Be ready for the IT and security review before your hospital buyer asks.

Silicon Valley fractional CIO and CISO for medical device, SaMD, IVD, and life science startups, 1 to 100 employees. Remote service nationwide.

By scheduling a call, you agree that the information you submit will be used by Inoculis to manage your inquiry, schedule the meeting, and communicate with you about our services. Scheduling is provided through Cal.com, which may process your booking information under its own privacy practices.

Free. No commitment. We identify the highest-risk decisions visible in your current stack.

Frameworks: SOC 2, HITRUST, HIPAA, NIST 800-53, ISO 27001. Review-ready IT stack.

  • Investors: Diligence-ready posture for the next funding round.
  • Auditors: Evidence already filed before the audit begins.
  • Insurers: Better prepared for cyber-insurance underwriting.
  • Hospitals: Hospital review evidence prepared before submission.

Who it is for

  • Post-seed startups

    Define a company-side tech stack built to scale, from day one, before the first decision that costs six figures to undo.

  • Mature B2B medtech

    Audit and optimize the existing stack so the company is ready for hospital, lab, and CISO buying-center review.

The QMS we picked in year one to save money cost $200,000 and 12 months of GTM delay during FDA submission. I wish we’d had this conversation on day one.
— Founder, Silicon Valley medical device company

  • HITRUST
  • HIPAA
  • ISO 27001
  • SOC 2
  • NIST 800-53
  • QMSR / ISO 13485
  • 21 CFR Part 11
  • FDA Section 524B
  • MDS2
  • SBOM
  • IEC 62304

The Problem

Three decisions that show up as expensive surprises.

Story 01

The QMS chosen to save money

It works at year one. By year ten, when the company is preparing its FDA submission, the QMS cannot produce the audit trail Quality and Regulatory need. The fix is a mid-submission migration to a validated platform: a six-figure cost, a year of work, and a go-to-market delay on top.

Story 02

The CRM bought as an inventory system

Someone said "Salesforce is just a database, we can configure inventory on top." For a medical device company shipping physical product, inventory and traceability are the foundational systems. Salesforce is a CRM. The company signed a multi-year contract for the wrong primary tool.

Story 03

The hospital vendor security review the company did not plan for

The device clears regulatory review. The team plans deployment. Then the hospital CISO buying center asks for a full package of company-side security evidence: framework readiness, an MDS2 response, an SBOM, a breach response plan, BAAs. None of it was prepared. The deal slips by months.

The Solution

The Inoculis Method: Strategy, Selection, Stewardship.

01

Strategy

A senior advisor maps your company-side IT, security, and compliance roadmap against hospital, lab, payor, and provider customer requirements. Two-year horizon, one-page output. Your "do not buy" list comes out of this session.

02

Selection

We select the company stack: identity, SaaS, network, QMS, inventory, file storage. One identity surface. One QMS. One audit trail. We coordinate with R&D and Quality on the device-specific artifacts (MDS2, SBOM, IEC 62304) but ownership of device-side answers stays with engineering.

03

Stewardship

A fractional CIO and CISO seat in your weekly leadership cadence. We oversee the MSP. We sit on your side of the table when vendors pitch. We help you spend on what is needed at your stage, not what the vendor’s quota requires.

What we do, and what we do not do

The boundary, in plain language.

What we do

  • Choose and operate the company’s IT, identity, network, and SaaS stack
  • Help select the QMS, inventory, and document management systems
  • Build the company-side evidence library for hospital and lab vendor security reviews
  • Coordinate with R&D on MDS2 (we prepare company-side answers; R&D prepares device-firmware answers)
  • Oversee MSPs and cybersecurity vendors so the budget stays honest
  • Provide senior fractional CIO and CISO leadership
  • Coordinate compliance readiness for HITRUST, HIPAA, ISO 27001, SOC 2, NIST 800-53

What stays with R&D, Quality, or Regulatory

  • Device firmware and embedded software security
  • DHF, DMR, RMF authorship and version control
  • FDA premarket cybersecurity submissions and Section 524B authorship
  • SBOM generation for device software
  • IEC 62304 software lifecycle execution
  • Clinical study operations, regulatory submission strategy, FDA negotiation
  • Audit certification (auditors certify, we prepare)

Five ways to work with us

Pricing without the sales call. The first tier is free.

