Security Sells: Why Investors, Regulators, and Buyers Care About Your Cyber Game | LSI Europe '25

Christian Espinosa  0:00  
Morning everyone. I'm Chris Espinosa, the CEO of Blue goat cyber. I'm gonna have the rest of the panel introduce themselves, and we will talk about cyber security and how it can be turned into a differentiator versus a challenge for you. So you so can we go ahead, introduce yourself, Sean. I'll start with

Sean Lavin  0:23  
you Sure. I'm Sean Lavin from Alpha Lavin Advisors. I work with early stage companies, mainly on raising capital, but a lot of kind of building out the company and strategy and so so we look at this as well.

Claudia Holy  0:23  
My name is Claudia Holy. I'm CEO, Managing Director of Polymos, which is a Medtech marketing agency. We focus on how to clearly communicate the value of your technology at all stages in the commercialization. So this includes to investors, buyers at all stages.

Christian Espinosa  0:51  
Awesome. So today is going to be interesting, because we're going to get the perspective of cyber security through an investor lens, messaging and marketing lens, as well as regulatory which is where my organization falls in. And today, one of the challenges is cyber security is no longer optional. It's a requirement, and a lot of med tech innovators are still kind of like the hard way, figuring out that it's now a requirement, but it's no longer optional, and it can be a deal killer. A lot of investors have been burned because the innovator forgot about cybersecurity the very end. And it's also something that is not just required by the FDA or MDR. A lot of hospitals and healthcare delivering organizations are demanding cybersecurity as well. So when it comes to marketing and messaging and figure out the roadmap, it's important to reverse engineer, because the FDA, for instance, the United States, or MDR here is like the minimum bar. But as you know, pretty much every major healthcare organization has been hacked and compromised, and there's been a big data data breach. So they're becoming very sensitive about what types of devices can we put on their environment. And one of the biggest points of confusion from Blue goat cybers perspective is what constitutes cybersecurity? What is cyber security overall, and what is a cyber device like? What types of medical devices require cyber security? So for the first question, what is cyber security? It's really about reducing the risk of somebody hacking into either intentionally or unintentionally, into a medical device and causing harm to a patient. A lot of the attacks today that propagate the internet may just land on a medical device through the hospital network. So we want to make sure that that device is protected and it can't be attacked in a way that can affect patient harm. And then the other aspect to that is like, what is a cyber device? This is where a lot of organizations wonder, Is my device applicable to cyber security? A cyber device to make it's very simple. It has software and there's some sort of interface. The confusing part comes into the interface, even if, as a USB port that is considered an interface that could be used to connect to the internet, because I could easily plug a wireless adapter into that USB port. So first off, let's start with a Sean and get some perspective from an investor lens, as you've seen the industry for quite some time, is cyber security starting to become a concern for investors, or are we still kind of behind in terms of cyber security?

Sean Lavin  3:50  
I think, think both. I mean, I think honestly, it is, it is slowly becoming a concern. And I you know, if two years ago, it was 5% of companies thought about it in the startup world, it's probably 15 or 20% now, but it's still a long ways from from everybody looking at it. I think companies, companies learn about it kind of one of three ways. They either, you know, meet a company like this, or come to a session like this and learn this way, or they find out when the FDA pushes back on something they didn't do, which is not a great way to do it. Or they, or they even later stage, if they got through the FDA A while ago, and they go to sell product a hospital or hospital system says you you don't meet our requirements, or you need to make a change. And the latter two are, I believe, more specimen, so it will take a lot longer and interrupt plans, quite a bit more than than if you do it early.

