This article was published by Deloitte on September 17, 2024.

While interest in medical technology (medtech) appears to be growing—among both venture capital (VC) firms and private equity (PE) companies—investment strategies seem to be evolving. VC investments in medtech reached a two-year high in the first quarter of 2024, although deal volume remains lower than in 2022, according to a report.1 Those firms typically focus on helping early-stage companies grow and build their brand. While there can be substantial risk, there is also the potential for significant returns.

PE firms, by contrast, tend to invest in more mature companies, often taking a majority stake. The risks, as well as the returns, are typically lower. A growing number of large medical device manufacturers seem to be spinning off slow-growing segments of their companies so that they can focus on high-growth areas. This restructuring trend has created an investment opportunity for some PE firms. Both PE and VC investors appear to be homing in on companies that are focused on cardiovascular disease, surgical robotics, and women’s health.2

Silicon Valley-based Triple Ring Technologies, Inc. is an investment and development company that helps innovators and entrepreneurs solve problems and launch breakthrough products. Joe Heanue, Ph.D., the company’s CEO, has helped develop a wide range of medtech devices in his career. He says Triple Ring, which he co-founded in 2005, sits at the intersection of science, technology, and business (the triple rings). I recently had an opportunity to talk with Joe about some of the investment trends he is seeing in the medtech space. Here’s an excerpt from that conversation:

Glenn: How have you seen investment strategies change over the past couple of years?

Joe: A lot of investment dollars were flowing into start-ups and venture-backed companies during the pandemic as investors and entrepreneurs jumped in to meet the COVID-19 challenges. At the same time, some government programs provided funding for diagnostics. The net effect that I saw was over-investment in the sector. Inevitably, only a few players ended up benefiting, and that cast a bit of a shadow over investments in diagnostics. I also saw a significant burst of VC funding activity in medtech as the pandemic progressed but, by early 2023, there was a contraction. Some VC investors supported existing portfolio companies at the expense of new investments. This is when I started to observe a transition of investment activity, from venture capital to corporate venture and private equity. A lot of creative things are taking place in that middle ground. For example, some organizations are executing an interesting model in which they invest in R&D alongside a commercial chassis to build out a platform. These approaches are generating buzz around oncology, cardiovascular disease, and orphan diseases. Another example is known as build to buy. These partnerships are collaborative, outcome-focused, and financially flexible to balance risk when bringing new and innovative products to market. In general, I think we’re likely to see more examples going forward of large corporates trying to fill the gap left by under-investment in medtech by traditional venture firms.

Glenn: What types of companies do you think are getting more attention from investors?

Joe: Many VC investors appear to be paying close attention to their existing portfolios. But we see PE investors working with corporate venture in interesting ways. This is a reflection of the fact that some medtech companies have grown substantially through acquisitions over the past couple of decades and are starting to carve out some of their smaller businesses. The carve-outs tend to be more nimble and better able to respond to changing markets.

Glenn: What do you think is the exit strategy for venture-backed medtech companies? 

Joe: Smaller venture-backed companies often see an exit strategy through private equity investment. Within smaller private equity-backed companies, the exit strategy is often a move toward a larger PE group; and the larger PE groups often see their exit as an acquisition by a large corporation. 

Glenn: You refer to your business model as “venture building.” What does that mean?

Joe: We do a mix of investment and development. Our model is to invest in projects we work on and work on projects that we can invest in. At the same time, we try to bring a network of third-party investors to the table. We are a hub that helps to connect investors and innovators.

Glenn: You have developed a number of medtech products in your career. What gets you excited about this space today?

Joe: Incredible advancements are being made in biology with genomics, proteomics, and multi-omics as well as with cell and gene therapies. At the same time, computing has become less expensive, more scalable, and more powerful. Companies are often able to develop and introduce sophisticated products through multidisciplinary efforts much faster and more efficiently than ever. Every year, the industry’s ability to develop effective solutions to complex clinical problems increases.

Glenn: Is there a connection between biopharma and medtech?

Joe: Absolutely. Our business is split roughly 50/50 between medtech and biotech/biopharma. The lines continue to blur. In cell therapies, for example, manufacturers manipulate patients’ cells using a mix of manual labor, complex medical devices, and automation. The next generation of cell therapies will likely be developed and administered at the patient’s bedside. Collecting a patient’s blood, sending it to a manufacturing site to be developed into a therapy, and then sending the therapeutic back to the hospital is an expensive and time-consuming process that can take weeks. The next generation of therapies will likely move everything closer to the patient.

Glenn: Is artificial intelligence [AI] being integrated into medtech devices?

