The Era of Product Security Performance: Accelerating Cyber Tech for MedTech Success
- Shannon Lantzy
- 4 hours ago
- 4 min read
I recently had the privilege of speaking at the H-ISAC Medical Device Security Council meetings for both the European and Americas chapters. The discussions were lively, touching on everything from regulatory innovation to the practical challenges of explaining cybersecurity value to a board of directors.
If you missed the sessions, the core message was urgent: We have entered a new era of medical device security. We are moving past the days of simple awareness and compliance into the era of Product Security Performance.
Here is a summary of the key takeaways, the innovation framework we discussed, and how we can bridge the gap between MedTech and the CyberTech innovators who can help us run faster.
1. The Macro View: Creative Destruction Comes for MedTech
To understand why product security must evolve, we have to look at the macroeconomic backdrop. As highlighted by the recent Nobel Prize in Economics, technology innovation is the primary driver of sustained economic growth. This brings with it "creative destruction"—the idea that the old is constantly replaced by the new.
Historically, MedTech has been insulated from this disruption by three massive "moats":
- Regulatory Moats: High barriers to entry due to strict oversight.
- Hardware Moats: Complex, proprietary physical devices.
- Clinical Evidence Moats: The high cost and time required for clinical trials.
These moats are shrinking. Regulators are exercising enforcement discretion on consumer wearables for metrics like blood pressure and glucose. Hardware barriers are lowering with open-source equipment. Clinical evidence burdens are being reduced through simulation and real-world evidence. Perhaps most critically, Big Tech is entering the space—and Big Tech ships fast.
2. The Three Eras of MedTech Security
We have evolved through three distinct phases of product security:
- The Era of Awareness (2008–2013): Characterized by researchers like Barnaby Jack and Kevin Fu demonstrating vulnerabilities on stage at conferences like DEF CON.
- The Era of Compliance (2014–2023): Driven by FDA guidance and global regulations. The primary question from executives was, "Are we going to get through the FDA?"
- The Era of Performance (2023–Present): Today, with regulations like 524B in place and threats like ransomware and Volt Typhoon well established, the executive question has shifted to "What is taking so long?" and "Can we go faster?"
In this new era, compliance is merely table stakes. The winners will be those who use product security to drive software velocity and market share.
3. A Framework for Product Security Innovation
To succeed in this performance era, we need a new language. We cannot rely solely on "cybersecurity risk" to justify budgets; we must speak the language of business value.
I proposed a four-pillar innovation framework:
- Align to Business Value: Connect security initiatives directly to CEO-level priorities like market differentiation, shipping product faster, reducing Cost of Goods Sold (COGS), or accelerating commercialization. For example, investing in Over-the-Air (OTA) update capabilities isn't just a security capability; it's a massive reduction in long-term operational costs for MedTech customers (i.e., health systems).
- Measurably Improve Performance: Move beyond risk matrices. We need metrics that demonstrate that product security performance is helping the business make money now and in the future. We need metrics that show how investment in product security capabilities gets product to market faster, better, cheaper, AND with more delight along the way.
- Participate in Regulatory Innovation: Don't just follow the regulator; lead the way. Utilizing pathways like the FDA's Medical Device Development Tools (MDDT) qualification program allows us to pre-qualify tools and reduce the burden of future reviews.
- Leverage External R&D: You cannot innovate solely with internal resources. Take advantage of federal funding (e.g., ARPA-H), engage pioneers who want a mission, and collaborate with vendors.
4. Leverage External R&D: Bridging the CyberTech-MedTech Gap
A significant portion of the discussion focused on the "gap" between MedTech manufacturers and CyberTech startups.
- MedTech Friction: Manufacturers are inundated with irrelevant pitches and often delete cold emails because cybersecurity vendors don't understand the product, clinical, or regulatory context.
- CyberTech Friction: Startups often cannot afford expensive industry memberships (like H-ISAC) and struggle to navigate the "regulatory moat."
How to Close the Gap: We discussed several practical strategies for MedTech leaders to access better innovation:
- Share Your Strategy: Publish your "jobs to be done" or strategic priorities so vendors can align their pitches to your actual needs.
- Host Demo Days: Instead of fielding random emails, invite vendors to a quarterly demo day where they have 5 minutes to pitch against specific performance metrics.
- Collaborative R&D: Be willing to pay Non-Recurring Engineering (NRE) costs to help a vendor adapt their product to your specific regulatory needs. This allows you to influence their roadmap while gaining a partner invested in your long-term success.
Conclusion
We are no longer just "protecting the device." We are enabling the business to compete in a rapidly changing world where Big Tech speed is becoming the norm. By shifting our mindset from compliance to performance, and by actively bridging the gap with external innovators, we can secure patient safety and drive market success.
~Shannon Lantzy, The Optimistic Optimizer
A huge thank you to the H-ISAC community for the robust discussion and feedback.