Christian Espinosa  4:34  
Yeah, and it seems like, if I'm, if I win your shoes, I'm going to going to invest in a company that I would want to make sure that they reverse engineer to figure out who their end clients are they gonna sell to the healthcare delivery organizations. And did they design the right requirements, not just from a overall perspective, from cyber security perspective, into that product so it can be sold in that environment as well. Think you're right,

Sean Lavin  4:58  
and probably probably fourth. Where companies learn is, you know, investment funds invest in a lot of companies. So they, they, if one of their companies runs into an issue, they they spread that issue across all their companies. And so I think they are, the funds are looking at this more, and they, they do want to be able to sell into all environments. And it's not just a US hospital environment. So it's a worldwide environment over time. And that, I'm sure every every country in every area, is different. And, you know, I think one of the big question for companies is, as you start with, what is a what is a cyber device? I would have, I would guess that any company that's running an internet portal or some kind of AI driven thing is going to understand they have a cyber security issue. Somebody who's making a heart pump that plugs into a computer once a year, may may not, or probably doesn't, recognize they have a cyber security issue. And in the device world, we, you know, this kind of a digital health world, there's a device world. The device side, we have more of the companies that have the occasional plug in and and, you know, they probably don't think about as

Christian Espinosa  5:50  
much, yeah. And then I've talked to quite a few investors. I think there's still a little bit of a common I just investors of the industries, I should say, misunderstanding that cyber security is about protecting the data. But from our perspective being, that's what we do in the industry cyber security, the data is like secondary actually, really we're interested in protecting the patient, because if somebody can hack into a surgical robot performing surgery on someone's spine, we could paralyze that patient. If somebody can increase the flow rate on a drug infusion pump and somebody's doing morphine, we could cause them to overdose. If somebody could hack into a pacemaker or defibrillator, we could shock somebody to death, which you may have heard Dick Cheney had his wireless functional a long time ago, disabled, because there's legitimate threat somebody can shock them to death. So we look at it from the lens of, if somebody were able to break through this device, what is the impact to the patient, rather than from a hip up perspective or a phi perspective.

Sean Lavin  6:53  
And it's not an if. I mean, 10 to 15 years ago, one of the one of the very large med device companies had their pacemakers hacked, and it was, I mean, it was a problem for patients. Patients didn't, didn't know what to do they they knew there was a ability to change their pacing. It was a problem for investors. The stock went down somewhere between 10 and 20% and this is a multi billion dollar company, so that that was probably the thing that most med device CEOs or investors remember. And you know, it's a real life issue. I mean, what do you tell a patient, if their pacemaker, their ICD, is is potentially vulnerable and you don't should you take it out? Should you replace it? Should you do nothing? What is, what is a doctor say? You know,

Christian Espinosa  7:30  
that's an interesting dilemma, because if I'm a patient and I've got a recall on an implantable do I decide to go ahead and get it taken out or to accept the risk?

Sean Lavin  7:40  
Certainly was, I think every, every patient, every doctor, had a conversation about it. And some, some increased monitoring. Some, you know, some people have a pacemaker, if they, if it goes poorly, they have a decent pacing heart. Others, others are 100% a fatality if it were to start stop. And so I think in that situation, I imagine each physician had to, had to make decisions with each patient. And then there's also the issue of, can you, can you find that patient, right? I mean, a lot of these patients are older. They they may not use the internet the doctor, May, May, they may move. They may, they may see a different cardiologist. It's, it's, it's a real mess. And I would guess the majority of those patients had no idea they had a problem, right?

Christian Espinosa  8:18  
And Claudia, from your perspective, be the med tech and marketing and messaging. What is your view on how cyber security has shifted and and in terms of, like, how we market our product and how you make the right claims, like, what's your perspective?

