    Episode 019 · April 29, 2025 · 26m listen

    Early Cyber Strategies for MedTech Trailblazers | Ep. 18

    Episode Summary

    This episode of the Med Device Cyber Podcast delves into critical cybersecurity strategies for early-stage MedTech startups and innovators. Hosts Christian Espinosa and Trevor discuss why cybersecurity is often overlooked until late in the product development cycle, leading to significant delays, increased costs, and even product abandonment. They highlight the shift in the regulatory landscape, especially after the September 2023 FDA guidance update, making cybersecurity a mandatory, not optional, consideration. The discussion emphasizes the "security by design" principle, advocating for integrating cybersecurity from the initial requirements phase rather than attempting to retrofit it later. Key topics include the importance of selecting developers with expertise in medical device standards like IEC 62304 and ISO 13485, understanding the documentation requirements for FDA 510(k) submissions, and factoring in the costs of secure development, third-party testing, and documentation early in the roadmap. The hosts also differentiate between safety and security, explaining their interconnectedness in medical device risk management, referencing ISO 14971 and AAMI TIR57. The episode serves as a vital guide for product security teams, regulatory leads, and engineers to proactively embed cybersecurity, reduce time-to-market risks, and attract investor confidence.

    Key Takeaways

    • MedTech startups should integrate cybersecurity into their product development roadmap from the beginning to avoid costly delays and potential product abandonment.
    • Selecting developers experienced in medical device standards like IEC 62304 and ISO 13485, and who prioritize "security by design," is crucial for creating secure and compliant products.
    • Early and thorough documentation, including architecture diagrams, requirement specifications, and data flow diagrams, is essential for FDA submissions and reduces rework later on.
    • Founders need to budget for secure software development, third-party penetration testing, and regulatory documentation from the outset to avoid financial overruns and gain investor confidence.
    • Cybersecurity in medical devices impacts both security and patient safety, necessitating a holistic risk management approach that considers both ISO 14971 for safety and AAMI TIR57 for security.
    • The choice of hardware components, such as microcontrollers supporting secure boot, is as critical as software considerations for overall device security and FDA compliance, especially for higher-risk devices.
    • As regulatory landscapes evolve, investors increasingly expect cybersecurity to be a foundational element of a MedTech startup's plan, viewing it as a critical factor for market success and ROI.
    • Cybersecurity is not a "one-and-done" task but an iterative process that requires continuous consideration throughout the entire product lifecycle, from design to postmarket.

    Frequently Asked Questions

    Quick answers drawn from this episode.


    • This episode covers Threat Modeling. It's part of The Med Device Cyber Podcast, hosted by Blue Goat Cyber, focused on practical medical device cybersecurity guidance for MedTech teams.

    • They highlight the shift in regulatory landscape, especially after the September 2023 FDA guidance update, making cybersecurity a mandatory, not optional, consideration. It's most useful for medical device manufacturers, cybersecurity engineers, regulatory affairs professionals, and MedTech founders preparing for FDA review.


    Hi, welcome back to the Med Device Cyber Podcast. Today we're talking about a very interesting topic: what early-stage startups in the MedTech innovation space should consider from a cybersecurity perspective. Often, cybersecurity is not considered until the very end, or right before submission, when it should be considered at the beginning, because it causes a lot of delays, frustration, and headache, and maybe the product not even making it to market, if people wait until the very end. So, we're advocating people consider it at the beginning, and we're going to talk about why that's important today. I'm your host, Christian Espinosa, I'm the founder of Blue Goat, and I've got my co-host here, Trevor. How are you doing today, Trevor?

    Not too bad. Getting ready to get to some warmer weather, but doing good.

    Warmer weather. Where's that?

    In China.

    Warmer weather in China.

    It's not going to be super warm there, but warmer than here.

    All right, perfect, awesome. So, what do you think our, I guess let's just kind of back up a little bit. What do you think the challenge is? Like, how come people, like if I'm a founder, early stage MedTech innovator, how come I don't think about cybersecurity early on? Is this just an awareness problem, or is it just not something that's on the road map typically, or what do you think the root issue is with this?

