In this episode of The Med Device Cyber Podcast, hosts Trevor Slatterie and Christian Espinosa, joined by special guest William Jin, delve into the often-overlooked cybersecurity challenges that lead to medical device recalls and hinder market expansion. William Jin, with over 30 years in the medtech industry and experience at companies like Medtronic and Stryker, offers a unique perspective on navigating both the Chinese and US/European markets. The discussion highlights crucial differences in cybersecurity regulations between the NMPA (China) and the FDA (US), emphasizing that NMPA requirements are not just stringent but uniquely divergent, often necessitating two separate product builds for compliance. A significant focus is placed on the impact of early design decisions, such as cloud platform selection (e.g., Google Cloud versus Amazon China), on market viability and the costly ramifications of not considering target markets from the outset. The episode underscores the increasing frequency of cybersecurity-related recalls, exemplified by the Baxter Life 2000 ventilation system, and stresses the critical importance of integrating cybersecurity throughout the entire product lifecycle, from design to disposal, to prevent costly setbacks and ensure product success in a globalized medtech landscape.
Key Takeaways
1. Medical device companies must consider target markets like China, the US, and Europe from the initial design phase to avoid costly redesigns and ensure market viability.
2. The NMPA in China has unique and stringent cybersecurity requirements, often necessitating a completely separate product build and regulatory filing compared to FDA requirements.
3. Choosing a cloud platform, such as Google Cloud, without considering its compatibility with specific markets like China, can lead to significant barriers to market entry.
4. Cybersecurity-related medical device recalls are increasing, as evidenced by the Baxter Life 2000 ventilation system recall, highlighting the critical need for proactive cybersecurity measures.
5. Integrating cybersecurity through the entire product lifecycle, from design to disposal, is essential to prevent recalls, ensure regulatory compliance, and safeguard financial resources.
6. Staying informed about evolving cybersecurity regulations and market-specific requirements is crucial for success in the rapidly changing global medtech industry.
7. Chinese medical device companies face challenges in entering US/European markets due to a lack of cybersecurity awareness and commercial knowledge, in addition to IP concerns.
8. US and European companies face challenges entering the Chinese market due to longer registration times, data exchange restrictions, and the incompatibility of certain platforms like Google Cloud with Chinese regulations.
This episode covers FDA Premarket Cybersecurity. It's part of The Med Device Cyber Podcast, hosted by Blue Goat Cyber, focused on practical medical device cybersecurity guidance for MedTech teams.
You don't want to spend all of this time, spend all of this money creating a product that you're not actually going to be able to sell in really valuable markets for you. There are 1.5 million companies in China in the medtech space. The Chinese market very quickly moved its way up to the second largest medical market in the world, and it is showing no signs of slowing down. When I'm talking to a lot of Chinese companies in med areas, I get the feeling that a lot of companies are not ready to get to a US market or European market. We always say cybersecurity should be considered from design to disposal of the product, the entire lifecycle.
Hello and welcome back to The Med Device Cyber Podcast. I'm your co-host Trevor Slatterie, joined with our other co-host Christian Espinosa. And today we have a very special guest: William Jin. We're going to dive into talking about some of our typical North Star with cybersecurity and then looking a little bit into some of these differences that we see between the US market as well as the Chinese market.
Now, before we dive in too far, I'll turn it over to you, William, to give a little bit of an introduction of yourself, a bit of background, and then we can jump right in. Yeah, I was educated as a medical doctor in Shanghai, China, and then I moved into the industry for more than 30 years, working for companies like Medtronic and Stryker. So, right now, I'm pretty much focused on helping overseas medtech companies outside of China, especially with innovative products, enter the China market, as well as supporting Chinese medtech companies if they are willing to go abroad.
Awesome. So you're helping kind of both directions: Chinese companies try to get to the United States as an example, and US companies trying to get into the Chinese market. Is that correct? Yes, yes. I started with helping the overseas get into the China market. But now there are more and more Chinese companies finding their way to go to the US and Europe market.
But I found the latest data from the China statistic data that Chinese export to Europe and the US, the data actually to North America, decreased in 2025 versus 2024 by about 5%, but to Europe, it increased by about 11%. So, it seems although overall Chinese medtech companies want to go abroad, it's not reflected in the numbers for North America. That lines up with the new tariffs coming in on just about everything imported to the US. So I can't say I'm surprised to hear that.
