¶ Intro / Opening
Welcome to the Global Medical Device Podcast, where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts and companies.
¶ Intro to guest Christian Espinosa and Blue Goat Cyber
Most medical device companies spend more time getting ready for audits than they do in the audit themselves. Greenlight Guru Quality organizes evidence by requirement, flags gaps, and keeps you ready so you don't have to get ready. See how Greenlight Guru Quality can help at www.greenlight.guru. Hey everyone, welcome back to the Global Medical Device Podcast. My name is Etienne Nichols. I'm the host for today's episode. And with me today...
To talk about cybersecurity and FDA regulatory compliance as cybersecurity relates to medical devices is Christian Espinosa, who is a leading cybersecurity expert, bestselling author, and the founder of Blue Goat Cyber, which is a company specializing in
medical device security and FDA regulatory compliance. With a background in cybersecurity engineering and leadership, Christian has helped numerous medtech innovators navigate complex cybersecurity challenges while ensuring their devices are secure and FDA compliant.
He's also the host of the MedDevice Cyber Podcast. We'll put a link in the show notes to that, where he educates manufacturers, cybersecurity professionals, and regulatory experts on the ever-evolving threats to medical devices. Christian is a veteran, a 24-time Ironman finisher...
Did I get that right? That's correct, yeah. And a keynote speaker known for his work in cybersecurity leadership and high-performance coaching. So I feel like there's lots of things we could talk about, Christian. But first of all, how are you doing today?
I'm doing pretty good. Just got back from Dubai, a conference. I feel like I'm getting a little cold, but you know, this is what happens sometimes when you travel in a plane for like 60 hours. I think it's about 30 hours door to door each direction. Amazing. How was Dubai anyway? I love Dubai. Dubai is like probably my favorite city in the world. I love Dubai. I really want to expand my company and get a presence over there.
I think they have a really good vision for the future. Things are very planned out. And it's very progressive and everyone's very collaborative. Yeah, it's awesome. So of all the cities, that's your favorite. Is there one particular thing that stands out or is it just what you already said? I think what I already said, and also the variety of things to do. They want to have the best and biggest of anywhere in the world.
So, like, they have a cool go-kart track I went on and drove on. I was going to do an F1 experience, where you get to drive a Formula One car, last time I was there, but it got canceled because apparently there was a mechanical problem with the car. But things like that, you can't just do anywhere, you know? So it's cool. Yeah. It's on my list. One of these days. When you get that, when you expand out there, maybe I can visit you for work purposes. That'd be good.
For sure. If we're going to talk about cybersecurity threats... Oh, and I didn't mention your two books that you've written as well. I'll just throw those out as well. I know you've written two books. I have not read them myself personally. I was looking at them before the interview, but one is on developing that emotional intelligence for those who are smart in the room, engineers.
I suffer from the same thing. Sometimes I want to be the smartest person in the room. It's not always the best situation. But I don't know if you wanted to just touch on your two books before we get rolling. Yeah, sure. My first book is called The Smartest Person in the Room. And it's really about my first company and my entrepreneurial journey with that company because I had a lot of challenges. And when I...
pulled back the curtain, I realized that 99.9% of my challenges were because my staff lacked emotional intelligence. And in our industry, cybersecurity, everybody wants to feel significant, but in our industry, people typically get their significance by being, you know, quote, smarter than somebody.
So this shows up with talking over somebody's head, waiting for an opportunity to tell someone they don't know what they're talking about, which results in poor client relations and poor collaboration. So I wrote that book to try to solve that challenge. Wow. I did solve it in my company, and what worked is what went into that book. Yeah, and that's... Okay, I have to ask now. How did you solve it in your company? I had to establish core values.
That was one thing. I used to think core values were kind of bogus, like integrity. Like everyone should have certain things, right? But I realized like the... challenges I have with people are because there's a core value alignment problem. Like I believe in ownership, for instance. That's one of our core values. I believe in a growth mindset. So that's one of the core values. So I added those. And then I really worked hard to fix the culture.