    I think there can be a ton of issues with it. Awareness is a big one. Oftentimes, you know, MedTech companies don't even know that cybersecurity is really a requirement until it's too late. This is becoming better; I feel like awareness has started to increase. People are becoming more conscious of cybersecurity as a regulatory requirement, especially after the latest guidance in September of 2023. There's been enough time for people to start catching up. It's been, gosh, about a year and a half since then, so the awareness is starting to grow. It's when a company's starting a MedTech startup; MedTech startups are very expensive, and they're prone to fail. They're often on shoestring budgets trying to, you know, build a pretty impressive product that costs millions in research and development. And so, having all of this money that you're getting in from VC funding or wherever it is, it's often immediately tied up the second it hits the account. Cybersecurity can be a little bit expensive, so manufacturers try to push it to the back burner, and they forget about it altogether, which is not the best way to go about it. It's more expensive at the end than if you do it at the beginning. And then, I think that if someone's not involved in the cybersecurity world, if they're involved in the MedTech world or the startup world, they're excited to create a product, and they're following that startup mindset of "move fast and break things." Make a product, get it out there, get feedback, refine it. That's the Silicon Valley mindset; that's the startup mindset. That's what we see so many of these companies doing, and that can be a little bit of a crutch. I think it's great for innovation for products, but you're missing important steps. And then when it finally comes time to do your 510(k) submission, your RA consultant is making sure you have all your ducks in a row, all your boxes ticked, and they say, "Okay, where's your cybersecurity documentation?" And then people go, "Oh, no, we didn't do that." And that's when they have a problem, because they've already moved too fast, and they already have their product, and they're going to need to go back and rework it.

    So, what's the, and that's what we experience the most. People wait till the very last minute to consider cybersecurity. But what is the real ramification of that? What's the impact to the Med innovator?

    So, the big thing is time to market is going to get cut pretty heavily. If you forget about cybersecurity, and God forbid you try to submit without any cybersecurity, you're going to get rejected by the FDA immediately, and you're going to enter a review cycle. So, you have a 180-day response window, and 180 days can be a little bit tight to do cybersecurity from the ground up, and so you may lose your submission window altogether. Now, if you include some cybersecurity, you try to cobble some stuff together, but it's not enough, you're still going to have to go back and refine it, work on it, and then get it back out. A functionality or a way that you're implementing a feature gets rejected as insecure by the FDA, and this is something that we've seen, especially in long development products. If a device is designed to do something in a certain way, then that functionality might be inherently insecure. The way that you're handling certificates, the way that you're connecting to EMR just inherently is bad design. Then the FDA is going to kick it back, and they say, "You can't design a feature like this. You have to rework this. You're going to go back, you need to do more research, more development, and another submission to the FDA." That's going to slash your time to market by even up to a year in a situation like that. And that's a year you could have spent selling your device, and B, you're going to have to spend a lot of money fixing that problem.

    Yeah, you bring up some good points, and we had one client, actually they did not become a client, they were a prospect. They developed their product, and they totally forgot about cybersecurity until the very end, and then they came to us and we gave them a quote, which was reasonable, I thought. And they looked at our quote, they assumed that we were going to find stuff, and they'd assumed how much it would cost for their developers to fix it, and they basically said, "You know what, we can't afford any of this. We don't have any more funding," and they abandoned this product. Which, you know, I can imagine how difficult it is if you've been developing something for like three to five years, or even longer, and all of a sudden you forgot about something. It ends up costing so much you have to abandon the project altogether. I mean, it's got to be a very frustrating scenario, but that's what they ended up doing.

    Yeah, and that can happen. MedTech startups are very prone to failure; it's a pretty volatile industry. It's a very expensive industry. Developing a product is extremely expensive. You can put together some software as a service product, and then try to put it out on the internet. You might spend, you know, ten thousand bucks on just marketing that product if you can develop it yourself. There
