
Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO
Published May 2025 · Last reviewed May 2026
The Med Device Cyber Podcast · with Kevin Derr · May 31, 2025

In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery welcome Kevin Derr, CEO of Neuronsphere, for a deep dive into data protection in the medical device industry. Derr, who has more than 20 years of experience, including significant roles at Stryker and Johnson & Johnson, discusses the unique challenges of securing medical device data and achieving regulatory compliance. He introduces Neuronsphere, a toolkit designed to let engineers develop data products and AI/ML algorithms for medical devices while staying compliant with cybersecurity and FDA requirements and with standards such as ISO 27001 and ISO 13485.

The conversation highlights the critical importance of data ownership and control, contrasting Neuronsphere's approach with traditional SaaS solutions. The discussion also covers common cybersecurity weaknesses such as misconfigured S3 buckets and the pervasive problem of insecure IoT devices in healthcare settings. Derr offers insight into the evolving landscape of FDA guidance, specifically how recent requirements are shifting security considerations earlier into the New Product Development Process (NPDP). The episode offers valuable perspectives for product security teams, regulatory leads, and engineers navigating the intersection of medical device innovation, data security, and regulatory adherence.
Key Takeaways
- Owning your data and running it within your own infrastructure, as offered by solutions like Neuronsphere, simplifies compliance and enhances security by removing third-party vendors from the trust chain.
- The medical device industry, while progressing in cybersecurity, faces unique challenges due to the primary focus on patient safety and the historically slow pace of regulatory adoption compared to other sectors.
- New FDA guidance, effective since late 2023, is crucial in accelerating the integration of security considerations and data management earlier into the New Product Development Process (NPDP).
- Engineers often prioritize deadlines and functionality over secure coding practices, highlighting a need for continuous emphasis on security, structured frameworks, and awareness of common vulnerabilities like misconfigured S3 buckets and insecure IoT devices.
- Hospital networks are often vulnerable due to human factors, such as shared or easily accessible passwords, making strong data protection and cybersecurity controls paramount, even for systems assumed to be inherently secure.
- Architecting systems for compliance from the outset, rather than trying to retrofit security measures later in the development cycle, can save significant time and resources in achieving regulatory approval and maintaining a strong security posture.
Listen on mdcpodcast.com · Watch on YouTube
Want help applying this to your own device program?
Blue Goat Cyber is a specialist medical device cybersecurity firm: 250+ FDA submissions, zero rejections. If anything in this conversation hit close to home, book a 30-minute strategy session - no cost, no obligation.