Claudia Holy  8:34  
So I think, you know, we see this across all marketing. So whenever we're looking at marketing for medical devices, you know, it's really, as you say, reverse engineering things. So we see that cyber security becoming more important now. So actually, how do we understand what is important to the end user? And who are the end users who care about cyber security? So is it the investors? Is it the hospitals? And actually, what questions are they asking? Because that's then how we, you know, reverse engineer it to make sure that we're actually matching those claims as we go forward. And it comes down to a very simple sort of fundamental thing. You know, it is about what questions and what issues and concerns do your audience have, and actually, how can we address those issues and concerns? Because if we don't address them, we're going to end up with an issue down the regulatory pathway or down the adoption journey. So it's really important that we map these stakeholders out. But as I say, we see this. You know, it's coming up in cyber security now, and I think there is definitely a lack of understanding over what is a cyber device. So, you know, it's how do we actually increase the awareness of that so that more early stage companies are really doing the work early on and not incurring huge costs and time delays later on, because it hasn't been done. But I think the most important thing you know, it is about understanding where what questions you're going to get and what objections you're going to get, and you are now going to get them about cyber security and actually how you address them early on your development cycle.

Christian Espinosa  9:55  
Yeah. And that's an important point, the whole idea. The Cyber security is supposed to be designed into a device, versus bolted on at the end. Bolt you're not at the end becomes very costly. It causes delays. It frustrates investors. It makes the device less secure. So we're trying to, like part of Mike company's mission, is to raise the awareness that if you know you have a cyber device, you could should be designing cyber security into your product, versus trying to bolt it on at the end, when your regulatory affairs person says, what'd you do about cyber security? Like, oh, we forgot about it. That seems to happen fairly often.

Claudia Holy  10:32  
I think there's another point to this as well. It's also, how do you communicate that you have addressed the cyber security issues too? Because I think cyber security, you know, and we've recently spoken about this, and there's all this terminology that I don't understand and you know, and actually, so you know, why should I understand it? But also, a lot of the people you're speaking to don't understand it either. So how do we simplify it so that actually we can communicate in a really effective way that we have understood all these challenges and we have addressed them in the technology that we're bringing to market, you know, so that not only Well, whoever you need to talk to, actually you communicate effectively. So removing all jargon, keeping things simple, being really specific, you know, I think that's also what we need to do in cyber security when we're communicating, so that people actually understand it well. Because it is, it is a it's a growing area.

Sean Lavin  11:21  
I'd ask, you know, from the company that's building a heart pump, they're going to put 99% of their time into building that pump. What? What? What do they need to do on the cybersecurity side? So if they, if they plug that, if they plug that console into a computer or internet once a year, or once every six months, what, you know, what is the requirement that they need to meet. And how often does that requirement change? If they, if they meet it today, will, will they still meet it next year? Will it be different?

Christian Espinosa  11:46  
Yeah, well, it's, it's continuous, right? I mean, vulnerabilities change all the time, and one of the things we have to do for our clients is, once a device is on the market, it could have a vulnerability profile like we've accepted these low risk vulnerabilities as acceptable risk to the patient. But then, if somebody develops a new exploit for that vulnerability and publishes it, and then everyone has access to this exploit, now becomes very easy to take advantage of that vulnerability, which changes the risk profile. So it's something that has to be continuously looked at, and then from a design perspective, I agree with you. They're like, there's a functional designs. Let's make this thing work. Cyber security is really non functional requirements, but they need to be included if you want to sell to your market, if you want to be able to have the right marketing message and all that. And I what you said about the jargon is interesting, because that's a big challenge, like, how do we simplify the message, besides saying we're 99.99% secure, because you can't ever be 100% secure.

Claudia Holy  12:52  
Absolutely, it's specificity, isn't it? So if you say, I mean, you can say you're 99% secure, but what does that mean actually? How do you justify that, right? So whenever you need to build trust with an audience in the sense of, actually, you know, it's all about removing doubt and removing lack of information. So, you know, what does 99 specific, 90% specific mean? So does it mean you comply with these ISO standards? Does it mean, you know, it's just explaining that a little bit better, and actually what that means to the end user as well so they can really understand it. That's what I mean by simplification. Yeah. So we're not using that sort of jargon, because I think whenever you use jargon as well, you really isolate your market, or you you shrink your market down, because only a certain number of audience will will understand that. So it's yeah. How do we make it specific in action and understandable by all

