    Episode 20 · May 6, 2025 · 45m listen · 6,286 words · ~31 min read

    Data Protection in Medical Devices: A Deep Dive with Kevin Derr | Ep. 19 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 20 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery welcome Kevin Derr, CEO of Neuronsphere, for a deep dive into data protection within the medical device industry. Derr, with over 20 years of experience, including significant roles at Stryker and Johnson & Johnson, discusses the unique challenges of securing medical device data and achieving regulatory compliance. He introduces Neuronsphere, a toolkit designed to empower engineers to develop data products and AI/ML algorithms for medical devices while maintaining compliance with cybersecurity and FDA regulations and with standards such as ISO 27001 and ISO 13485. The conversation highlights the critical importance of data ownership and control, contrasting Neuronsphere's approach with traditional SaaS solutions. The discussion also addresses common cybersecurity vulnerabilities such as misconfigured S3 buckets and the pervasive issue of insecure IoT devices in healthcare settings. Derr provides insights into the evolving landscape of FDA guidance, specifically the impact of recent regulations in shifting security considerations earlier into the New Product Development Process (NPDP). The episode offers vital perspectives for product security teams, regulatory leads, and engineers navigating the complex intersection of medical device innovation, data security, and regulatory adherence.

    Key takeaways from this episode

    • Owning your data and running it within your own infrastructure, as offered by solutions like Neuronsphere, simplifies compliance and enhances security by removing third-party vendors from the trust chain.
    • The medical device industry, while progressing in cybersecurity, faces unique challenges due to the primary focus on patient safety and the historically slow pace of regulatory adoption compared to other sectors.
    • New FDA guidance, effective since late 2023, is crucial in accelerating the integration of security considerations and data management earlier into the New Product Development Process (NPDP).
    • Engineers often prioritize deadlines and functionality over secure coding practices, highlighting a need for continuous emphasis on security, structured frameworks, and awareness of common vulnerabilities like misconfigured S3 buckets and insecure IoT devices.
    • Hospital networks are often vulnerable due to human factors, such as shared or easily accessible passwords, making strong data protection and cybersecurity controls paramount, even for systems assumed to be inherently secure.
    • Architecting systems for compliance from the outset, rather than trying to retrofit security measures later in the development cycle, can save significant time and resources in achieving regulatory approval and maintaining a strong security posture.

    Full episode transcript

    Hi, welcome to the Med Device Cyber Podcast. I am your host, Christian Espinosa, along with our co-host, Trevor Slattery. Today, we have a guest, Kevin Derr, from Neuronsphere. Kevin, would you like to tell us a little bit about what you do at Neuronsphere and maybe a little bit about your background in the medtech industry?

    Yeah, sure. Good morning, Christian and Trevor. I have spent the last 20-some-odd years working with data, and in the last 16 or 17 years, I have been completely focused on the medical device area. I started at Stryker, moved on from there to Auris Surgical Robotics, which got acquired by Johnson & Johnson. Then we started Neuronsphere. When we started Neuronsphere, we decided, or we were trying to give a toolkit to engineers working in the medical device industry, which they could use to develop data products. I spent the previous ten years stringing together 15, 20, 25 different SaaS companies and systems to make a data platform, and all the challenges that come with that. Then one of my architects, a gentleman named Brian Green, came to me one day and said, "Hey, I think I figured out how to make this into a product and not make it so specific to a company." Thus was born Neuronsphere. In 2020, we broke out of J&J and started Neuronsphere. The idea is to give a toolkit to engineers to help them productize their data, develop new AI/ML algorithms for their medical devices, and get them out to those medical devices, staying compliant with both cybersecurity and FDA regulations. That is what Neuronsphere is. It is a toolkit. It straddles the line between SaaS and software. We do not deploy like a typical SaaS solution. That is pretty unique to a Neuronsphere deployment. You maintain ownership of your data throughout the lifecycle of your data platform with Neuronsphere. That does a number of things from a security perspective, right? It makes things like BAAs a little bit easier because it is one vendor out of the chain of trust, right? So that is what Neuronsphere is, in its shortest description: a toolkit for engineering teams to be able to make good data products, whether it is in R or in Python or in C++. The language is not so much of a concern to Neuronsphere because Neuronsphere is about keeping your AWS infrastructure in a state of control, doing things like spinning up resources automatically when you need them. The idea is to enable engineers to be compliant without having to slow down. A Neuronsphere install takes less than two weeks, and you can be up and running and exploring your data.

    Awesome. I think it is interesting that a lot of people who have kind of broken out and started their own organization in medtech came from one of these larger companies like Medtronic or Stryker, like you mentioned, or J&J. Trevor, from your perspective, we look at protecting the data with something like Neuronsphere. I am not sure how familiar you are with it, Trevor. What do you see as some of the cybersecurity challenges with data and kind of managing the data throughout its lifecycle?

    Well, the big one, which Kevin already kind of touched upon, is if you do not maintain ownership of that data, you do not have control of where it is. If you send that into like a hosting provider or something, they might not have the same sort of controls that you would want to implement on your data protection. So, having that control over your own data is, I think, a really important point to touch on. It is really good that you guys have a solution that makes sure that you know you are not just giving the data away to someone, and they handle it a different way. That is probably one of the bigger concerns that we see from our clients trying to get through the whole cybersecurity process. They are a little bit afraid of, "Oh, well, who is getting this information?" Cybersecurity is a sensitive topic. We are giving you guys a lot of sensitive information to build out these packets. Where is it going? What is the FDA doing with it? What is that static testing tool you are doing? How is that taking our source code? So data management, data protection, and IP protection are at the forefront of everyone's mind, especially when they are coming up with a new product or working for a startup. So it is good to have some controls around that to protect it.

    Yeah, it is interesting. If I could jump in there with a little bit of a story. All of my career, whether it was Stryker, J&J, or Auris, one of the things that I struggled with as a purchaser, right, as a director of whatever I was directing at the point, even middleware back in the day when I was directing the middleware team, you always have this conversation as a medical device company with vendors. It starts out great. They have a solution, we have a problem, you know, the solution gets fixed with their, or the problem gets fixed with their solution.