    Episode 59 · April 10, 2026 · 41m listen · 23,600 words · ~118 min read

    Who Owns Patient Data Security in Trials with Rob Bedford, CEO of Franklyn Health | Ep.65 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 59 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

This episode of the Med Device Cyber Podcast, hosted by Christian Espinosa and Trevor Slattery of Blue Goat Cyber, features a detailed discussion with Rob Bedford, the co-founder and CEO of Franklyn Health, a Contract Research Organization (CRO) specializing in serving the medical technology (MedTech) sector. Rob Bedford shares his journey from being a neuroscientist and working within the NHS to identifying a critical gap in the clinical research market. He explains that his company was founded to address the specific needs of small and medium-sized MedTech companies, which he observed were often deprioritized by larger CROs in favor of more lucrative pharmaceutical clients. This lack of focus often left MedTech innovators feeling unheard and struggling with limited budgets and tight timelines.

The core of the conversation revolves around the numerous challenges MedTech startups face on their path to commercialization and how a specialized CRO can assist. Rob highlights that for these smaller companies, efficiency in both cost and speed is paramount due to pressures from investors and limited financial runways. The podcast delves into the complexities of the clinical trial process, clarifying the distinction between pre-clinical (animal) studies and the different phases of clinical (human) studies, such as first-in-human feasibility trials and larger pivotal studies. A significant challenge discussed is patient enrollment, which is often the biggest hurdle in clinical research, requiring a delicate balance of finding patients who are both eligible based on strict criteria and willing to participate in trials for often untested technologies. The discussion also touches on the global nature of regulatory approvals, emphasizing that agencies like the FDA often require clinical data from a representative US patient population, meaning studies conducted solely in other regions may need to be supplemented or repeated.

A recurring theme throughout the episode is the critical importance of early and holistic planning. The hosts and guest stress that key aspects like regulatory strategy, clinical trial design, and especially cybersecurity, cannot be afterthoughts. They advocate for a "security by design" approach, where cybersecurity is integrated from the very beginning of the product development lifecycle. The speakers warn that retrofitting security measures late in the process is not only more expensive and time-consuming but can also risk invalidating previous software validation and clinical data, potentially derailing the entire regulatory submission. The conversation also clarifies the distinction between responsibility and accountability, noting that while a manufacturer can delegate the responsibility for tasks like software development or clinical trials to a CRO, the ultimate accountability for the product's safety, efficacy, and security remains with the manufacturer.

    Key takeaways from this episode

    • Small- and medium-sized MedTech companies are often a low priority for large Contract Research Organizations (CROs), which tend to focus on more profitable pharmaceutical clients.
    • The medical device manufacturer is always the accountable party for product safety and security, even if they delegate the responsibility for development or testing to a third party.
    • Early and strategic planning is critical for MedTech startups to manage limited budgets and accelerate their time to market, especially concerning clinical trials and regulatory strategy.
    • Patient enrollment is the most significant challenge in clinical research, as it requires finding individuals who meet strict eligibility criteria and are willing to participate.
    • Regulatory bodies like the FDA often require clinical data from their specific patient population, meaning research conducted abroad may need to be supplemented with local studies for market approval.
    • Implementing cybersecurity as an afterthought is a major risk; it is far more effective and less costly to follow a "security by design" principle from the start of product development.
    • Making significant software or hardware changes late in the development process can invalidate previous clinical data, potentially forcing a company to restart expensive trials.
    • There's a crucial difference between being responsible (the person doing the task) and accountable (the person who owns the outcome and takes the fall if something goes wrong).

    Full episode transcript

CROs will do your Medtech study, but it's not their priority. What must it be like for the small Medtech companies? You know, you've got a very limited budget. Responsible is who's doing it, and accountable is essentially who takes the fall if something goes wrong. I did a bit of market research, and together with a few, a few co-founders, we spoke to CEOs of Medtech companies and they all said the same thing. We are just completely unheard. CROs don't care about us. Accountable if things go well, you're accountable if things go wrong. From a cybersecurity perspective, if a manufacturer delegates somebody else to create their software, and there's a problem with the software, the manufacturer is the one accountable as well.

Hi, welcome back to the Med Device Cyber podcast. Today we're going to talk about CROs which are a very important part of the ecosystem for medical device manufacturers and an often misunderstood part of the ecosystem. There's a little bit of confusion if it's a contract research organization or a clinical research organization. So we're going to get to the clarity on that. We'll get to the point on that. Uh, we have a guest here Rob. He is with a CRO, um, relatively new CRO he started. London, or else, I guess Brighton, a little bit south of London. And we have Trevor, our co-host here. He's coming from San Francisco, as usual. You can tell by his background. I'm coming from Tempe, Arizona. I just got back from Korea. Traveled for I don't know how many hours yesterday. Got up at three this morning, so a little bit jet-lagged. So welcome to the show, Rob. Maybe you can introduce yourself and tell us a little about what you do and what your motivation was for starting your organization.

Rob: Yeah, thank you, Christian. It's a pleasure to be here. So for those listening, Christian and I have met a couple of times. Uh, most recently, we, uh, met in Dubai, um, at WHX Dubai. And, um, yeah, he invited me to be a guest of this podcast. So thrilled to be here. I'm the chief executive of Franklyn Health. We are a contract research organization. Um, sometimes called clinical research organization, though I think it's, uh, contract research organization.

Christian: Is that, is that the more common term? Because I've heard people use it both ways.

Rob: Yeah, I mean it's an all-encompassing term because when you think about a CRO, I always think about organizations that do clinical trials, uh, perhaps regulatory affairs, but it also encompasses other specialist organizations that maybe do testing or manufacturing support. So CRO is kind of a broad term. Um, in the space that we're in, uh, so you're in cybersecurity, I'm in clinical research, uh, contract research organization, CRO typically means supporting the clinical regulatory, um, part of a medical device manufacturer's journey.

Christian: Awesome. And I know you, uh, specialize in, like, smaller startups. Is that right?

Rob: Yep, that's right.

Christian: And what, from a CRO perspective, I mean I could, I could speculate, but I'd like to hear you say, like, what are the differences, like a, a small startup, like what would they need versus a large startup, and why are you specializing in the small ones?

Rob: Yeah, it's a great question, and it gets to the heart of our mission and the, the foundations of our company. So, I started my career in academia. Um, I was a, a neuroscientist, um, I was working on treatments for inherited forms of blindness. Um, and that was kind of my first journey into translational research and I loved it. The idea of helping patients, um, helping, uh, fellow man. And I then took a job in the NHS as a clinical trials coordinator. So, I was working with patients to explain what phase three trials were, what a placebo was, a randomized control trial. And it was probably the best job I ever had. And, um, you could see the hope in patients' eyes, and what it really meant to be in a clinical trial because often if you're in a clinical trial you've not got many options available to you. And that's where I've dedicated my career to ever since. So, um, I've always, to answer your question, I'm gonna, I'm taking a long way to answer your question. Um, I've always worked for large manufacturers, so I've worked for large Fortune 500 medical device manufacturers and diagnostics manufacturers. And I've outsourced lots of clinical studies to big CROs, to medium-sized CROs and it's clear, and everyone will agree in the medtech industry, that the focus is on pharma because the budgets are much higher. A phase three oncology trial is orders of magnitude more expensive than medical device trials.