about 10 years. And it was fantastic trying to make change in healthcare, but it was really hard to do with no money, no technology, no staff, and no time. So, I made my way over to the innovation side so that we could truly make some change about 10 years ago and never looked back. So, I've done everything from setting up innovation programs at hospitals to teaching human-centered design to clinicians and physicians, to mentoring, advising startups, to working with investors, and everything kind of in between. So, I love this space. I'm very passionate about it. I have a little bit of an extra passion for pediatrics and women's health, but I'm happy to be here today. I think this topic is really interesting. I don't claim to know everything about cybersecurity, which is why I'm thankful for people like you, but I'm happy to be here today and to talk about this with you guys. Awesome. And you're coming to us from California. Is that right? Yep. Southern California. SoCal. I was born in Riverside, which is part of SoCal. Trevor is moving to California. It's kind of like, is it Central or Northern California? San Francisco Bay Area. That's kind of Northern. Northern. Yeah. Signed a lease as of Sunday. So. Oh, wow. That's huge. Yeah. Super excited. That is huge.
That's an expensive area. Yeah, it's coming from Arizona though, which is getting more expensive because everyone from California is taking over Arizona, of course. And but you know, you don't have all the weather problems. In Arizona, it's either 120 degrees or 45, and there doesn't really seem to be any in between. So, well, Phoenix, it's always warm. Yeah, Phoenix, it's always warm. And you'll love San Francisco. The climate is fantastic. Although, you might get a little bit more rain than you're used to. Yeah, and pretty big medtech scene. It seems that I was already out there enough for conferences or events or this that or the other thing. So, save myself a flight once in a while. Yeah. Love it. Love it. I really like it up there. I think I'm in Orange County, so I'm SoCal, but it is a huge medtech scene, and there's always something to do every single night. If you want to go to any kind of an investor event, you'll find one free around every corner. So, it's a fantastic place to live in this industry, for sure. That's awesome. Isn't there like a SoCal and NorCal rivalry that goes on in California? You know what? I kind of feel like there is. It's weird though because when I talk to people from Northern California, I don't necessarily feel it, but I do think there's a little bit of that. Like, I think there's a little bit of NorCal envy down here in SoCal. You know, we have a great ecosystem, but we know that the ecosystem here doesn't get together as much, isn't probably as big, especially with the investor pool as maybe Northern California is. So, I think we have a little bit of envy. You know, a lot of times I have friends that are posting about all the fun medtech events they're going to and the investor events they're going to, and I'm like, darn it, it's a short flight, but I can't make it up there tonight. So, there's a lot of things that I feel like I miss out on by not being up in the Northern California region. 
So, for me, it's more of an envy than anything. You guys get way better weather though, so at least you have. It's true. Our weather is fantastic. You can. It's always the same, isn't it? It's like 75 and sunny. Yeah. Yeah. San Diego, I have to argue, has the best. And they have a really, really good ecosystem in San Diego, too. And you'd think it's not that far away. But, you know, going anywhere in California, it takes you forever to get there.