Yeah, I think this is one of the reasons, the tariffs. But I still, when I'm talking to a lot of Chinese companies in med areas, I get the feeling that a lot of companies are not ready to get to a US market or European market. I think not only from an IP perspective—I think that's always the issue about IPs—and also coupled with the commercial knowledge: how to launch your product into another market, especially in a more mature market, and do you have the talent, do you have the knowledge?
But right now, like our discussion, I think a lot of medtech products are getting into wireless, getting into iCloud, getting into data, you know, algorithms. Most of them are not ready or fully aware about the cybersecurity and what kind of requirements are outside of China. So, I think all these are the barriers or the challenges for a Chinese medtech company if they are planning to go to the US or Europe.
And what are some of the challenges with, let's say, a United States-based company going into China? What are some of the main challenges you see from that angle? From the US to China, right? Mhm. On the market factors, it will be like you understand the local market, you have a local talent. And also the registration time is much longer than in the US and Europe. It takes like 3 to 5 years based on your category: class two or three.
Most recently, I feel I have two cases about the data because, for example, you know, some of medtech products are developed under the Google platform. Mhm. So all the associated products are built up on the Google platform, but the Google platform is not allowed in the China market. It's not allowed by the Chinese government. So this product cannot sell the similar exactly the same product in the China market because Google is actually not allowed.
And then you need to develop everything from scratch only from some local platforms like Alibaba or maybe Amazon, if available. So you need to do everything from scratch. So this is the biggest challenge for that particular company because they are using algorithms to collect the data. And from this perspective, I think the other challenge is that the Chinese government has very strict rules regarding the exchange of data, patient information, and some other data: how you can transfer it abroad. So some algorithms will not work outside of China.
So that's another challenge on the software or cybersecurity side, in addition to the normal ones. The normal is like understanding the local market, registrations, local talent. But this is a new trend; it's a new challenge. Yeah, we always when we're talking to prospects or even clients, we try to get them to reverse engineer the markets they want to go into, because a design decision, like you mentioned, William, to use Google as your cloud platform means that you're going to have to redesign it later if you want to enter the Chinese market.
So there's a lot of, you know, you have to look forward and then work backwards, basically, to make sure you're making the right design decisions early on. Otherwise, the ramifications are pretty costly. Yeah, exactly. The question I always ask some medtech startup companies is, although you are small, you just started, but you need to have a mindset what you want to achieve.
You need to have a plan, you know. It's similar for a Chinese company wanting to go abroad, go to the US. If you design your product and you never want to go to the US, you only want to sell in China, that's fine, then you follow the local rules. But if at some point or stage you do want to expand your product, your market, into the US or Europe, then you need to plan to start with, especially for those products using data, using iCloud, using algorithms.
It's exactly the same thing for a US company or a European medtech company if they want to expand into the China market. Then they need to be thinking about this in their initial design. Otherwise, it will be too late at the latest stage; it's very costly. Do you typically see that startups and companies building a product that they want to have across all these markets struggle more to go from outside of China into China, or the other way, going from China to other markets such as the US or Europe?
Yeah, I think it depends on the product. If the product is more, how do I say, lower tech, more consumables, I think China has a lot of advantages. So you see my, you see other Chinese products selling in the US or Europe, and although some of our products may not be using a Chinese brand name, they are actually manufactured in China.
If it's a high-tech product, more using algorithms, using data collection, using some more advanced technology, then for Chinese companies, it's pretty difficult to get in. But for US or Europe companies getting into the China market, it's the other way around. If they have a very innovative high-tech product which are very unique, not available in China, or Chinese companies do not have the capability to manufacture it, then they probably have a much easier time than other players to get into the China market, to get registered, get fast-track registrations, get into the China market.
But if their product is more like more generic stuff and there's no unique perspective or technology for their product, then it will be pretty difficult to get into the China market, and there are a lot of local competitors waiting for them, and then they may not be able to do well in China. Isn't it also true that with the NMPA, they have, I mean, understandably, some favoritism towards Chinese companies? So, say American and Chinese companies are creating a similar product for regulatory approvals process timelines. Aren't they generally going to fast-track the Chinese companies a bit more?
It's more based on the technology they provide for the fast track. But for the Chinese company and outside of China's company, the path is different because one is local manufacturing. They need to see your local manufacturing site. Make sure you know everything, you follow the rules, procedures. That's the so-called local manufacturing license.
