What is Retia Medical's primary focus?

Retia Medical's primary focus is developing data-driven hemodynamic monitoring technology. This technology provides consistently accurate cardiac output measurements, specifically for high-risk surgical and critically ill patients. Their solution aims to minimize the 30% error rate often seen with legacy thermodilution methods.

Why is integrating cybersecurity early in the development process important for medical devices?

Integrating cybersecurity early in medical device development is crucial because retrofitting security measures into an existing product is significantly more expensive, complex, and time-consuming. This proactive approach helps avoid substantial delays in FDA clearance, especially with new requirements outlined in the FDA Section 524B. Early integration also aligns with the shift-left security principle, making it more efficient and effective.

How do FDA cybersecurity requirements impact medical device companies?

The FDA's cybersecurity documentation requirements, particularly those from Section 524B, continuously evolve, necessitating that medical device companies maintain a proactive approach to compliance. Companies must adapt to changing regulations and provide a Plan for cybersecurity, a Software Bill of Materials (SBOM), and other essential documentation within their eSTAR submission. Failing to do so can lead to significant delays in product launches and clearances.

What is the difference in compliance costs between hardware and software as a medical device?

Software as a medical device (SaMD) incurs ongoing compliance costs that hardware alone does not, primarily due to the continuous updates in regulatory expectations and the need for ongoing vigilance against cyber threats. Unlike a one-time hardware submission, SaMD requires continuous monitoring and updates in response to vulnerabilities, as highlighted by frameworks like AAMI TIR57 which details a medical device security disclosure program.

What is a key lesson learned from Retia Medical's journey regarding quality systems?

A key lesson learned is the importance of building a robust quality system from day one. This foundational step would have prevented years of challenges related to cybersecurity documentation and FDA submissions, such as those required for IEC 62304. Establishing a strong quality system early on is critical for long-term success and streamlined regulatory compliance.

Podcast Ep 56: What MedTech Startups Get Wrong About…

By Christian Espinosa, MBA, CISSP

Founder & CEO · Blue Goat Cyber

Reviewed by Trevor Slattery

COO · Blue Goat Cyber

Last reviewed: May 1, 2026

Listen now

Episode breakdown

Key takeaways

Building a robust quality system from inception is critical for medical device startups to avoid significant delays and costs associated with cybersecurity compliance.
Medical device software incurs ongoing compliance costs that hardware alone does not, primarily due to evolving regulatory expectations.
Retrofitting cybersecurity into an existing medical device is substantially more expensive and time-consuming than integrating it during the initial design and development phases.
The FDA's evolving cybersecurity documentation requirements necessitate continuous adaptation and proactive engagement from medical device manufacturers.
Prioritizing product utility and user integration, as evidenced by positive clinician feedback, can drive market acceptance and sustained growth for medical technologies.
FDA submissions for medical devices, particularly those involving software, become increasingly complex with changing cybersecurity requirements.
Understanding the distinctions and compliance pathways for Software as a Medical Device (SaMD) is crucial for companies developing algorithm-driven health technologies.

Marc Zemel has been building Retia Medical for 15 years. The company started as two guys with slides and licensed technology. Now their data-driven hemodynamic monitoring technology for consistently accurate cardiac output measurements in high-risk surgical and critically ill patients is in 75 hospitals across 18 countries, sold by Medtronic in the U.S, and the company is preparing to launch their new product Argos Infinity, pending FDA clearance.

But getting here meant dealing with cybersecurity challenges that Marc didn't see coming. In this conversation, he talks about what actually slowed them down, what he wishes he'd done differently, and why building a proper quality system from day one would have saved him years of pain.

Retia Medical develops algorithms that monitor cardiovascular function. Their technology detects problems before blood pressure drops, which makes it valuable in operating rooms and ICUs. Nurses have gotten so attached to their monitors that they literally hug them because the devices help them do their jobs better.

Marc walks through the specific cybersecurity issues that surprised him. Like how software as a medical device comes with ongoing compliance costs that hardware doesn't have. Or how documentation requirements kept changing as the FDA updated its expectations. Or how retrofitting cybersecurity into an existing product is way more expensive than building it in from the start.

He also shares his philosophy on building companies. He doesn't focus on exits or acquisition targets. He focuses on building something people can't live without. When the product is that good, the rest takes care of itself.

If you're building a medical device startup or dealing with FDA submissions, this is a conversation worth hearing.

Frequently asked questions

Bring this work to your device

Need help with fda premarket cybersecurity?

Blue Goat Cyber delivers fda premarket cybersecurity services for medical device manufacturers - from threat modeling to FDA-ready reports.

FDA Premarket Cybersecurity Services

What MedTech Startups Get Wrong About Cybersecurity Documentation with Marc Zemel

Episode breakdown

Key takeaways

Frequently asked questions

Need help with fda premarket cybersecurity?

Science Before Hype in MedTech Investing with Varun Turlapati of Chaanakya Capital

De-Risking Product Decisions in MedTech Startups with Brent Lavin of Ironwood MedTech Partners

Why Clinical Trials Are the Most Expensive Capital Outlay for Startups with Rob Bedford, CEO of Franklyn Health

Traceability Requirements and Documentation Audit Trails with Dr. Basant Bajpai, CEO of Compliance MedQRA

Get FDA cleared without the cybersecurity headaches.

What MedTech Startups Get Wrong About Cybersecurity Documentation with Marc Zemel

Episode breakdown

Key takeaways

Frequently asked questions

Need help with fda premarket cybersecurity?

Keep listening

Science Before Hype in MedTech Investing with Varun Turlapati of Chaanakya Capital

De-Risking Product Decisions in MedTech Startups with Brent Lavin of Ironwood MedTech Partners

Why Clinical Trials Are the Most Expensive Capital Outlay for Startups with Rob Bedford, CEO of Franklyn Health

Traceability Requirements and Documentation Audit Trails with Dr. Basant Bajpai, CEO of Compliance MedQRA

Get FDA cleared without the cybersecurity headaches.