Why MedTech Needs Specialists with Zoltan Kevei and Saby Toth of Bishop & Co | 70

In this episode of the Med Device Cyber Podcast, host Christian Espinosa is joined by Zoltan Kevei, Founder and CEO, and Szabolcs Tóth, a Regulatory and Quality Expert, from Bishop & Co., a Hungarian software and regulatory consultancy specializing in the MedTech industry. The discussion revolves around the complex and evolving landscape of bringing medical software and devices to market, comparing the regulatory environments of the European Union and the United States, and exploring the role of emerging technologies like Artificial Intelligence (AI) in software development. The guests begin by addressing a major strategic shift in the MedTech industry. Historically, the EU was considered the easier and faster entry point for new medical devices. However, with the implementation of the new, more stringent EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR), this has changed dramatically. Tóth explains that these new regulations have created a significant bottleneck, drastically reducing the number of Notified Bodies available for certification and extending approval timelines to anywhere from 9-13 months, sometimes even up to two years. This has led many innovators to pivot their strategy, targeting the more stable and predictable US FDA approval process first, despite the US being a larger and historically more challenging market. They emphasize that navigating this landscape requires deep, specialized expertise, framing the process with the adage, “it takes a village” to successfully bring a product to market. A significant portion of the conversation focuses on the integration and impact of AI in software engineering. Both guests offer cautionary perspectives, arguing that while AI is a powerful tool, it is not a substitute for human expertise. Tóth uses the compelling analogy of a power drill: it is an excellent tool that makes a carpenter more efficient, but it does not make a novice into a carpenter. Similarly, AI can augment the work of experienced engineers but can lead to significant problems if relied upon without expert oversight. Kevei warns that teams relying too heavily on AI can be led "into the deep forest," producing inefficient or flawed code that costs a great deal of time and money to fix. This underscores the critical importance of keeping a seasoned human expert in the loop to guide development and validate AI-generated work. They also touch on the trend of companies using "AI" as a buzzword to attract investors, which can unnecessarily complicate regulatory pathways and add scrutiny to projects where a simpler, deterministic algorithm would have sufficed. The consensus is that innovators must be diligent and strategic, engaging specialized partners early to manage risk, ensure quality, and navigate the complex journey from concept to market.

Christian: There's a statistic that on average it takes a medical device manufacturer seven years and 35 million dollars to bring a product to market. Szabolcs: Europe was the first go-to place to enter. Now, since the EU MDR, IVDR came in, it kind of changed around. Christian: Sounds like a lot of people have shifted their strategy to get to the US market first. Zoltan: whole teams are driven into the deep forest by the AI, so it can cost you a lot if you rely too much on these technologies and you are not trying to use your years of experience. Szabolcs: AI is a very good power tool for experts. The way I see AI is the way I see the power drills. It's not going to make you a carpenter. Christian: I think it's interesting that we're seeing more specialists because it is very different than the traditional hardware. Christian: Hi, welcome back to another episode of the Med Device Cyber Podcast. I'm your host, Christian Espinosa. Today we have a couple guests from Bishop and Company. They're coming to us all the way from Hungary. I'm not sure what town of Hungary. I've only been to Hungary once, when I backpacked around Europe. I went to Budapest. So we got uh Zoli and Sabi. And maybe you could give a little bit of background about yourself. I know you do software engineering and regulatory strategy in the EU and some in the US. And we've got a pretty awesome conversation planned today. So maybe you could start off by introducing um your organization and a little bit about both of you. Zoltan: Uh so first of all, we're not in, we're not located in Budapest. Actually, we are located in different cities. Szabi is in Győr. Myself and majority of the team are, we are located in Szeged, south part of Hungary. So yeah, Bishop and Co. Bishop and Co is a software software outsourcing studio or software outsourcing consultancy. And uh, we're mainly focusing on on on, yeah, probably from end-to-end solutions in in software engineering. From regulatory and from even business analysis to to deliver a an end product. Uh, and actually what, what I'm rather responsible for the software engineering