Christian Espinosa  13:39  
Yeah, well, in Medtech and in cyber, combining Medtech and cyber security, we've got, like, the most jargon international standards possible. I mean, I heard someone do an interview yesterday in literally one sentence. Was all acronyms and ISO standards. There's, like, no real word in there. So that is a major challenge. I think

Claudia Holy  14:01  
essentially, there's one thing, and this is just off on a little marketing tangent, but there's something called the curse of knowledge. And I don't know if anybody knows what that is. So basically, anybody who is developing a device, there's a scale of one to 10 about how much knowledge you have, and 10 is how much knowledge you have as an expert. But where would you think? And I'll ask, I'll ask you Christian, where do you think people buy on that scale? If you've got scared of one to 10, you know, hunt, you know 10. About cyber security, what level do you think you need to put your literature out, or your materials out, your message out for people to understand? Three? Oh, you know, I don't know between two and three. It's in between two and three. But most people say, people say six. So actually, most people's information is way too high, and it's also people, and also people put too much information in immediately. So if you think, if you think of anything that you buy at any stage, you want to know different levels of information at different stages. So first you might want to say, you know, is it the right price? Second. And you might want to say, Does it meet my criteria? Third, you might want to say, what do other people think of it? So, you know, you got to deliver the information at the right stage. And what we're really bad at doing in med tech is saying, here's all of it. And actually people can't digest it in that right? So it's also, you know, with cyber security and everything. It's like understanding your buyer's journey, whoever that buyer is, if it's an investor, whoever, and actually, what information do they need at what stage? So you simplify everything that way as well.

Sean Lavin  15:27  
Is for early stage companies that that are thinking about this, it's very hard to to commit to large amounts of money in the next 10 years. And you know, most these companies are working through the FDA. And we break that down. You know, pretty clearly most companies expect they they do some animal studies. They didn't do a first demand study. They do some kind of pilot or larger study, and then they do a pivotal study. Is there any way to, and that's pretty common across kind of all, all companies that are here, is there any way to, kind of break down cyber security? And when you're when you're starting a device, you should be doing these three steps when you when you get to the pilot study. You should be at this point, when you when you're going to launch commercially, these things should be done. I don't know if that's

Christian Espinosa  16:04  
possible, but yeah, that's 100% possible. I mean, we're happy to have a consultation with anyone just to say, Have you thought about these 10 things? And if they haven't, most companies haven't thought about any of them, right? So you can quickly figure out where the gaps are and how to close the major gaps. So yeah, it is, it is possible. And I think one of the challenges also, like you mentioned, I think you said sterility study, or animal study, cyber security is iterative. I think in med tech, we're used to thinking of time blocks, like I'm going to do this study in q3 of you know 2026 cyber security needs to be done continuously, because the software is being developed, it needs to be tested while it's developed, not at a certain point in time, maybe at a certain point in time, later on, by a third party. But as part of that development process, it's got to be iterative, and that's something I think the industry as a whole has had challenges wrapping their heads around, because we're used to thinking biocompatibility study, you know, this block of time, this study, this study, this block of time, this study, this block of time, and cyber security doesn't work

Sean Lavin  17:04  
that way. The other thing I ask is there any way to develop, I guess, modules or software that can work on multiple companies? So we see that if I go back 30 years ago, the heart pump, you had to develop your software to run that pump. Now, there may be five or 10 companies with similar software where they've gotten it from one company, or they're and they building different pumps that work differently, but the the way the beat works, or the whatnot with the software is the same, is there, is there ways to do that, such that not every company has to do it individually. They can kind of scale together with security.

Christian Espinosa  17:33  
Yeah, we see that quite often where companies are using, like, a cloud platform that other organizations have used, and they have the ability to, like, license that and then add their own unique functionality onto it, so leveraging something that's already been built, yeah. But then we also have a lot of clients. We see clients that want to protect their intellectual property, so they don't want anyone you else even understanding what their software does.