So what I mean by that is once I established core values, I rated people on those core values. So it wasn't just how good they were at their job, it was also the cultural fit. And some people I had to let go. And then when I hired new people, I hired them based on core value alignment first and emotional intelligence first. And only if they passed that did I bother to look at their technical skills. Yeah.
You know, degree or certification or qualifications. In the past, though, I looked at the degree, qualification, certification, I looked at all that stuff first, and I kind of like didn't even bother with the other stuff. So I flipped the script on that. Was that scary? It was... I mean, let me clarify. I would think letting those people go seems like you knew it would work, I suppose, but it seems...
Well, as a leader of an organization, you have to enforce the culture you want to create. Otherwise, it drifts drastically, and pretty soon it'll be a toxic environment, especially if you have people that are always posturing as the smartest person in the room and looking for ways to make other people feel small because they're not as rationally intelligent. And that's what I had. I had a couple of individuals like that that just did not want to change. Their ego was too...
aggressive, I guess. Yeah. I'm just impressed that you would say, okay, this is how we're going to fix this problem. And if you hit your historic way of doing it with this way, and you had some, sounds like some level of success doing that,
completely changing that seems like it would have been intimidating. But that's impressive that you went for it and succeeded. That's awesome. Well, thanks. Yeah, it was intimidating. I had to do the work myself too, because I realized that I had a lot of growth to do as well. Yeah. Your second book, let's just go ahead and hit on it. Why not? The second book is, I got a copy right here, actually. I'm using it to hold up my mic. The second book is The In Between:
Life in the Micro. It's really a focused memoir about where I've got things right and where I've got them wrong. Because I have a tendency, I had a tendency, I still have a little bit of it, to get like super focused on a macro goal, the Ironman triathlon or whatever it is. Like, I have to accomplish this big thing, and I would convince myself that that goal was so important that the things right in front of me, like my relationship,
was like secondary or my health was secondary or my finances were secondary. Like I just had these blinders on and would ignore things, and things fell apart right in front of me because I didn't pay attention. So the book is about me kind of unraveling that and realizing that I need to have a better balance. Because the reality is, if I would have paid more attention to the moments right in front of me, which I call the micro moments, some of those big goals I was going after,
I probably would have realized, like, I don't really care about that goal as much anymore. But I got so like, I got to do this no matter what. Right. That was like my blinders and the "no matter what," you know. Unfortunately, a lot of those things became realized, and relationships, like I said, fell apart and other things happened. So just striking that balance. Yeah, that's awesome. Well, we'll put links in the show notes to those if anyone's interested.
I suppose at some point we should talk about the topic that we wanted to talk about today, which is medical devices and cybersecurity. And one of the things that I suppose I'd be interested in hearing your take on is what makes... medical devices special when it comes to cybersecurity? I think there's this general, this misconception that cybersecurity is cybersecurity. Like, if you're a cybersecurity professional, you know everything about cybersecurity.
But it's very nuanced. And with like traditional cybersecurity, we're typically concerned about protecting information. Like we want to make sure your credit cards aren't stolen. Like with HIPAA, you're... you know, PHI, protected health information is not stolen. With medical device cybersecurity, it's like a little bit different lens. We certainly care about the information, but that's almost secondary to like, if we were to attack this device and compromise it.
What is the effect we could cause to a patient? If it's a surgical robot, can we, you know, paralyze a patient? If it's a laser acne treatment, can we burn the patient? If it's an in vitro diagnostic system, can we give a misdiagnosis or a false diagnosis or miss something like sepsis? So it's really not so much about the information disclosure, which is traditional cybersecurity. It's more about...
the lens of what harm can happen to a patient, which to me is much more severe, much more impactful because we're talking about people's lives. Yeah, that makes sense. And I can think of a few examples, maybe specifically, but I wonder if you have any specific examples that come to mind. Yeah, we've worked with probably 150 different devices over the years. And one of them we worked with...
And a lot of people don't think about these kinds of devices, but it's used in a med spa and it's used to treat acne. So it has a laser that kind of burns the acne, but it has a cooling mechanism as well. We were able to hack into that device, turn off the cooling mechanism and turn up the laser. So if they actually treated somebody, it burned like the hell out of their skin, basically. But people don't think about like a medical device in a med spa used for acne treatment.
