    Episode 25 · June 17, 2025 · 38m listen · 7,358 words · ~37 min read

    From Concept to Compliance: A Guide to Med Device Approval | Ep. 24 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 25 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

    Episode summary

    In this episode of The Med Device Cyber Podcast, Mark Swanson and Steve Gumpertz from QRX Partners guide listeners through the complex world of medical device regulatory approval, emphasizing the critical role of robust quality systems and early expert engagement. They offer invaluable insights for product security teams, regulatory leads, and engineers, particularly those in early-stage MedTech startups. The discussion highlights common pitfalls, such as misinterpreting FDA guidance and underestimating the time and financial investment required for compliance. Swanson and Gumpertz delve into the nuances of device classification, the intricacies of 510(k) and De Novo pathways, and the challenges of defining “cyber device” in the context of evolving software and connectivity standards. The conversation also explores the rapidly changing landscape of AI and machine learning in medical devices, contrasting the regulatory approaches of the US and Europe and underscoring the importance of understanding standards like ISO 13485 and IEC 62304. Listeners will learn why proactive regulatory strategy and expert consultation are essential to navigate the intricate journey from concept to market.

    Key takeaways from this episode

    • Early engagement with regulatory experts is crucial for medical device startups to navigate complex pathways and avoid costly delays.
    • Misinterpreting FDA guidance, particularly regarding device classification and the definition of a “cyber device,” is a common pitfall that can lead to significant setbacks.
    • Even devices with inaccessible firmware or basic display screens are often considered “cyber devices” by the FDA, necessitating comprehensive software and cybersecurity documentation and testing.
    • The rapidly evolving nature of AI and machine learning in medical devices presents unique regulatory challenges, with a key distinction made between AI as a development tool and AI implemented within a device that learns in the field.
    • Proactive quality system development and adherence to applicable standards such as ISO 13485 and the latest amendments to IEC 62304 are fundamental for successful regulatory submission.
    • Preventive action and early consultation are far more cost-effective than corrective action and arguing with regulatory bodies like the FDA.

    Full episode transcript

    Hello and welcome back to the Med Device Cyber podcast. Today we're going to be talking about some of the key regulations that are applicable to medical device cybersecurity, and some conversation about quality systems and making sure that you have a secure quality system, something that is well-designed so that you're compliant through any regulatory approval processes that you need. We're joined here today by Mark Swanson and Steve Gumpertz from QRX Partners. How are you guys doing today? We're good, doing well. Awesome. You guys are up in Denver, right? With a little bit of rain, a little bit of fog. Yeah, we're at the ASQ WCCQI conference, the ASQ World Conference on Quality and Improvement. So, that's where we're at. Very nice. Yeah, we haven't been to that one. I know we went to RAPS in Long Beach last year, that was a pretty good event. But yeah, typically we're at the LSI device talks events like that. But we just got off of a stint. I think we were at three conventions at once, and so everyone was flying all over the place and nobody was really sure where anyone was. But I think I'm in my fourth in four weeks. Oh wow. It's good that I even could figure out what city I'm in. I know. Yeah. Sometimes I wake up and I'm just like, where am I? I'm in a hotel somewhere, that's as far as I know. Yeah, I'm talking at all these conferences and it's just funny, people come up and go, 'Oh, I just saw your talk,' and I have to go, 'Which one?' Yep, exactly. That was my March, too. I was at a couple different ISO meetings with TC210 in Japan, and then over to Paris for TC 176 on 9001. So, very nice. Well, I'd love to hear a little bit about what you guys do at QRX Partners and then some background on yourselves as well. Sure. So, QRX, it focuses obviously, as the letters would imply, on quality and regulatory. 
Although it typically goes in the other order, where we work on regulatory first and then figure out the quality constraints or requirements according to the regulatory plan. We've been in business for five years, based in the Twin Cities in Minnesota, but we have a global presence. Our primary focus is on smaller companies, particularly early stage. We find that those companies are often underserved in getting the guidance they need. You know, it's usually a couple of really smart engineers or doctors and they have a great idea for a new device, and they have zero understanding of the regulatory pathway ahead of them. They're in this mode of, they know they need money, but they don't even know how much to ask for and how it's going to be staggered. And that's where we help them figure out, look, we understand. You know, sometimes in their exuberance, they're like, 'Yeah, we got like two credit cards between us, we're going to max them out.' And you know, 'What, six months and we'll be on the market, right?' And then we come in and say, 'No, you're really looking at, you're going to need like three, four million dollars and this is going to take you two to three years.' But we'll help you understand that pathway, where the pauses might be, when you'll have to go out and get more funding, and then how do we find you the best pathway through the regulatory bodies and then get them set up with a quality management system. Because Steve and I have both been at the large companies and so we understand all of these different pieces and bringing that knowledge to the smaller companies. I mean, there's nothing worse than, you know, because it takes longer time, you run out of money and you can't bring your product to market. And so, we want to avoid that for those small companies, help them get there quickly, using our expertise. A really interesting statistic that I heard, and this was just from one investor, but we were talking with him about his portfolio. 
He's focused on MedTech startups and mostly in that early stage, seed round, Series A. And he was saying that 93% of his portfolio fails. Not surprised by that. Yeah, I know. And it seems crazy to think of, but I guess that 7% is successful enough to offset those 93%. Some of that is going to be it just doesn't pan out, right? The technologies or the benefits don't pan out relative to what's on the market today, what we call the generally recognized standard. Just my humble opinion. But it's those companies that can't get there fast enough, right? So they're working on something but somebody else is working on it too, and that other company gets more funding or whatever. You know, that type of thing happens, they don't have the right expertise, all those types of things.