part, and Szabi is mainly responsible for the regulatory part. So that's why we are both of us are here together. Um, Szabi. Szabolcs: Hi, my name is Szabi. And uh, you know, I've been working in this industry for almost 15 years now, uh, mainly focusing on the regulatory and the quality aspect of uh medical devices, and mainly specialized on medical software. So that's I would say like a little bit of niche around my expertise. And uh, I think it's a pretty exciting industry to work in because, you know, as you know, you know, there is a growing medical device industry nowadays, especially in the software side. And I think there is like a special need because of the nature of software. So, and it's constantly growing and it's, you know, it's a never ending, you know, learning curve, you know, for everyone, um, you know, including both uh us and even the regulators so, so I think it's a pretty exciting area. Christian: Awesome. I had to look up uh where I think he said Szeged, right? It's on the very, it's on the border, right, right by the border there of uh, looks like you're bordering uh, Serbia and uh, Romania. pretty close to both of them, It's right kind of in a triangle there. Zoltan: Yes, that's where I am located. And Szabi is closer to Slovakian and Austrian border. So we're like three Oh, okay. Christian: So you got the, you got the op, you got the north, you got the opposite directions of the country covered. Szabolcs: Yeah. Zoltan: Yeah. Zoli’s located in the southeast corner. I'm located in the northwest corner of the country. Christian: Right. Awesome. Zoltan: But it's not a big country, mind you. Christian: Yeah! Yeah, I just did the Euro Pass in Europe back uh, after college, you could buy like a 30-day pass for the train, the European train, and just kind of travel around wherever the train went uh for 30 days and then you had to buy a new pass. So that's, that's what I did. And uh I, I only went to Budapest, I don't, I didn't check out anywhere else. But uh, it was awesome. Szabolcs: Next time you come around, you let us know and then we show you some other parts as well. Christian: Yeah, I, I kind of like going to just like, the bigger cities are all kind of the same across Europe and across the world. I think the smaller cities have more of a, like a cultural sense to it, and just a little nicer as well, a little cleaner and not as dirty and all that. Zoltan: Yeah, and it's more dense in culture. So if you like, like travel 100 miles away, it's a completely different country with a completely different culture as well. So. Christian: Yeah, it's kind of like that in the U.S. I don't know about a hundred miles, but maybe a little bit more. But yeah, similar over here. So, I know like, um, a couple things we were going to talk about is some of the regulatory attitudes. I think there's a lot, a lot of curiosity like, what is it like to try to get something approved in the EU market versus the US market? Uh, is that something you can uh, provide some color to, um based on your experience? Szabolcs: Yeah. So, uh, from a regulatory aspect, uh, as probably most of the people know that the, uh, the landscape changed a lot since the EU MDR and the IVDR in, you know, in the EU. Before that, Europe was, I would say, the first go-to place to enter, and US was always so-called the, the hard market to enter. So people, you know, tend to go to EU first. Uh, now since the EU MDR, IVDR came in, it kind of changed around. Uh, not because one of them is easier, the other one is, is more like because it's, I would say now the two markets are very similar regarding the, the requirements you have to fulfill to comply. Um, I think the huge difference that the US has been like this for a long time, so it's kind of stable. While in the EU, uh, the regulatory bodies and everyone is still kind of learning this, uh, new landscape, plus, you know, as we know that there used to be 120 notified bodies under MDD. And when the new EU MDR came in, then that number went down to 19. And I think we're up to like 51 or 52 notified bodies now. And for that reason, there's, you know, there's a huge bottleneck. And so for that reason, while in the US, you know, FDA usually says like, you know, you have like a, for example, with 510(k), it's a 90 days. In, in the EU right now, you're looking at a much longer period, uh, which is measured in, I would say, quite a few, couple of months. I think the last statistics I saw it was around, uh, somewhere between 9 to 13 months to get to the market. Uh, and obviously, you know, sometimes you can do less, sometimes, you know, it takes much longer, even up to two years, depending, you know, how well you prepare the Christian: So, the US, uh, a lot, it sounds like a lot of people have shifted their strategy to get to the US market first because of the, the time to market and some of the, I guess bottlenecks like you said, the less notified bodies and things of that nature in, in the EU. Szabolcs: Yeah. And I, let's be