So that's one of them. Another one that we've worked on is in vitro diagnostic systems, where we were able to compromise the system and cause it to give a true negative or a false negative when there's actually a true positive result. So if somebody had sepsis and this device was supposed to show they had sepsis, it would say they did not have sepsis. And you know, with sepsis, your blood is toxic. Every minute counts. That patient could die.
So those have been some pretty severe things we've looked at. Yeah. I know that medical device cybersecurity has changed over the last few years. Well, I say that. The FDA seems like they've ramped up some of the requirements for cybersecurity. There's a lot of things in the medical device industry where we say, well, you've got to start at this point. You've got to start at that point. Greenlight Guru is in quality management systems pretty heavily, and we have certain ideas as to when you should...
start building that out. I'm curious when it comes to cybersecurity, is it something that you can go back and just kind of patch on top of? When should you start building cybersecurity into your medical device?
You should start with the requirements and the design. Why is that funny? That makes sense. I'm like, well, that makes sense. Unfortunately, most people wait until like a couple months before like a 510(k) or PMA or pre-market submission before they think about cybersecurity. Yeah. And they try to like bolt it on versus designing it into the product.
And when they come to us to help them with the cybersecurity, if their submission is like 60 days away and they haven't done anything about cybersecurity, we know we're going to find thousands of vulnerabilities in some cases, which means they have to fix all those vulnerabilities, if they're critical rated or high rated, before the FDA in the U.S. will approve their device. And this 99% of the time causes delays. And it causes a lot of...
over-budget challenges as well because they weren't prepared for this. So if they would make the design, the decision early on to engage someone like my company for cybersecurity, we could help them steer away from these challenges later towards the submission. And a good example is we have one client that came to us at the very end, like 60 days typically before submission. They made a design decision to use a microcontroller
on their device that did not support secure boot. The FDA requires secure boot. So their device, to get it approved, they had to basically turn off all the functionality and make it standalone. And they had this... this LTE connection, this, you know, cellular connection, they had Bluetooth, they had all these things planned for this device. But to get it approved, because it would not support secure boot, they had to disable all that stuff.
And then the idea is that the next iteration, they'll swap out the microcontroller with one that actually supports secure boot. But we could have helped them navigate all this if they would have talked to us earlier on. Yeah, that makes total sense. I love that you, I mean, I know I laughed and it's not necessarily funny, but.
¶ FDA expectations post-September 2023: what changed
If cybersecurity is a requirement, it should totally start with the requirements. And I love that example in that the actual hardware is going to have to change in order to support the cybersecurity requirements. That's a really, that's a pretty powerful example. Yeah, and that's not a simple change, obviously. You know, I've heard and I don't, not being a cybersecurity guy or in that world.
I've heard some about the changes with FDA. Are there any above and beyond changes? You mentioned, you know, cybersecurity people think cybersecurity is just cybersecurity anywhere. And you gave the examples about how it could hurt a patient, but what about the levels that FDA requires? Are there certain things that are kind of new to the medical device world or any thoughts there? I kind of feel like the MedTech
world was kind of the Wild West until the FDA really changed the requirements in September of 2023. And now to get something approved, you actually have to do a lot of cybersecurity work. You have to have the software bill of materials, you have to do static application security testing, penetration testing, fuzz testing, and risk assessment. All this analysis you now have to do before...
Before that, cybersecurity wasn't even really on the radar too much. The FDA said you should consider it, but it wasn't like enforced. So I think now it's caught a lot of people off guard because we have large clients that have 20 different products. Before, they would get the product through the FDA, no problem. And now, it's like they're getting rejected because of all these challenges. They come to us as someone that can help them. They come to us and say,
We got this product and it got rejected and we don't know what to do because we thought we were doing cybersecurity right. And that's where we step in and they become our client and we help them with that. So it's really upped the ante. And I think the bottom line is like...
As someone on my team always says, cybersecurity is like a necessary evil. Like nobody cares about it unless it's mandated. And now people have to do it, which I believe is a good thing, especially when we're talking about patient safety.