But for the US and Europe company, if they want to get into the China market, they use a so-called import license. So they follow the rule that they are using the data, some of the clinical data you have already done in Europe and the US, maybe that can refer to China. If not, they may ask you to do some additional test clinical trials for Class 3 product.
So what you mean, I think some of the different treatments for the local manufacturers and importers' products are more during the commercial stage, like government tendering. When you go to the VBP, then there's a difference. And Trevor, you often say that China and the NMPA has more stringent cybersecurity requirements than the FDA. Do you mind elaborating on that, and maybe we can get William's perspective on that also?
I think that the cybersecurity requirements are very unique compared to other regulators. A lot of not necessarily more stringent, but more unique. Is that what you're saying? They're definitely very strict. I think in general, the FDA seems to be the most strict about how they want things done. There's not really any room for creative freedom with the way that information is structured.
It has to be how they want it, where they want it, when they want it. I think what is really distinct with the NMPA is that it is such a divergence from the general standardized cybersecurity regulatory frameworks. And part of that is compliance with Chinese cyber law. There are a lot of, you know, physical requirements like William was mentioning.
You can't use Google Cloud, for example. You might have to look for an alternative solution. Certain types of encryption that you have to use in China are disallowed in the US and vice versa. So it is a very different process that you have to follow. That's why we typically say, you know, you're generally going to be building two products and preparing two regulatory filings if you're going to China.
Yeah, exactly. I think for cybersecurity or the data perspective, the Chinese government has a lot of rules that are different from Europe or the US. I believe they have other concerns; they have very strict rules, even for data transactions outside of China. So I know a few companies, especially on the pharma side, because they actually share some of the clinical data, patient information, across the board, they have been fined many times.
Many companies have been fined for not following the regulations. So the government is very strict on this. So when I see this, if a company wants to sell in China, if you want to follow the Chinese cybersecurity rules, then it's really, basically, you need to build up some other environment because the data you cannot share with others, and then you need to follow a lot of rules which are only regulations in China.
So what about the strategy I hear people using where they will get their product that's FDA cleared into the Hong Kong market, which is a special administrative region of China? Because my understanding is Hong Kong will accept an FDA-cleared device, and then after maybe a year, the NMPA will accept the device from Hong Kong. For Hong Kong, yes, Hong Kong can accept. If you have two advanced markets being approved, then they normally accept. They follow those rules.
But for mainland China, you need to have other registrations in China for imported products. So it's not like saying you use it in Hong Kong for one year or two years, you can get into mainland China market. No, you still need to, from the beginning, apply for the import license. And I know some companies, for example, continuous glucose monitoring, they use data to transmit into iCloud. So they can use the algorithm on the iCloud and give you some analytical reports and all this.
But because in China, because you know, it's not allowed, because once it goes to iCloud, then the data actually goes outside of China, right? You can read it, then it's not allowed. So some companies, I know what they did, is to get the product registered not for the data, not sending it to the iCloud, only sending to your own device. Then you meet the requirements, but you cannot do the mass analysis using the algorithm to analyze the data.
What if I were using an Amazon server that is based in China? Would I be able to send the data to that and then do the analysis of the aggregate data? Yeah, that can be done. Okay, that can be done. Yeah, with some other rules, yes, yes. But the case I mentioned is they use Google. So nothing we can do unless you build up another algorithm under Amazon.
I think that's part of these really early considerations. That's so important. I know earlier Christian, you mentioned start with your markets in mind, and kind of reverse engineer backwards from there. And I think it's such an important way to go about this. I can think of quite a few calls we've had with clients or prospects where we start diving into the process and we say, "Well, what markets are you looking for?
Are you looking just to submit to the US? Are you looking to submit to, you know, the US and Europe? Maybe adding South Korea? What about China?" And I think a lot of manufacturers will give us a response, "Oh, well, we wanted to start with the US, but we really haven't thought about, you know, if we want to go to China, if we want to do any of these other markets."
And I always have to tell them, "Now is the time to think about that. You don't want to spend all of this time, spend all of this money burning your runway, creating a product that you realize you're not actually going to be able to sell to in really valuable markets for you." And China being the second largest medical market in the world, it's something that a lot of manufacturers just can't afford to ignore.
Yeah, um, it's true. It's true. But one of the things is what I'm seeing in my entire career is, you know, the rules are changing. I think maybe in China, the rules change more frequently than in the US, but sometimes the US changes more frequently than China. But in our medical areas, I can see it changing, changing rules pretty frequently, or you can see it's evolving.