Sean Lavin  17:57  
Makes sense. 

Claudia Holy  17:57  
So in you know, what we see when we work with early stage companies is there's so many things that need to be considered in the early stage, and actually there's only limited funding that companies have. So at what stage you said? It's all the way through for cyber security? So what does an early like, what's the most efficient way to work in cyber security? Because I can say what it is from a marketing perspective. But actually, you know, as cyber security is becoming so much more important. What's a really effective way for companies to start with cyber security if they haven't done anything yet?

Christian Espinosa  18:29  
I think there's a misnomer, like, we want to go too far, like to left in the timeline. Really, from my perspective, if you have, if you haven't proven your product and market fit, and worked out your reimbursement strategy, and all the things that really are critical the success of this, bringing this to market, then you really don't need to worry about cyber security. But once you've validated your MVP and you've got a decent roadmap and a regulatory strategy, I think at that point you should start consider cybersecurity. And like I said, reverse engineer. This is the thing a lot of people don't understand, like, what market Am I selling to? Am I only going to sell the United States, or do I want to sell to China eventually? Because requirements a little bit different. If I understand, like, my strategy, then I can reverse engineer, okay, China requires these things. I can't use this certain cloud provider because it won't work in China as example. So I can design my system in a way that I can sell those markets without having a roadblock later on. So I think it's as early as possible. It's not just like technical decisions. It's also like forcing you to think, who are my actual clients, what are the markets like, and what are the regulations like, from a cyber security perspective or any other perspective, and

Claudia Holy  19:43  
so that's way more efficient doing it that way around than saying, Okay, we're, you know, we're going to go for a product launch, we're 12 months out for regulatory approval or something like that, and we'll look at cyber security

Christian Espinosa  19:56  
then, well, I most people come to us about it's. Two months before they're trying to get cleared by the FDA or MDR, another global regulatory authority, and they've never thought about cyber security until the regulatory authority person said, you know, they're going through a checklist. What have you done about cybersecurity? Like, oh, we haven't done anything. So they contact us, and it's, it's an unfortunate situation, because we hope they would have talked to us earlier. But we always find lots of problems, and these problems, they typically have to fix. And if you're giving a two month deadline to submit and we find, let's say, 500 problems your software development team has to go back and fix those problems before you can have a button up submission where the risk is low enough to get through the threshold.

Claudia Holy  20:49  
And what would you say is the average number of errors that you do find, and I suppose it varies on the complexity of the device, all different things. But what's the average number of errors that you you often find just out of interest,

Christian Espinosa  21:01  
I would say the average number of high risk items that have to be fixed is per device, is probably 50. We have some devices, we find five. Some devices, we find 5000 but I would say, based on the complexities, probably like

Claudia Holy  21:18  
50, and what's the average impact of that on the time to approval, the cost to approval, things like that, just so we can get a feel of like, you know what the implication of a late late addressing cyber security is versus early?

Christian Espinosa  21:32  
Well, there's the financial impact, which is typically like, six to seven times more cost than if they would have designed the cybersecurity into the product, because oftentimes they have to reverse engineer and get a different software development team that actually understands it to develop secure code, and they have to do a lot of

Claudia Holy  21:50  
changes, which, when you say a software team that understands it, that they've already had a software team that's developed their product. So what do you mean by that? What's the difference?

Christian Espinosa  22:01  
That's a good question, and that's another common misconception. Most software development firms do not understand cybersecurity. And when I talk to CTOs or CEOs of a med tech innovator, they assume the software development organization that they've contracted know something about cyber security, and often they said, Oh, we have a cyber security person on our team, but that has never, I would say maybe, like, one out of 99 times, 1% been been legit. So that's the other thing. If someone talks as early on, we can help them guide that decision on which firm to choose, because there's a standard in med tech. It's called IEC 62, 304, which is for secure software development for medical devices. So I should find a software development organization that follows that standard, that has a track record, and it's probably going to cost more than one that's offshore, but at least you will have, it'll cost more upfront, but cost less overall, and you'll have secure software,

Claudia Holy  23:07  
yeah, so you know, you've got it right, right from the beginning, and then you don't have to backtrack. So it's not just that it costs seven times more later on, because it's it's you, but it's the fixes. In the sense employing another team to fix it is all the time delays. It's all that sort of stuff, right?