Yeah, I would agree with that. I was talking to somebody recently and they were just talking about the number of attacks on their website a day. And it's in the thousands, and we just don't even bat an eye at that. Yeah, okay. But if you stop and think about that, your website's being attacked that many times a day. And I don't know what it is for medical devices, but I mean, it should be something that we care about if it's going to impact people we love. Yeah.
The challenge with medical devices, one of the other challenges, is they're deployed in a healthcare delivery organization's network, like a hospital. And we consider hospital networks hostile networks from the perspective of a medical device, meaning that it's just assumed that the hospital network is already compromised, which means that that medical device is going to be constantly under attack,
just like you mentioned with a web server, because there's already a threat actor on the environment in which you've placed a medical device. Wow. Yeah, that kind of blows my mind a little bit. So how do you...
Is there a difference in the approach when you have that hostile environment versus maybe another environment? No, we always assume that from a threat model perspective, that the device is going to be in a hostile environment. I mean, you can do some things like if the device requires physical access, but you still have to rely on...
the user of the device to put it in a room that nobody can just walk up to, for instance. So you have to assume your instructions are not going to be followed properly about how to set the device up. And it's just, people are going to try to compromise it. Yeah. That's why with a medical device, we have to look at every entry point into the device. If there's a thumb drive port, a USB port, an HDMI port, Bluetooth, NFC, Wi-Fi, we have to try to attack every single way into it,
assuming that somebody will get access to that port. Yeah. With that weigh-in. Not every company is likely going to engage with a company like yours, whether they should or not. But if and when they were, I'm curious what you would say. Because you talked about a company that finally did become a client or whatever, and you have to go back and work on what they were originally working on. How would you advise companies to...
move along from requirements to that submission level and to determine whether or not they need someone like you? What's the prep work that makes your life easier and makes the life easier of all cybersecurity experts? So we work with a fair number of startups, and we have a service where it's like a block of hours for consulting. So we prefer they start with us for this block of hours, which is...
not that much. We give them as many hours as we think. It's usually like less than $5,000. Yeah. And we can help them with those design decisions and the requirements, such as picking the right microcontroller. And then later on, when they're getting ready for their submission, because we offer a full-service submission package where we do all the documents and all the testing, we'll give them a discount on that submission package because we already know
we're not going to have as many issues. It's going to be less work for us because we've helped them at the very beginning. So it actually saves them a lot of money if they engage with someone like us sooner than later. But cybersecurity is also an awareness problem. A lot of people just don't know what they don't know.
What's one cybersecurity mistake that medical device companies usually make that leads to delays or compliance issues in that submission? The biggest mistake that we have seen is... what I mentioned earlier. Like, I think if I'm a MedTech innovator, I think cybersecurity equals cybersecurity. So what often happens is the MedTech innovator company, the manufacturer, will choose a traditional
penetration testing cybersecurity company. So they'll run their traditional test, which doesn't meet the requirements for the FDA. So then the manufacturer will submit the report and everything, and the FDA kicks it all back and says, wait a minute, you didn't do this, this, this, this.
Your risk matrix doesn't consider patient harm. It doesn't look at exploitability. You know, there's all these things that are unique to medical device testing that traditional cybersecurity companies don't do. So then what happens is that manufacturer, once they get all these deficiencies from the FDA, will reach out to us to address all the deficiencies. And we know what we're doing because we work with the FDA all the time.
¶ Common cybersecurity vendor mistake MedTech companies make
So I would say that's probably one of the biggest things we see all the time. We see deficiencies because a manufacturer chose a normal cybersecurity vendor, which doesn't really know anything about medical devices or regulatory affairs or the FDA. And they did their best to test the device and provide reports, but it's not sufficient. Yeah. Interesting. One of the things that I remember being a big deal out of that
2023 document or guidance from the industry was something about the SBOM. Are there pieces of advice you'd give companies when they're building out their SBOMs? SBOM has, for some reason, been a controversial topic with our clients. The SBOM is the software bill of materials. So if I create a product, I borrow bits of code and third-party libraries from other places to put into my product. But some of those third-party...
libraries or some of that code I borrow might have a vulnerability. And this has been demonstrated by like Shellshock and all these different attacks that affected many, many devices out there. The device manufacturer didn't even know that they had the vulnerability because they didn't understand that bill of materials. So the idea is to have a complete bill of materials for your device and to look at all the vulnerabilities on there.
