    Podcast · Episode 65

    Who Owns Patient Data Security in Trials with Rob Bedford, CEO of Franklyn Health

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Key takeaways

    • Smaller MedTech companies often face deprioritization by larger CROs, which tend to favor pharmaceutical clients.
    • The medical device manufacturer is ultimately accountable for product safety and security, even when development or testing responsibilities are delegated to a CRO.
    • Early strategic planning is essential for MedTech startups to manage budgets and accelerate market entry, particularly for clinical trials and regulatory strategies.
    • Patient enrollment presents the most significant challenge in clinical research due to strict eligibility criteria and recruitment difficulties.
    • Regulatory bodies such as the FDA frequently require clinical data from their specific patient population, necessitating local studies even if research was conducted internationally.
    • Integrating cybersecurity from the initial product development phase using a "security by design" approach is crucial, as retrofitting security measures is costly and time-consuming.
    • Late-stage software or hardware modifications risk invalidating prior clinical data, potentially forcing a restart of expensive trials.

    This episode of the MedDevice Cyber podcast, hosted by Christian Espinosa and Trevor Slattery of Blue Goat Cyber, features a detailed discussion with Rob Bedford, the co-founder and CEO of Franklyn Health, a Contract Research Organization (CRO) specializing in serving the medical technology (MedTech) sector. Rob Bedford shares his journey from being a neuroscientist and working within the NHS to identifying a critical gap in the clinical research market. He explains that his company was founded to address the specific needs of small and medium-sized MedTech companies, which he observed were often deprioritized by larger CROs in favor of more lucrative pharmaceutical clients. This lack of focus often left MedTech innovators feeling unheard and struggling with limited budgets and tight timelines.

    The core of the conversation revolves around the numerous challenges MedTech startups face on their path to commercialization and how a specialized CRO can assist. Rob highlights that for these smaller companies, efficiency in both cost and speed is paramount due to pressures from investors and limited financial runways. The podcast delves into the complexities of the clinical trial process, clarifying the distinction between pre-clinical (animal) studies and the different phases of clinical (human) studies, such as first-in-human feasibility trials and larger pivotal studies. A significant challenge discussed is patient enrollment, which is often the biggest hurdle in clinical research, requiring a delicate balance of finding patients who are both eligible based on strict criteria and willing to participate in trials for often untested technologies. The discussion also touches on the global nature of regulatory approvals, emphasizing that agencies like the FDA often require clinical data from a representative US patient population, meaning studies conducted solely in other regions may need to be supplemented or repeated.

    A recurring theme throughout the episode is the critical importance of early and holistic planning. The hosts and guest stress that key aspects like regulatory strategy, clinical trial design, and especially cybersecurity, cannot be afterthoughts. They advocate for a "security by design" approach, where cybersecurity is integrated from the very beginning of the product development lifecycle. The speakers warn that retrofitting security measures late in the process is not only more expensive and time-consuming but can also risk invalidating previous software validation and clinical data, potentially derailing the entire regulatory submission. The conversation also clarifies the distinction between responsibility and accountability, noting that while a manufacturer can delegate the responsibility for tasks like software development or clinical trials to a CRO, the ultimate accountability for the product's safety, efficacy, and security remains with the manufacturer.

    Key Takeaways

    • Small- and medium-sized MedTech companies are often a low priority for large Contract Research Organizations (CROs), which tend to focus on more profitable pharmaceutical clients.

    • The medical device manufacturer is always the accountable party for product safety and security, even if they delegate the responsibility for development or testing to a third party.

    • Early and strategic planning is critical for MedTech startups to manage limited budgets and accelerate their time to market, especially concerning clinical trials and regulatory strategy.

    • Patient enrollment is the most significant challenge in clinical research, as it requires finding individuals who meet strict eligibility criteria and are willing to participate.

    • Regulatory bodies like the FDA often require clinical data from their specific patient population, meaning research conducted abroad may need to be supplemented with local studies for market approval.

    • Implementing cybersecurity as an afterthought is a major risk; it is far more effective and less costly to follow a "security by design" principle from the start of product development.

    • Making significant software or hardware changes late in the development process can invalidate previous clinical data, potentially forcing a company to restart expensive trials.

    • There's a crucial difference between being responsible (the person doing the task) and accountable (the person who owns the outcome and takes the fall if something goes wrong).

    Notable quotes

    “The ultimate accountability for the product's safety, efficacy, and security remains with the manufacturer, even when responsibilities are delegated to a CRO.”
    - Rob Bedford
    “Implementing cybersecurity as an afterthought is a major risk; it is far more effective and less costly to follow a 'security by design' principle from the start of product development.”
    - Rob Bedford
    “Patient enrollment is often the biggest hurdle in clinical research, requiring a delicate balance of finding patients who are both eligible and willing to participate.”
    - Rob Bedford