Tier 0

Readiness Call

Free

Duration: 30 min
You walk away with: Three risks named in your stack
Risk mitigator: Zero commitment

Tier 1

Day-Zero Diagnostic

from $1,500

Duration: 1 week
You walk away with: Stack recommendation, 12-month roadmap, and "do not buy" list
Risk mitigator: Fixed scope and price

Tier 2

Compliance Framework Roadmap

from $7,500

Duration: 2 to 3 weeks
You walk away with: Single-framework gap analysis, controls inventory, and 12- to 24-month remediation plan
Risk mitigator: Fixed scope and price

Tier 3

Stack Setup Sprint

from $12,000

Duration: 1 to 3 weeks
You walk away with: Baseline company-side stack configured for agreed systems, with handoff documentation
Risk mitigator: Fixed scope and price

Tier 4

Fractional CIO/CISO Retainer

from $8,000/mo

Duration: Month-to-month
You walk away with: Monthly fractional CIO/CISO support for agreed priorities, including executive advisory, vendor and security review support, policy work, roadmap execution, and an IT and security operating cadence
Risk mitigator: Scope and cadence defined before kickoff

Start with the level of help you need now. Move from readiness call to diagnostic, roadmap, implementation sprint, or ongoing fractional CIO/CISO support as your company grows.

The Compliance Framework Roadmap covers a single framework; multi-framework engagements happen inside the Fractional CIO/CISO Retainer. Implementation execution is in the retainer, not the Roadmap.

Founder

Chris Busch, Founder, Inoculis

Inoculis is led by Chris Busch.

Twenty-five years of enterprise SaaS. Built an AI/ML platform on patient data at Elevance Health. Launched an IoT platform at SAP. Ran a digital product practice at Cognizant. Mentor at Stanford GSB and three Silicon Valley accelerators.

Backed by a vetted SME network of former Google, Meta, Amazon, and Cisco engineers, brought in for firewall, network, and specialty depth.

The reason Inoculis exists: I was inside a medical device company’s stack migration that should never have been needed. I do not want the next founder to live it. The full story is on the About page.

FAQ

Questions founders ask in the first call.

  • How does this compare to hiring a full-time CIO or CISO?

    A full-time CIO or CISO runs $250,000 to $400,000 loaded, which most early-stage medical device companies cannot defend on the cap table. The Fractional CIO/CISO Retainer starts at $8,000 per month, scoped to what your company needs, with no equity, recruiter fee, or hiring cycle. The full side-by-side comparison is on the For CFOs page.

  • What is your boundary with our R&D team?

    We work on the company-side IT, identity, security, and compliance-readiness foundation. Device firmware, embedded software, MDS2 device-side answers, SBOM generation for device software, IEC 62304 software lifecycle, and FDA premarket submissions stay with R&D, Quality, and Regulatory. We coordinate with those teams; we do not own their work.

  • Do you guarantee certification or audit outcomes?

    No. Auditors certify and audit. We prepare. Any consultant who guarantees a certification is selling something we are not.

  • What if you are not the right fit?

    The retainer is month-to-month. Your first month is half fee. If we are not the right fit, you can end the engagement.

  • Are you local?

    Silicon Valley primary. We work with Peninsula founders in person and life science companies across the US remotely.

  • Can you set up our IT, or only advise on it?

    Both. Inoculis can stand up your environment directly through the Stack Setup Sprint engagement (Microsoft 365, identity, the core SaaS stack, and endpoints) and also provide the senior leadership that keeps it sound as the company grows. Where you want an ongoing help desk, we can run it or bring in an MSP we oversee on your behalf. Our incentive stays the same: keep your tool spend honest.

Final CTA

Thirty minutes. Three risks named. No commitment.

By scheduling a call, you agree that the information you submit will be used by Inoculis to manage your inquiry, schedule the meeting, and communicate with you about our services. Scheduling is provided through Cal.com, which may process your booking information under its own privacy practices.