Christian Espinosa  23:22  
You have to find an entirely because if your team didn't know how they introduced the problems to begin with, your software development team that you hire, you got to find a different team, because they're gonna, they're not gonna be able to understand how to fix it, and we could try to guide them as much as possible, but they have to fix this completely third party. So it's that, it's also the delay to market. So if you have a competitor and they did software development properly, their device may hit the market way before yours. So it's not just like the extra cost of redeveloping or fixing the problems, it's delay to market. And then if you go back to your investors and ask for more money because you forgot about this, I imagine you'll be frustrated.

Sean Lavin  24:01  
It doesn't, it doesn't, it doesn't go well, right? Any, any any delay, or any any missed timeline the next raise usually, usually is at a lower value or doesn't go well. And I'll ask one kind on the values question, because clearly, most of the early stage companies are looking to increase their value, and it makes it easy to raise money and they get their milestones. Have you seen and they obviously want to be bought by by strategic at some point. Have you seen the larger companies focus on on this? I mean, when they when they look at who they may buy, have have deals, either gotten stuck because of cyber security, have have higher numbers been paid because the device was ready to go in five countries. I mean, what have you. And I mean, are those large companies vocalizing this to the people they they may buy?

Christian Espinosa  24:40  
They are starting to vocalize it more proactively, but from our experience, has been reactive, like they buy this company and then contact us and say, Okay, we need you to look at the cybersecurity for this company. I'm like, okay, you've already made the acquisition, you know. So it's a little bit reactive versus proactive, but we're starting to see a little bit of a shift, because. It. At some point, the pain gets enough where you've been burned enough times, you start to figure out, okay, maybe I shouldn't try this approach anymore.

Sean Lavin  25:06  
If that shifts, I think, I think more the early companies will do more of this, if, if they keep buying them and then fix it, they the early couples will keep passing it on to the

Sean Lavin  25:13  
big ones. Yeah.

Christian Espinosa  25:16  
And then something you mentioned earlier, Claudia, was like, Who the how do we message, get the message the right way? And something you said, like, is it the patient that needs to understand the message or the risk? Is it that healthcare delivery organization? Is it the physician? Like, you know, how do we communicate the risk in a way like, because I would think is at least me. I don't think maybe most patients don't care, but if I'm going to get to them plantable, I want to understand the risk.