I don't know, maybe now Amazon is available in China. Who knows? Maybe sometimes they say, "No, you cannot be," because Google, I remember like 20 years ago or 15 or 20 years ago, Google was still available in China. There were offices here in Beijing and so on and so forth. But later on, Google was banned in China. So they banned everything.
I don't know the reasons behind it. But the rules are changing. And also like patient data, the data across the board. So like 15, 20 years ago, no one really cared about this. And then later on, they started to pay attention to data security, patient privacy. Then they started to ask to put some requests behind it. But now the hurdle is increased. So I think it's also changing. It works right now; maybe later it will not work. Who knows?
Yeah, I like that idea around how everything is changing. I think that even in the past couple of years has been a really good time for a lot of regulators to start getting caught up to speed with some of the problems that medical devices are facing. Um, they're trying to clamp down on, you know, very big economic pushes.
We see Project 2030 in Saudi Arabia, and even there's, I believe, there's a similar project in China more focused around healthcare, which is kind of driving a lot of that growth in the Chinese healthcare market. But I think it's a good thing that they're trying to stay on top of these regulations, making sure that products are safely and securely and, you know, reasonably ethically imported into the country.
Everything is following a standard procedure and practice there. Um, but I would also be curious to hear your thoughts on that market growth since I know that the Chinese market very quickly moved its way up to the second largest medical market in the world, and it is showing no signs of slowing down and it's growing much faster than even the US market. So I'd be interested to hear what do you think is driving some of that push and where do you see that going?
Yeah, I think China, the overall market, is growing. That's no doubt because of the population. Although the overall population versus the previous decades may be decreasing, it's overall still increasing. The number of senior people is more and more. I think that's no doubt. But the trend right now, what I see, is there are more and more local companies, medtech startups, innovating companies.
I got the latest data by the end of last year: for Class 2 and Class 3, they claim if a company claims they are manufacturing or they get approved to manufacture Class 2 or Class 3 medtech product, there are 1.5 million companies in China. Wow, 1.5 million companies in the medtech area. So I see the overall market, the surgery cases or the volume-wise, is increasing; the patients are increasing, that's for sure.
But on the other hand, you can also see the government trying to cut down the cost. They're using DRG, DRP, and VBP, whatever they're using different schemes to try to reduce the overall cost. So, value-wise, it's growing, but not at the same level as like volume or patients. And also, in recent years, we see multinationals, after many decades of high growth, right now their growth is starting to slow, even getting to decrease.
And they are also looking for some other local innovative products. They may be using these local innovative products manufactured in China, sold in China. So that's the so-called US-China delink, one of the trends. But I do feel, you know, on the cybersecurity and data, for startups, some initial preparation, I feel maybe Trevor, you guys can prepare more case studies, let people know that this is very important.
Like I know Baxter just pulled out one of their products because of cybersecurity or these kinds of issues – a respiratory product they pulled out from the market worldwide because of cybersecurity issues. So those kinds of cases, we should let people know, let the industry be more aware. Yeah, we're starting to see like one or two product recalls a week due to cybersecurity, at least in the United States.
I subscribe to the FDA recall subscription list, and there are like one or two, it seems, per week now. Yeah. But is it possible to make like a case study or something, or is it not allowed? Because people only read the news saying they pulled out this product. Like Baxter just pulled out one of their major products. They invested a lot in this product, on the respiratories they produced, but if you go deep, that's because of cybersecurity.
Yeah, and I think it's really important, it's good to have some information, even like the podcast that we're doing, about what are some of these risks out there. What can happen if you're mismanaging cybersecurity? Your product gets recalled, the FDA can come back at you, and that's assuming you get it cleared in the first place. And then what we're trying to really have a push for is how can you just prevent this from happening in the first place?
So that's why we constantly keep the, I think, the constant motto of start early and often with your cybersecurity. Don't forget about it. Don't try to push it to the back burner and wait until a situation like that comes up. Wait until you're forced to have this massive recall since a company at the scale of Baxter, you know, figuring, understanding the cost of not just having that available on the market, but also having to pull that out of the market can be extreme for them.
So looking at some easy ways to try to fix that on the front end, I think is a good way to try to bridge that gap. Yeah, I don't know how they put it on the news like the Baxter case, but I read the local news. It's just a recall and a major product recall. So it's a pain for Baxter. But I prefer, you know, if I'm in your shoes, or sitting, trying to educate more industry people, I think the news should say, "Because of cybersecurity issues, this is what happened, this product recall," because people just focus on the product recall itself, but actually it's not the normal product recall.