And this bill of materials should be publicly available. Someone should be able to look at it because, as a consumer, I should be able to see what other software makes up this product I'm buying. But a lot of manufacturers we deal with... They don't want to make that public. They think it's like someone can steal their source code or reverse engineer their code, but that's not true. The SBOM is just the libraries that make up your software, that your software is composed of.
So the one issue is the vulnerabilities that are in those libraries and fixing those. The other issue that a lot of people overlook is licensing. And this could actually be a bigger issue if you're concerned about intellectual property. But if you use a third-party library that you're not technically licensed to use, or the license agreement could say, at any point in time, if you use my library, I can ask you to...
make your closed source code open source, now that reveals somebody's intellectual property. So it's not just the vulnerabilities of the third-party library, it's also the liability and the vulnerability that the company, by misusing or not fully understanding the license agreement, may have to disclose their source code. Wow. Yeah. I never would have thought about the almost litigious nature of building out an SBOM. That's really interesting. Yeah.
That's one of the things that I saw just, just from my, you know, lack of knowledge really from a cybersecurity standpoint of evolving medical devices: requiring that SBOM for a lot of companies, for a lot of devices that may not have considered themselves a software medical device, still required to build out an SBOM because they did have that connectivity and so on. Well, I think...
Like if I'm going to buy a car, I have a right to know who makes the brakes in the car, who makes the spark plugs. I have a right to know the bill of materials for the vehicle. And I think if I'm going to buy a medical device, I have that same right. Yeah. There's a whole push in the FDA to have transparency. So I can't have full transparency if I'm hiding all the components that make up my device that are open source, right? So we need to be able to disclose those.
Yeah, that makes sense. I mean, it's almost like the ingredients on a can of WD-40 or maybe a better example would be food that you eat. You want to know the ingredients. It doesn't mean you can actually recreate Louisiana hot sauce, but you want to know everything that's in there.
That's exactly right. It's a good analogy. What about the future of medical device? I mean, we've seen some of these changes in the last couple of years, and now we've seen this year administrative changes at the FDA level and so on, and the market seems to be a little bit in...
a little bit of turmoil regarding some of those things. But what about from a cybersecurity and FDA compliance standpoint? Do you see any movement or changes, maybe even from an AI standpoint? I'm curious what your thoughts are. Yeah, we see AI coming out more with devices. There's a lot of AI software as a medical device that does sort of image enhancement, like with ultrasound or MRI. Yeah.
What is a concern now is the model, the AI models, and how they're being trained and how they're being protected. Like an IVD system, we've worked with some of those that have AI. If it's not trained properly, it can give a misdiagnosis. So if you feed like an IVD system, you know, a million images of a cancerous tumor and a hundred of a non-cancerous tumor,
the model is going to be predisposed to say it's cancerous, right? So we just have to be very careful about how we train these models and where we get the data to train the models. And it opens up a whole can of worms too, because this data is not widely...
widely available. Like in some countries, it's hard to get the data. So now I'm only training the model on data from people in the United States or data from people in Europe, right? So we can't accurately train a model without the right diverse data sets. But it's hard to get this intelligence from other countries when they don't have a system that shares the bacteria or the cancer diagnosis or the data on that. So it makes the models very biased at some point as well.
Yeah, it seems like you're almost compounding the knowledge that is necessary as well when you have to go across those cross-cultural barriers. I'll use the example of maybe the
blood oxygen sensor across different skin tones, for example, and how to determine that and to distinguish between those things. I mean, you're kind of laying on new requirements almost when you really diversify across a broad spectrum, I would expect. I mean, it's just kind of me trying to feel my way through that problem. Yeah, it's that, and then there's... that's like how to
program the AI model and train it. But there's also, from a cybersecurity perspective, the different attacks on a model. You know, we can inject, we can throw tons of garbage data and it's going to throw garbage out or a misdiagnosis. We can try to evade the model and get through it. So I mean, there's lots of different attacks as well. So it really is a complex layer where there are lots of benefits, but there's also lots of downsides if we don't manage it properly.