Claudia Holy  25:43  
Yeah, so I think this comes back to what problem you solve for the audience you're targeting. So I think you have to really look at, you know, who are you speaking to, and what problem do they have? Because actually cyber may not be a problem for them at that stage. So, you know, it might be a problem for investors, but actually patients might not be aware of it. However, you know, we're seeing a lot more cyber security issues. So actually, it's probably going to become more relevant for patients, and it's patients than it's ever been, but it's really, you know, what is their big problem, and addressing that problem for them. So I think it's, you know, it comes back to the clear communication, being specific, and also not hiding anything. And I don't mean hiding anything in the sense of, you do it intentionally, but you know, it's like, oh, we won't answer that. We'll answer that later. No, let's answer that in the best way we can now, because as soon as you answer every question, you know, if I ask anybody you know, when you're going to make a purchase, it's the same as a medical device. Like medical device is clearly much more more serious. But if you're going to have a medical device implanted, or you're going to make a purchase, you know, you go through and you think about, right? You know, are all my questions answered? Am I certain that this is what I want to do? If that information is not available, you go, Oh, do you know what? I'll come back later, and you don't or you go and look at a competitor, or something like that. So I think you know, when we're talking about how we communicate about cybersecurity, first is, is this a problem that our patients really care about and who in our stakeholders really care about it, and why do they care about it? Which is staying curious and asking everybody, having patient groups, having investor groups, having physician groups, and saying, What do you care about? You know, a really great source of information once you're commercial is actually to ask your sales team, because you get all the information back from them. Because they're getting up. They're getting asked these questions from clinicians every day. But once you know that you know, then communicating it clearly, thoroughly and understanding at what stage they have what issues. You know, for example, if I take a health care professional, I know this is when you're commercial, but you know, to start off with, they might say they have a certain set of questions, like, what does your device do? I've heard this from a competitor. And then once they get to evaluation, it's, well, actually, how do I use it? Each stage has a different part of communication, and it's a say it's the same in any person that you're speaking to. It's just breaking that down and then giving the right bit of information at the right time. Because cyber security, I suspect, for patients will come in right at the end of their decision making process, because it'll be like, I really like I really like this. It's gonna help me. I trust the surge and all these different things. And, you know, and yes, it's really secure as well, because I've heard cyber security is an issue, so it's really understanding that whole buyer's journey and where you need to put the information because of the problem they're having at that stage.

Sean Lavin  28:18  
Sorry, I suspect that the doctor really matters. I mean, back back when I worked as a surgeon, I don't, I don't recall patients say to me, I want this device or that device. They tend to come in and say, What? What device do you think is best for me? And I, I think the doctors care about this because a, they want what's safe for patient, and B, if there is a problem, it's gonna be their problem for the next decade when they have to fix it.

Claudia Holy  28:38  
Can I push back on you in touch there? So what we are seeing is a big trend towards patients educating themselves significantly better than they ever did. And yes, it totally depends on the device. And yes, they do go, when they do go and see the doctor, of course, it's like, Well, okay, you think this is better, but we're seeing an awful lot of self education happening now. So I think that, and we're, you know, and it's obviously with the rise of the Internet and everything else. So I think there really is a place for being able

Sean Lavin  29:02  
to educate, especially on this 19 years ago as a doctor. But it

Claudia Holy  29:06  
also depends on the device, right? So some are much more patient facing. So like, you know, a sugar glucose monitor is going to be a much more patient centric device, or a neuro stimulator is going to be a much more patient centric device than a stent. So it totally depends

Sean Lavin  29:20  
on that. We saw that the diabetes community is very, very active in what they what they choose or

Claudia Holy  29:24  
pick. Yeah, yeah.

Christian Espinosa  29:26  
So the, there's a big push for transparency, yeah, and labeling, kind of like prescription drugs have all the side effects listed with with a medical device, we're supposed to say these are all the cyber security risk listed. But I'm not sure if anybody actually, and this goes the patient education actually reads that stuff or cares or makes a decision based on it, or is it like the physician? This is the only one we give you. You'll have any other options.

Sean Lavin  29:52  
And I didn't know there were FDA labels before I got the Wall Street. So I don't, I don't think the patients are reading, reading the labels. I think, I think, I think that's an issue. I mean, that's. Think there should be a better, better way to let people know this is safe. I'm not sure what that what that way is, but they're, they're, I mean, the average patient is not getting the pacemaker label,

Christian Espinosa  30:09  
I would think. And this goes back to what you said earlier, Claudia, like in cybersecurity, we make it so complex with so many acronyms, with robot talk. As people have told me, that almost everyone just tunes out as soon as you mentioned the word cyber security, they're like, you know, they just like, want to go somewhere else, you know, get away from the conversation. So it's a challenge to change that messaging, where people want to tune in versus turn tune out. And I, I think if we can solve that problem, then we'll get people more aware, and we'll probably have make some progress with cyber security, not just a Medtech but just a Medtech but the other industries.

