Episode 66 · April 10, 2026 · 41m listen · 935 words · ~5 min read

Who Owns Patient Data Security in Trials with Rob Bedford, CEO of Franklyn Health | Ep. 65 - Full Transcript | The Med Device Cyber Podcast

Read the complete, searchable transcript of Episode 66 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

Prefer the listening experience? Open the episode page for the synopsis, key takeaways, topics, and Apple / YouTube listen links.

Episode summary

This episode of The Med Device Cyber Podcast features Rob Bedford, CEO of Franklyn Health, discussing the critical role of Contract Research Organizations (CROs) in medical device development. The conversation highlights the unique challenges faced by small MedTech startups, especially concerning budget constraints, speed to market, and the need for specialized expertise in clinical research. Rob explains how Franklyn Health caters specifically to these smaller entities, offering cost-effective and agile solutions for navigating clinical trials. The discussion delves into the phased approach of clinical studies, from preclinical animal studies to first-in-human and pivotal trials, emphasizing the distinct pathways for medical devices compared to pharmaceuticals. A significant portion of the episode is dedicated to the integration of cybersecurity in the product development lifecycle. The speakers stress the importance of "security by design," advocating for early consideration of cybersecurity to avoid costly and time-consuming retrofits. They explore the implications of design changes on clinical data validation and the potential for a "quicksand" effect if cybersecurity is not baked in from the outset. Further, the episode addresses the allocation of responsibility and accountability in data protection during clinical trials, clarifying the roles of manufacturers, CROs, and principal investigators. The FDA's Q-submission process is lauded as an underutilized resource for early feedback, and the challenges of patient enrollment and ensuring diversity in clinical trials are also explored. The episode concludes with a strong emphasis on early planning and a reverse-engineering approach to regulatory and commercialization strategies, particularly when aiming for global markets given varying cybersecurity and clinical trial requirements.

Key takeaways from this episode

Small MedTech startups face unique challenges in clinical trials, including budget limitations and the need for rapid development, making specialized CROs essential.
Integrating cybersecurity into medical devices from the initial design phase is crucial to prevent "quicksand" scenarios, where retrofitting security later can invalidate clinical data and significantly delay market entry.
Accountability for patient data security in clinical trials ultimately rests with the device manufacturer (sponsor), regardless of delegated responsibilities to CROs or clinical sites.
The FDA's Q-submission process is a valuable, and often underutilized, tool for gaining early feedback on regulatory and clinical strategies, significantly de-risking product development.
Planning ahead by understanding target markets and their respective regulatory and cybersecurity requirements (e.g., FDA requirements for US patient data in clinical trials) is vital for successful global commercialization.
Enrollment is the greatest challenge in clinical trials, especially for rare conditions, often requiring more sites and can lead to study failures if not addressed effectively.

Full episode transcript

The CRO will do your MedTech study, but it's not their priority. What must it be like for the small MedTech companies? You've got a very limited budget. Responsible is who's doing it, and accountable is essentially who takes the fall if something goes wrong. I did a bit of market research together with a few co-founders. We spoke to CEOs of MedTech companies, and they all said the same thing: we are just completely unheard. CROs don't care about us. You are accountable if things go well. You're accountable if things go wrong. From a cybersecurity perspective, if a manufacturer delegates somebody else to create their software and there's a problem with the software, the manufacturer is the one accountable as well. Welcome back to The Med Device Cyber Podcast. Today, we're going to talk about CROs, which are a very important part of the ecosystem for medical device manufacturers and an often misunderstood part of the ecosystem. There's a little bit of confusion if it's a contract research organization or a clinical research organization. We're going to get to the clarity on that. We have a guest here, Rob, with a CRO, a relatively new CRO. He started London, well, I guess Brighton, a little bit south of London. We have Trevor, our co-host here, coming from San Francisco as usual. You can tell by his background. I'm coming from Tempe, Arizona. I just got back from Korea and traveled for I don't know how many hours yesterday. I got up at 3:00 this morning and was a little bit jet-lagged. So welcome to the show, Rob. Maybe you could introduce yourself and tell us a little bit about what you do and what your motivation was for starting your organization. Yeah, thank you, Christian. It's a pleasure to be here. For those listening, Christian and I have met a couple of times. Most recently, we met in Dubai at WHX Dubai, and he invited me to be a guest on his podcast. I'm thrilled to be here. I'm the chief executive of Franklin Health. We are a contract research organization, sometimes called a clinical research organization, though I think it's a contract research organization. Is that the more common term? Because I've heard people use it both ways. Yeah, I mean, it's an all-encompassing term, because when you think about a CRO, I always think about organizations that do clinical trials, perhaps regulatory affairs, but it also encompasses other specialist organizations that maybe do testing or manufacturing support. So CRO is kind of a broad term in the space that we're in. You're cybersecurity, I'm in clinical research, contract research organization. CRO typically means supporting the clinical regulatory part of a medical device manufacturer's journey. Awesome. And I know you specialize in smaller startups, is that right? Yeah, that's right. From a CRO perspective, I can speculate, but I'd like to hear you say like what are the differences? What would a small startup need versus a large startup, and why are you specializing in the small ones? Yeah, it's a great question, and it gets to the heart of our mission and the foundations of our company. I started my career in academia. I was a neuroscientist, working on treatments for inherited forms of blindness, and that was my first journey into translational research. I loved it, the idea of helping patients, helping fellow man. I then took a job in the NHS as a clinical trials coordinator, so I was working with patients to explain what phase three trials were, what a placebo was, and what a randomized control trial was. It was probably the best job I ever had. You could see the hope in patients' eyes and what it really meant to be in a clinical trial, because often if you're in a clinical trial, you've not got many options available to you, and that's where I've dedicated my career ever since. To answer your question, I know I'm taking a long way to answer your question. I've always worked for large manufacturers, large Fortune 500 medical device manufacturers and diagnostics manufacturers, and I've outsourced lots of clinical studies to big CROs, to medium-sized CROs. It's clear, and everyone will agree in the MedTech industry, that the focus is on pharma because the budgets are much higher. A phase three oncology trial is orders of magnitude more expensive than medical device trials. The experience I had was okay, the CRO will do your MedTech study, but it's not their priority. I just always had this wonder in my mind: what must it be like for the small MedTech companies? You've got a very limited budget. You've got investors breathing down your neck. You've got a limited runway. So I did a bit of market research together with a few co-founders. We spoke to CEOs of MedTech companies, and they all said the same thing: we are just completely unheard. CROs don't care about us. And when we do work with a CRO, we're just not a priority because the priority is Medtronic Boston Scientific. So we started our organization to only work with this segment of the market.

1 / 2