I am curious. This is me just following my curiosity. We talk about threats and we talk about all the different ways that things can be attacked. I never really talk about where these are coming from or what's being done about that end. I don't know if you'd be able to touch on that. We can move on if you'd rather not, but I'm just curious about that. So there's two main categories. One is a directed attack and one is a non-directed attack.
Like 99% of the stuff that's going to hit a medical device is non-directed. That means it's malicious software propagating the internet, propagating the hostile hospital environment.
And if it finds a vulnerability, it's going to latch onto it and install ransomware, do whatever the threat actor is trying to accomplish. So usually they're doing something to make money, which is ransomware typically. So that's non-directed. And that's just going all the time. Like I've stood up a server in AWS before, and then within like one minute, it's been hit like 8,000 times by people trying to break into it. And I just put it up there, right? So...
This is the magnitude of these attacks going on, and most people don't think about it, but it's like people are constantly trying to get into your car. You know, they're walking to the parking lot, checking every door. And if your door is unlocked, then they're going to get in your car, right?
So that's how it is times like a million in the cybersecurity world. We just don't see it because it's virtual. So that medical device that's deployed, it's going to be attacked over and over and over and over. And if it has a vulnerability, it's going to be compromised. So that's non-directed. The other one is directed. This is where a malicious actor is intentionally targeting somebody. An example of this was like Dick Cheney, the vice president quite some time ago.
He had a pacemaker and a defibrillator. There was a legitimate threat that someone could wirelessly connect to his defibrillator and shock him to death. So he had the wireless feature disabled on his pacemaker, but that was a nation-state directed attack against a specific target, versus stuff just propagating the internet, which is the non-directed attacks. Yeah. Wow, that's interesting. Yeah.
It's amazing to me how much there is out there, but I really like that example of someone going through the parking lot just checking every door, and if yours is unlocked, I mean, it's going to happen. That makes sense. Where do you see medical device requirements or medical device cybersecurity requirements evolving,
like in the next five or 10 years? Any changes you see coming? Well, since the FDA has made the changes and other areas have followed, like MDR, I think the requirements are going to improve from a cybersecurity perspective and the controls are going to improve. I still think, though, we're going to have the same challenges where people wait till the last minute. Because from my experience, and I've been doing this for like 30 years, is...
software developers do not understand cybersecurity. And a lot of people assume that this technical developer understands security, but that is not the case. Maybe 1% of the... developers I've met understand cybersecurity. So until we solve that problem, which is further down at the root, we're going to continue to have this problem because the bottom line is software developers develop sloppy code from a security perspective, and it's not their...
job necessarily to break into their device. It's their job to build the device. But it's our job as penetration testers and hackers to break into the device and make it do things it wasn't intended to do. Whereas the developer, their job is to make it do what it's supposed to do from a functionality perspective. So there's different skill sets. But until we close that gap, I think, you know, five years, 10 years down the road, nothing's going to change.
It's still going to be sloppy code from a security perspective, and people are going to wait to the very end. And then we come on and try to bolt cybersecurity onto something. I think we're slowly progressing where people actually consider cybersecurity at the design and the requirements.
point of view but you know i like i said i've been doing this for a while and this is like very slow changes yeah how do you how do you see like if i was a the owner of a medical device company and i have a software team they're working on it Outside of having a company come in and kind of go through and look at our requirements, add some of those requirements, evaluate some of the software-related hardware and firmware, what would be the answer to close that gap?
Besides just hiring a cybersecurity expert in, is there, well, maybe that's an option. What do you think would be the solution to close that gap if you could do anything? I think a solution to close the gap, if I am the person with the idea and I'm outsourcing my product to be developed by someone, the solution is to ask them how they develop software. Ask them how they do their...