honest. Um, US is still one of the, the biggest market. And, you know, it's, you know, so for that reason, people like to aim for the, the big game. Let's, let's put it this way. They have to put the effort in it. Zoltan: Yeah. One language, one market, easier to enter. Yeah, one strategy could work. While in, in Europe, it's a bit more saturated. Christian: Yeah, and even though it's the EU MDR, you've still got the nuances within each country. I mean, in the United States, we have states, but the differences between state to state is, is not that much from a healthcare perspective. Not, not as much as like Germany and France, as an example, or Germany and the UK, or Hungary and somewhere else either. Szabolcs: Yeah, correct. I mean, uh, to be honest, I would say mainly is the same now because of, of, of these centralized European regulations. Uh, but there is, as you said, there's a little bit of nuances on top of that, you know, that you have to comply, you know, slightly different on each country. But the countries are trying really hard to kind of stick to the, to the mainstream because it's, it's hard already in its own. But yes, you're right. There are some, you know, minor differences here and there. Christian: When do, when do most clients engage uh your organization on their med-tech uh journey? Like from a software development perspective as well as a regulatory because I, I know you said you do both. Zoltan: If we meet, if we meet them first, then they are in a trouble because, uh, so if they start to figure out the regulatory part and then they just going to go like, "Oh, okay, we're going to make it, and then, ooh, we need some help in, in software engineering." That's sometimes it's too late. So, sometimes it's the other way around that, okay, from regulatory perspective, we need to, we need to, to, to check it, and we need to lend a hand and give them some help, and then it comes that, okay, we know how to do the software engineering part in, in, in regulatory, to meet the regulatory standards as well. Szabi, am I correct? Szabolcs: Yes, you're right. And, and to answer your question, it varies. You know, every now and then, you know, some, you know, clients comes to us at pretty early stage when they're in the concept stage. And, I have to admit, that's, I would say it's almost the ideal part because when you're at such an early stage, you figure out what you want to do. It's also good to consider the regulatory strategy, the effort it will take, including the, you know, the design and development. It's, you know, then it's almost like, you know, you do your planning, you know, well ahead, and you can calculate with the cost and everything and the timeline. And we know nowadays, you know, time is, is crucial because, you know, things are different and things are a little bit more agile. Uh, but obviously, we sometimes come across companies who already have their product ready, they have everything ready, and they say it's like, okay, we're ready to hit, hit the market. And then we start asking the questions and then they we realize that, well, you're not really ready. And, I probably familiar with that. Like, one of the biggest things nowadays, like, FDA and, uh, the European Union starts focusing on, on the cybersecurity matters because, you know, this, this was a field that was, uh, mistakenly overlooked for a long period of time. Everyone thought is like, "Yeah, cybersecurity is just an afterthought." And, uh, no, not really. And I don't think they understand the complexity of that, that field and, and the time it requires to prepare. And not just the documentation, because usually the only time you can do the documentation part once you done the technical due diligence before. Christian: Yeah, it's uh, it's, I think it's still is an afterthought too often unfortunately. And it's an expensive afterthought because design decisions, if they don't consider cybersecurity, have to be redone. You have to do rework and redesign things, which costs uh, a lot more money and more time and delays to market, and it's frustrating for everybody. So, part of our mission at Blue Goat Cyber is to help raise that awareness and get people to start thinking about cybersecurity early on because they can spend, you know, a few thousand dollars, uh, with some consulting with us as an example, and avoid a few hundred thousand dollars in rework and delayed time to market and all that later on. It's probably similar from, from a regulatory perspective with with you guys as well, I imagine. Szabolcs: Yeah. We've seen, we've seen that too many times. Uh, we, and believe it or not, we have seen that with uh regulatory consultants as well because, uh, I would say, still most of the, you know, industry is heavily, you know, hardware-oriented. So most of the regulatory and quality consultants come with a, a hardware background. And obviously, you know, everyone is, you know, trying to get, you know, more work. So they tend to say that, "Yeah, well, I