What MedTech Startups Get Wrong About Cybersecurity Documentation with Marc Zemel

Marc Zemel has been building Retia Medical for 15 years. The company started as two guys with slides and licensed technology. Now their data-driven hemodynamic monitoring technology for consistently accurate cardiac output measurements in high-risk surgical and critically ill patients is in 75 hospitals across 18 countries, sold by Medtronic in the U.S, and the company is preparing to launch their new product Argos Infinity, pending FDA clearance.But getting here meant dealing with cybersecurity challenges that Marc didn't see coming. In this conversation, he talks about what actually slowed them down, what he wishes he'd done differently, and why building a proper quality system from day one would have saved him years of pain.Retia Medical develops algorithms that monitor cardiovascular function. Their technology detects problems before blood pressure drops, which makes it valuable in operating rooms and ICUs. Nurses have gotten so attached to their monitors that they literally hug them because the devices help them do their jobs better.Marc walks through the specific cybersecurity issues that surprised him. Like how software as a medical device comes with ongoing compliance costs that hardware doesn't have. Or how documentation requirements kept changing as the FDA updated its expectations. Or how retrofitting cybersecurity into an existing product is way more expensive than building it in from the start.He also shares his philosophy on building companies. He doesn't focus on exits or acquisition targets. He focuses on building something people can't live without. When the product is that good, the rest takes care of itself.If you're building a medical device startup or dealing with FDA submissions, this is a conversation worth hearing.Episode Breakdown:00:00 Introduction00:32 Where everyone's calling from02:54 Marc's background and journey into medtech04:33 What Retia Medical does07:00 Blood flow vs blood pressure09:45 Software vs hardware as a medical device12:30 Cybersecurity challenges15:20 Documentation nightmares18:45 Quality systems and why they matter early22:10 FDA submissions over 15 years25:30 The cost of retrofitting cybersecurity28:50 Software updates and compliance32:15 Build to be bought, not to be sold37:32 What acquirers look for39:02 Product market fit: Nurses hugging monitors41:14 Wearables and future regulationsThe Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity experts providing essential security solutions for the medical device industry. Learn more by visiting https://bluegoatcyber.com.If you're interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-sessionChristian Espinosa is the CEO and Founder of Blue Goat Cyber. Trevor Slattery is the Chief Operating Officer at Blue Goat Cyber.Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber/?sub_confirmation=1