Claudia Holy  30:44  
Why do you think that's the case? What's that? Why do you think that's the case? Why do you think people do tune out? I think

Christian Espinosa  30:51  
cyber security professionals in general want to be, quote, smarter than the people I wrote a book about this, actually. So they want to talk over people's head, because if you talk over someone's head and they don't understand, it makes you feel smarter than somebody your ego. So it's like this weird egoic thing where highly rationally intelligent people, this is the way they feel significant, is by talking over someone's head. And it's

Claudia Holy  31:17  
really interesting, because from a marketing perspective, that's totally the opposite of how we need to communicate. And actually, we try to make things simpler and simpler and simpler all the time. And actually, how can we use less words and be more specific? And, you know, it's funny, isn't it? And so as you we feel, the smarter you are is, The simpler you can talk now. And so we always need to, you know, just, just demystify, demystify cyber security as well. Because when we spoke recently, and I didn't realize a lot about cyber security, and I think I had all the same misconceptions. And then when you said any device that can be connected in any way to anything else is a cyber security risk in the sense that it's got a USB, it's got any connection pot, I never realized that, you know, because I used to sell harmonic Scalpel when I was younger and stuff like that, and that would have been a cyber risk, because it had a USB port in the back of it, or any sort of connection port. So I think that that made me lean into it a lot more, because I realized some interesting stories around it, and actually how it affects so many different things, and the impact it can potentially have on the patient.

Christian Espinosa  32:18  
Yeah, I remember reading a quote by Mark Twain. It said, if he had more time, he would have written shorter books, because it takes a lot more effort and energy to simplify the message like he said,

Claudia Holy  32:32  
No, it's totally true. It takes more time. Awesome.

Christian Espinosa  32:36  
We have a few minutes for questions, if anyone like to ask questions, yeah. So if I understand your question, you're saying there's a push to say, We need all these things inside in the software, but where's the balance of like having the right amount to pass?

Claudia Holy  32:51  
Can I answer this? Yeah, go ahead. So I think this comes back to, you know, if you're so if your engineers are saying we have to include this, because otherwise, you know, we're going to be missing something, and then your regulator is saying, hang on, but this is going to really increase your regulatory process, which totally I would always say, What does marketing say? And the reason I would ask you that is because, really, there's no point in doing any of this unless it's what your audience want. So you know, and that obviously your audience might want loads of different things, and healthcare professionals might want loads of things, and patients might things, and patients might want loads of things. But is there where we can rank those things and say, actually? And also, what is the standard of care at the moment, and what is missing in that standard of care? Because if we can say, right, if we can, we want to, our whole goal is to get this out to patients as quickly as possible and improve outcomes. So if we can bring a device to market that is superior to the competitors because it has this and this feature, and therefore you simplify its development. You know, it's all about what is going to end up selling in the end. So I think that's why I say, What does marketing say? Because it's really important to understand the end user primarily, and rank, you know, what they really want, and how that fits in line with everything else in the market. Does that help? Or is that?

Audience Question  34:04  
I think that sounds about common sense. Yeah, you described it and as always a very Yeah,

Christian Espinosa  34:11  
well, yeah, right, sizing, the design, not over designing. And it common sense is a phrase is not common practice, right? So, but, yeah, I think, I think one of the challenges we see a lot of organizations try to over design and add features that are not needed to their their product, versus, say, in this release, we're just going to have this set with a roadmap to add more later, and when you add all these additional features and interfaces and interoperability, then you've got to have a lot more regulatory a lot more cyber security. So we're always advocating, okay, what's the minimum thing that your your customer, your client, wants in your product? And let's get that out there, get some feedback, and then we'll design the next iteration. And later on, it's also much easier to get something with less functionality that's tighter designed, right size through approval, than something that's over designed, plus it's more secure. Typically, I think we're out of 

Sean Lavin  35:14  
Have to stop unfortunately. But thank you. 

Christian Espinosa  35:16  
Yeah, thank you, everyone. Appreciate it.