So that's what I'm suggesting. Yeah, like the one for Baxter, I think you're referring to, in November of 2025, that's the Life 2000 Ventilation System. That says that there's a cybersecurity flaw that allowed unauthorized changes to settings, risking critical breathing support failure. Yeah. So, it was permanently recalled. Mhm. Yeah.
But you're right. I think a lot of people thought, "Oh, this product is recalled," but they don't actually dig a little bit deeper to realize it was recalled because of a major cybersecurity issue. Yeah, because there are too many news about product recalls. You know, there are many product recalls for some reasons all the time. So I mean, in the local news, what I read, all the news, no one really mentioned that type.
Only when you go deep, you know this is a cybersecurity issue. But the news title or all the news just say it's a product recall. But to me, it's not like a traditional normal product recall; this is because of cybersecurity. It's not their product's so-called normal quality. Yeah, I think that one we follow that because I subscribe to the list, and our company knew about it.
But you're right. I think developing a case study that shows like, "Here's like in the past quarter, which devices have been recalled from a cybersecurity perspective," is probably a really good idea, because I don't think a lot of people understand the magnitude of the problem we're trying to solve. And I think it's a little different for us. Well, obviously, being in the cybersecurity space, it's all we think about and all we look at.
So we go, "Of course, it's cybersecurity." But yeah, William, I think you're totally right. But if you just look at the headlines, which let's be honest, is what most people end up doing, then it just says product recall. You don't know why. You don't know what went into it. You just know you probably shouldn't use that anymore. But getting to the source of it, a, it shows how much of a huge problem this is. But it also gives us a lesson on how we can try to prevent it and fix it in the future.
Yeah, industry people get used to product recalls because there are always some product recalls, big or small, severe or non-severe, mostly quality issues or some patient issues, and then they issue the recalls. For you guys, just particularly for cybersecurity product recalls, there are still many cases there. So let people be more aware about this.
I think it's the same idea as your books, Christian. It's like initially you mentioned about the Vice President Cheney using actually a Medtronic pacemaker. I was in the pacemaker at that time. I know that's a Medtronic pacemaker. And, you know, I also at that time they had programming using the telephone line, can programming a normal patient's pacemaker parameters.
So ultimately, I refused to launch it in China at that time. I said, you know, if you lose the telephone line, suddenly broke, who's liable at that time? It's not getting to cybersecurity issues yet, but still there are some liability issues. Yeah, for sure. Well, we're coming up on time here. So I like to kind of go around the room, the virtual room, and ask for last-minute words of wisdom or words of advice to medtech innovators or anyone listening to the podcast.
And I'll start with you, Trevor, and then go over to you, William. You got to say something new, Trevor. Well, I think I'm going to steal your new one, and that is start with your markets in mind and work backwards from there. And this is especially, especially, especially important if you're looking at markets such as the Chinese market with really unique requirements.
I think that a lot of manufacturers get into the mindset of, "Well, let's just make something and then we'll try to, you know, tweak it, get it through this regulatory process," but you can be going in a completely wrong direction than what can be effective for you. So understand where you're going and then try to build the roadmap to get there.
Yeah. Even like a simple "Which cloud provider are we using?" decision would affect your viability in the Chinese market. Yes. Because at the beginning, picking Azure over GCP isn't going to be as major of a shift as migrating from GCP over to Azure. What about you, William? Any last-minute words of wisdom?
Yeah, just for me is being in the industry for such a long time, I think the industry people need to be fully aware of the importance of cybersecurity. And there will be more and more innovative products in med areas linked with cybersecurity. And if you want to manufacture an innovative product in that area, please start thinking early, plan early enough, and focus on cybersecurity, otherwise it will cost you tremendous resources and money later on.
So that's my, you know, takeaway for this cybersecurity topic. Yeah, it's good to hear that your perspective is the same as ours. We always say cybersecurity should be considered from design to disposal of the product, the entire lifecycle. And I would second what Trevor says about reverse engineering. He stole my saying, I guess.
I always talk about reverse engineering the markets you want to get into. So that's extremely important. And we'll wrap up here. So, thanks for tuning in. Thanks, William, for being a guest on The Med Device Cyber Podcast. And thanks everyone, and we hope to see you on the next one. Okay, thank you. Let's see you next time.