A conversation with Kell Webber, Information Security Manager

Date: 15/04/2026

Category: Bleepa, Insights

Posted by: Hana Stewart-Smith

We sat down with Kell Webber, Information Security Manager, to talk about his background, his approach to security in healthcare, and why audits should be seen as opportunities rather than obstacles.

“In a sector as sensitive as healthcare, regulations can feel overwhelming, and at times restrictive, but they shouldn’t be viewed that way. They’re actually blueprints for excellence. When used properly, they support a secure-by-design approach, where security is embedded into systems from the ground up rather than bolted on later.”

Kell Webber, Information Security Manager


 

Can you tell us a bit more about your background before joining Feedback Medical?

If I go right back to the beginning, I think my interest in technology started when I was a child. I grew up with my nan and granddad, and one day they brought home a computer, the kind with old CRT monitors with dust covers that go over the top. My granddad and I would tinker with it constantly: breaking things, fixing them, and learning along the way. That really ignited my passion for IT and technology.

Academically, I actually went into forensic science. That was my main area of study, and although it wasn’t IT-focused, the passion for technology was always there. In hindsight, forensic science played a big role in shaping how I work today because it instilled an evidence-based, methodical way of thinking.

After my studies, I moved into IT at a local school, starting as an IT technician and eventually becoming IT manager. From there, I joined the Multi-academy Trust, where I focused on information security and infrastructure auditing.

One thing that became very clear during that time was that information security isn’t just a technical requirement, it’s a human one. The loss of access to data or a data compromise can have a real and profound impact on people’s lives.

I’ve always wanted my career to help people in a meaningful way, and that’s what drew me to Feedback Medical. What we do here aligns closely with my personal values around making a difference.

Feedback Medical operates in a highly regulated healthcare environment. Can you explain what the auditing process involves and why it’s necessary?

For a medical device like Bleepa®, the information security auditing process is built around three core pillars: confidentiality, integrity, and availability. An audit is essentially a meticulous validation of the controls that govern how the system operates and how sensitive data is processed and protected.

The process verifies everything from our technical architecture through to our internal policies and procedures, ensuring they meet required standards. That gives us confidence in what we’re doing well and highlights where we can improve.

What’s really important is the distinction between compliance and assurance. Compliance might satisfy a regulatory checklist, but assurance is what gives clinicians and users confidence that Bleepa will work safely and securely in high-pressure environments. Assurance means the system is accessible when needed, the data is accurate, and only the right people can access it.

Audits also shouldn’t be seen as just a retrospective look at what’s been done but a proactive guarantee.

That starts at the foundational level, which could be something as simple as a computer usage policy, and scales all the way up to server infrastructure.

Risk mitigation and preparedness are key parts of your role. How do you approach evaluating and managing risk?

Risk management has to be a dynamic process. It can’t just live in a static spreadsheet. As Information Security Manager, and as an internal ISO 27001 auditor, I make sure our risk registers, asset registers, and security reviews reflect what’s actually happening right now within our medical device environment.

One thing I always emphasise is that there’s no silver bullet in information and cyber security. Total prevention is the ambition, but resilience is the requirement. That’s why incident response plans, business continuity plans, and regular exercises are so important, and why they should never be treated as ‘one-and-done’ tasks.

These plans need to be constantly updated and evolve with the organisation. I think that’s something we do particularly well at Feedback Medical: ensuring our preparedness reflects the reality of how we operate day to day.

How do healthcare tech companies balance innovation with strict regulatory requirements?

Navigating the regulatory landscape requires a dual focus. On one side, you need a focus on the global horizon — understanding emerging threats, vulnerabilities, and changes in the security landscape. On the other, you need a deep understanding of the data lifecycle.

In a sector as sensitive as healthcare, regulations like GDPR and ISO 27001 can feel overwhelming, and at times restrictive, but they shouldn’t be viewed that way. They’re actually blueprints for excellence.

When used properly, they support a secure-by-design approach, where security is embedded into systems from the ground up rather than bolted on later.

My advice is to move beyond tick-box compliance. Don’t just aim to ‘pass the audit’ and leave it there. Look beyond the obvious risks, communicate openly across the organisation, and make security requirements understandable and relatable. When people understand the why behind controls, the resistance tends to disappear.

And audits really shouldn’t be feared. They’re opportunities to confirm what you’re doing well and to identify where you can improve. Even when issues arise during an audit, that’s a chance to strengthen your foundations.

I’ll admit – I actually get excited about audits. That might sound strange, but I genuinely see them as a positive process.

My role sits across information security, cybersecurity, and auditing, and all three work together. Cybersecurity impacts information security, information security impacts auditing, and auditing feeds back into both. When they’re aligned, everything becomes much more effective.

Ultimately, security is about enabling the organisation to operate safely and confidently – not slowing it down. When the foundations are solid, innovation can happen securely.

How important is employee awareness and culture in maintaining strong cybersecurity?

Culture is our most dynamic layer of defence. I think of it as a ‘human firewall’. You can have the best technology in the world, but if people aren’t security-aware, you still have vulnerabilities.

I strongly believe in a no-blame culture. If someone sees something suspicious, whether it’s a questionable email or a process that doesn’t feel right, I want them to raise it. I’d far rather someone ask about an email that turns out to be legitimate than stay silent and risk a problem.

At Feedback Medical, people regularly reach out with questions like, “Is this okay to open?” or “Does this look right?” That openness has massively strengthened our security culture.

I also encourage people to pause before sending emails or sharing information – asking simple questions like: “Is this going to the right person?” “Is this attachment necessary?” That small moment of reflection goes a long way in reducing risk.