CI/CD pipeline and ask them if they do secure software development. And ask those questions at the beginning, because the answer will probably surprise most people: the answer is typically they don't know what you're talking about when you say secure software development. If you can find a software development company that actually has a process where they develop the software, they test it for security, they develop it, test it, you know, like some iterative process where it's gated,
and it's a pipeline that has security built in, that's the company to choose to develop your software. So I think a lot of it is just having that awareness of what questions to ask because... Typically, if you ask a better question, you get a better answer, right? But often we don't know what question to ask. Yeah. Our audience is primarily composed of quality and regulatory professionals. And I wonder what advice you would give to them.
that they would benefit from knowing about cybersecurity when it comes to their roles in quality, whether it's... quality assurance, building out their quality management system, et cetera, and the regulatory professionals who are working directly with the product development, et cetera. What are the things that they need to know about cybersecurity that would make their lives easier and better?
We work with a lot of RAQAs as well. I think one of the things that needs to be understood is it's going to take much longer than you anticipate. Just like we're used to... Biocompatibility studies, animal studies, sterilization studies, all these other studies that take a long time. Cybersecurity should be linked in there, too, to take a long time. I think in the past, it was kind of an afterthought because it really wasn't enforced. But now...
I think if I was an RA or QA, I would want to make sure on my timeline for a submission, I consider cybersecurity going to take six months at least. Because the assumption is... Whoever we hire to do cybersecurity is going to find things that are broken, find vulnerabilities. And the longest part of this process for us is how long it takes the client to fix the things we identify. We have one client.
in Europe where we found 6,000 vulnerabilities because they waited until the last minute. Yeah. It's been almost a year and they still haven't fixed those 6,000 things, and they're getting frustrated. They're like, we're just going to submit it to the FDA. And they were like, you can do that, but it's going to get rejected because the FDA wants to see evidence that you've fixed the things and mitigated them. So if they would have started earlier, like in that
requirements or design phase, we could have helped them ward off those 6,000 vulnerabilities, which doesn't sound like a big deal. But if you're a company trying to bring something to market and it's delayed for a year, your investors are going to get pissed off at you. Your time to market is...
dwindling, and it's very costly, right? And in some cases we had a couple of companies that, after we tested their stuff, there were so many vulnerabilities they decided to abandon the project. Wow. This is like four years of work in someone's life, and
you forgot about this until the last minute. Now you're just going to abandon the project. We're like, yeah, we can't afford to fix these things. Yeah. So, I would say, sooner rather than later; it's going to take a long time. And it is a bigger problem than most people realize. Could you kind of walk through the, when, I mean.
Ideally, you would have cybersecurity people working alongside the project the entire time. I almost look at it like you mentioned those sterility, biocompatibility, et cetera. You have to design that into the project. So, I mean, really, it's part of the product. And it's not just something you, I'm going to put in the requirements. I'll test it later. It's, I mean, it's part of the product. But that being said.
¶ AI in medical devices: data bias and cybersecurity challenges
Those are a little bit easier for me to understand. I put those into the product. We've chosen materials. I mean, microprocessor might be a good example, but we've chosen materials that are the biocompatible, et cetera. And we worked through the...
product testing, and now we get to this other testing, which is sterility, biocompatibility. Would you equate it kind of similarly, like now I put it in the hands of a... for verification and validation, or cybersecurity? Or what does that process actually look like? The process is a little bit different than what you described. That's more, you have this block of time you work on sterility or biocompatibility. With cybersecurity, I think it needs to be iterative.
You have your team that's developing the software. At various points of that development, we should do the testing. That way we don't wait to the very end and find those 6,000 things. We might find 15 things towards the beginning in an iteration of testing, and we can have them fix those root issues, and later the code is better the next time we test it. So it should be an iterative approach
versus a block of time when we do this one thing. And the iterative approach could be like once a quarter, our cybersecurity organization tests our software as it's being developed. And that'll ward off a lot of the challenges as well. Yeah, that's helpful. Okay, I'm glad I asked. Even though my example is wrong, I'm even more glad because of that. So that's great. What's one piece of advice that you give?