Joe: Medtech investors are evolving their approach as they move from a focus on tools and hardware to a focus on apps, AI, and data. If you are launching a new product, investors are going to ask if there is an AI component. Investors will also want to know about the data being generated and how it is being used. When we talk to people about the future of surgery, they are increasingly talking about digital surgery. They want to know how data can make the surgical process more effective. For example, prior to recommending a certain surgical procedure, AI could be used to evaluate a patient’s health data and demographics to predict the likely outcomes and identify possible complications or adverse events. AI, combined with data, is already impacting how some clinical procedures are performed. A new generation of clinicians that has grown up with technology is helping to drive this trend. They expect to have access to sophisticated tools, data, and connectivity. 

Glenn: Sophisticated medical devices sometimes can only be used by highly trained clinicians. It seems there is a trend toward democratization in health care and a focus on the simplification of care. What are you seeing?

Joe: The democratization of health care can help move care from the hospital to ambulatory surgery centers, out of surgery centers to a physician’s office, and out of the physician’s office into the patient’s home. There is a lot of interest in devices that can help move care delivery closer to the patient and improve convenience and reduce costs. Technology is making a variety of procedures, particularly surgical and interventional, more accessible. Democratization also is being accelerated by compressing the time needed to master a given procedure—skills that once took years to acquire now can be learned in a few months. 

Glenn: What about GLP-1 drugs? How do you see this impacting investments?  

Joe: We are starting to see interest move from the pharmaceutical sector into the medtech space. Investors are interested in delivery devices, wearables, compliance technology, tracking tools, and AI tools that can help match patients to the most effective drugs administered optimally.

Conclusion

Stepping back, it’s interesting to reflect on the dynamic nature of medtech innovation and the evolution of health care markets. As challenges arise in one portion of the innovation cycle, they are often offset by advancements in another. For example, as value-based models put pressure on hardware and equipment costs, AI shows potential for improving system performance and cost efficiency. This dynamic is also true of the funding environment—as some VC investors try to support new products and companies, some PE firms have helped fill gaps by taking riskier positions that were once solely the domain of VCs. Finally, governments can play a role in keeping the wheels of health care innovation churning. These trends appear to reflect a broader shift toward more collaborative, outcome-focused, and financially flexible approaches in medical device development, aiming to balance innovation with risk management.

By Glenn Snyder, principal, Deloitte Consulting LLP

FAQs

What is Corporate Venture Building?

Corporate Venture Building is the practice of building a separate venture from scratch: a new brand, team, program, revenue stream, or P&L is created to target untapped opportunity spaces (new customer segments, technologies, or capabilities) outside of a core existing business. This effort can be a fully internal, adjacent, fully external, or hybrid program.

Do Private Equity firms invest in startups?

Private Equity (PE) firms are increasingly investing in startups, though selectively. PE firms traditionally invest later in a company’s lifecycle, around the time that companies begin to generate revenue from their products or services. Key value propositions that PE firms bring to portfolio companies include growth capital, operational efficiency, and a tight focus on profitability. Most pre-revenue startups are not a fit for PE; however, we are seeing PE firms investing earlier, especially in companies with high growth potential that are a short time away from revenue generation.

Is Triple Ring a CDMO?

In the MedTech industry, a CDMO, or Contract Development and Manufacturing Organization, is an external partner for the design, development, and manufacture of medical devices and diagnostic platforms. Triple Ring does perform the function of a CDMO, and quite a lot more. Beyond our Product and Technology Development (CDMO) business we are also a Corporate Venture Builder and Translator of technology from early R&D into products. The Translation work is performed primarily through contracts with the US Government.

In September 2023 the US Food and Drug Administration (FDA) issued industry guidance on cybersecurity for medical devices to better protect patients, hospitals, and the broader healthcare system from cyber-attacks. Medical device and in vitro diagnostic (IVD) manufacturers will be required to implement significant changes to Design Control and Quality Management practices and procedures to comply with the new regulations. The FDA guidance is a result of years of study and a well-documented increase in malicious attacks on hospitals and other healthcare distribution centers. Indeed, ransomware attacks are now commonplace among hospital systems (large and small) with heavy financial and even patient care consequences. Healthcare distribution systems are unique in their vulnerability to cyber-attacks due to a history of prioritizing patient care and patient outcomes over cybersecurity threats and a reliance on a vast array of tools and devices to manage care. 

The Intersection of Cybersecurity and Medical Devices

The past fifteen years have seen remarkable increases in software-enabled smart medical devices and a shift towards an Internet of Things (IoT) healthcare distribution architecture. These trends are responses to strong market demand for smart devices’ benefits, including wider patient access, more effective use of data, better patient experiences, and better patient outcomes. However, these benefits carry increased risks of malicious attacks on healthcare organizations by criminals who exploit vulnerable devices to target individual patient medical records, disrupt operations, ransom data, or enter networks through backdoors to move freely throughout an enterprise. Manufacturers of medical devices must do their part to remedy a situation that is increasing in frequency and severity by improving the quality of their products. 