Medical device professionals ensuring cybersecurity in medical devices. Just one piece of advice. To give the medical device professionals? Yeah, as it relates to cybersecurity and so on. I think it's... I mean, medical device professionals is a big audience. If it's like an innovator or an investor, which are two of the biggest in the ecosystem that are bringing a product to market, I think it's extremely important to take ownership
of cybersecurity. A lot of people just like to tune out when they hear cybersecurity. But if I tune out and don't pay attention and it's not on my timeline, it's not funded for, then it's going to cost me a lot of money and a lot of time, and maybe some embarrassment or whatever else. So I think taking ownership of it, it's no different than a small business owner. I think they should take ownership of cybersecurity, at least learning about it enough where you can make intelligent decisions.
Because a lot of people with small businesses tune out as well. Like, oh, I don't understand that. But just like you have to understand marketing or sales or insurance or human relations or HR, you probably should understand a little bit about cybersecurity. But people...
across every industry, tend to just tune out about it. I think that's largely related to what I wrote my first book about, where in the industry of cybersecurity, we've, like, overly complicated it with all these acronyms, all these complicated frameworks. It's actually a lot simpler. The problem is most people don't know how to explain it in simple terms. So when we start talking to a cybersecurity person, it's like...
It's like at a cocktail party. Nobody wants to talk to that person because they're going to start talking this robot talk, as someone used to say. And it's like 12 sentences with all acronyms. And you're going to be like, I don't know what they just said, but I don't want to talk to that person anymore. We have to improve how we communicate in cybersecurity. But on the flip side, as a professional, we need to take some ownership and learn about it.
Not as much as we can, but enough to be effective at our decision making. Yeah. I think the medical device industry in general sort of shares that same issue that you described about the cocktail party. I mean, what? Why are we making this so complicated? It's their devices, but we have to make sure they're safe and effective. And that's the layer that is required.
Really good conversation. I appreciate you explaining all these things and putting up with me what I consider myself a layperson when it comes to cybersecurity. But you actually inspire me. I mean, I'm not going to lie. The analogy with the person walking through the...
parking lot, just checking every door, is just really ringing true with me. So that's really maybe inspiring me a little bit to look more into it. Where can people go to find you and what you're doing? They can go to my company page, bluegoatcyber.com. LinkedIn. LinkedIn's a good place. We have some content going out every single day. We have short videos going out every day. We started to talk about this
when I visited your podcast, but I don't know that you told me: why Blue Goat Cyber? What's the name mean? So I climb mountains. I've done two of the Seven Summits; that's the highest peak on every continent. And when I climb mountains, I always see goats way up in the mountains, and they're always trying to get to, like, the next level. And sometimes you see them on these very precarious cliffs. So I like the fact that they're very persistent.
They're agile. They're always trying to level up. Yeah. So I think those are good traits for a company. Goats are a little bit stubborn too. That might be a good trait for a company. I'm not sure. And then when I'm in the mountains, like, the mountains are beautiful, like white snow in the blue sky. I find the blue sky very tranquil and peaceful in the mountains. So that's why Blue Goat. Yeah, no, I like it.
I've gotten the advice in the past that if you ever start to get overwhelmed or not understanding things anymore, just not sure which direction to go, get to a high place; it puts things in better perspective. And I don't know if that's true for you, but I've found that to be true for me.
¶ Developers ≠ cybersecurity experts: the training gap nobody talks about
Yeah, I call that condor vision. In life, it's good to zoom out and look at your life from a bigger bird's eye view, really, and see where you are. And then you can maybe see the obstacles and get a different perspective on it. Yeah, 100%.
Well, maybe in another podcast on another topic, we could go into all these other things. These are interesting to me. So you seem like a wealth of experience and just really interesting. So really appreciate you taking the time to talk with us today, Christian. Yeah. Thanks so much for having me on, Etienne. Those of you who've been listening, thank you so much. And we will see you all next time. Take care.
Thanks for tuning in to the Global Medical Device Podcast. If you found value in today's conversation, please take a moment to rate, review, and subscribe on your favorite podcast platform. If you've got thoughts or questions, we'd love to hear from you. Email us at podcast@greenlight.guru.
Stay connected for more insights into the future of medtech innovation. And if you're ready to take your product development to the next level, visit us at www.greenlight.guru. Until next time, keep innovating and improving the quality of life.