FDA’s Cybersecurity Guidance for Medical Device Manufacturers

The impacts of the FDA’s cybersecurity guidance are only now being appreciated. The scope of the regulations is broad and includes all device software that stores, transfers, or analyzes data. Therefore, any medical or diagnostic device with upgradeable software, a USB port, or even compact disc technology is now considered a connected device and is subject to updated regulations. It is important to understand that as of September 2023 any company, whether a startup or a Fortune 500 medical device or IVD manufacturer, developing devices and technology for FDA-regulated markets must update its product development procedures to address the new standards. This means medical device and IVD developers must now add resources and effort to quality management and design controls. It is also significant that the new guidance encompasses not only modern wirelessly connected and IoT technology but also the huge toolbox of existing products already in hospitals. The impacts of this reality could be even more substantial. They will play out as the industry balances the security risks of legacy technology against the costs of upgrading systems.

The Guidance reflects FDA’s recommendations for information to be included in premarket submissions for Basic and Enhanced Documentation Levels. This recommended information should demonstrate that planning, requirements, risk assessment, design reviews, traceability, change management, testing plans and results, and other aspects of good software engineering for device software functions were employed, to support a conclusion that the device software function was appropriately designed, verified, and validated.

FDA, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

What Changed at Triple Ring?

In preparation for meeting the design requirements implied by the new medical device cybersecurity rules, Triple Ring’s Quality, Systems Engineering, and Software Engineering teams have completed training on the guidance, have updated quality management processes, and have begun implementing device designs and documentation that will support successful FDA submissions for our clients. The new practices augment a robust and comprehensive quality management system by adding a threat modeling methodology called STRIDE. We have implemented the STRIDE methodology to systematically assess vulnerabilities and mitigate threats throughout the device design lifecycle. We follow a structured process, outlined below, for all our client projects requiring FDA submissions.

Figure: STRIDE framework for assessing, mitigating, and designing devices resistant to cybersecurity attacks. The diagram highlights six types of threats: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

STRIDE Process

The Future of Medical Devices and Diagnostics 

The future of the medical device and diagnostics industries is tied to smarter and more connected products. To date, these products have demonstrated clear benefits to patients, hospitals, and manufacturers and will continue to improve healthcare distribution and access. Cybersecurity threats posed by medical devices are well documented and will worsen without modernizing device design and quality management processes. As a result, device manufacturers will increasingly be required to mitigate these risks in the products they sell. 

To learn more about FDA’s medical device cybersecurity guidance and its impact on your product development plans, please connect with us to start a conversation. Triple Ring has 20 years of experience designing and developing cutting-edge medical technology and a long track record of supporting successful 510(k) clearances and premarket approvals (PMA). We are eager to help you navigate the changes resulting from this FDA guidance.

FAQs

What are the new FDA guidelines for medical device cybersecurity?

FDA’s guidance on Cybersecurity in Medical Devices adds Secure Product Development Frameworks (SPDF) to the risk management processes required of device manufacturers. Risk management is the essential systematic practice of identifying, analyzing, evaluating, controlling, and monitoring risk (now including cybersecurity risk) throughout the product lifecycle. The guidance also describes recommendations regarding the cybersecurity information to be submitted for devices under 510(k), PMA, and other submissions.

What does the new FDA guidance on medical device cybersecurity mean for me?

All software-enabled medical devices or in vitro diagnostics featuring connectivity (wireless, local area network, Internet), or portable media (USB or CD) are subject to additional regulatory standards and design controls. If your medical device product fits the above description, you will face additional development effort and development costs to meet the new cybersecurity standards. 

How do I design medical devices and IVDs for the new FDA guidance on medical device cybersecurity?

To meet FDA Cybersecurity in Medical Devices guidelines you will need to add Secure Product Development Frameworks (SPDF) like STRIDE to your risk management process. In all of your regulatory submissions, you will also need to address specific elements described in the FDA’s guidance document. Medical Device Engineering consultancies, like Triple Ring Technologies, can help you with these processes.

How does the FDA define connected medical devices?

FDA’s guidance can be interpreted as covering any device with cybersecurity considerations, including but not limited to devices that have a device software function or that contain software (including firmware) or programmable logic. The guidance also includes devices that are network-enabled or contain other connected capabilities.

Is my medical device product a connected device as defined by the FDA?

The answer is yes if your device contains software, firmware, or programmable logic. Also included are devices that are network-enabled or contain other connected capabilities. Examples of connected devices are MRI systems connected to an internal hospital network, in vitro diagnostics with wireless communications, or implantable devices that can be programmed remotely. Examples of devices that are not connected include orthopedic screws, tongue depressors, and bedpans.