can do that. There's no problem." But, uh, you can see that when someone touches medical software with hardware fingers, it's a bit kind of like clumsy. It's like butterfingers almost. It's like it's a bit too, you know. So, you have to have that kind of expertise. You know, you have to understand because, you know, as you can still see, most of the regulations written with hardware in mind. And then, you know, people are struggling, you know, how do I apply this regulation? So, so it works for my software too. It's like, you know, there is a way to do that, but you know, no regulation, no standard will tell you how to do that because they never give you the practical implementation part. So that's where, you know, the experience comes in. And, as you said, to pick the, the right company, I think, you know, talking to them, see if you know, like them, you know, asking the right questions. Um, what I find that if you spend a couple of hours, like, one or two or maybe three or four hours talking to them, like a different sessions when you pick your brain about how they would do something, you will feel if they know what they are talking about because you can't, uh, kind of like, you know, beat around the bush that long. It will come out that you don't know what you're talking about. But if that person is really, really understand the topic, then they will be able to give you so much useful information within those couple of hours. And then, you know, usually I would say what I see that those companies who don't, you know, charge you for those one or two hours at the beginning, are the ones that they know what they're doing. They know that as soon as you start working with them, eventually you're going to sign a contract with them because they're not worried about sharing that information or knowledge with you because they know what they have under their belt is not something that you can learn under three to four hours. Christian: Yeah, we have that experience quite often and our, just, we end up having an initial discovery call, and then we'll have another call later on where the prospect will bring several other people from their team and really try to pick us apart to see if we know what we're talking about. And I can tell they've talked, they've spoken with other companies that didn't have the answers because we've been doing this for a long time. So then they, they're kind of their defenses go down and they're like, "Oh, we know we want to work with your, with your team because you're able to answer everything or most of the things that the other companies they talk to couldn't even answer those things." Zoltan: I agree with Szabi as well. He said right people. And I think that's that's really important. This is really important. So, yeah, at least for a while. Yeah, probably AI is coming, and everyone is going to generate code and generate softwares and generate uh products with AI. But, at least for a while, uh you will need to keep working with people. And I think that's, that's really important to find the right people, even if it's a partner, even if it's an uh, a vendor, the vendor is represented by people, and you need to feel that you can be good with that team. You need to be good with with them and your, they are trying to reach, they're trying to help you to reach your goals. And I think that's really important. And it's still about people. I think people is still really important within this chain. Christian: Yeah, I, I agree with that. And I, I believe it does take a village because, like I mentioned before, if I put myself in a MedTech innovator's shoes, there are so many things to know that it's impossible. I mean, you could probably learn them yourself, but it would take you a really long time, and you still would not be the expert where you could find the right partner, the right team, build the right team of experts, and you can go further and faster and, I think, more cost effectively with less mistakes as well. Szabolcs: And if you think about that's that that is a crucial time that you lose. And as you said, like, nowadays, I, I think I agree with you that considering, I mean, comparing hardware to software, software is, is easier to, to, to actually design and develop and get something ready, um, than, than hardware. Uh, maybe I'm saying that because I'm a software guy, not not hardware-focused, but, so I am, so I might be a bit biased here though, I have to admit. But, uh, I fully agree with you, like vibe co, vibe coding will allow people to, to speed up some of the stuff, but it will not change the fact that remember, if it's a medical software, it has to be, kind of like, you know, receive a certain clearance or approval depending on which market you're talking about, to go to the market. And what I find very often, very often, you know, people are super smart and because, you know, usually these are like super smart engineer or, you know, doctors, you know, they team up with awesome product ideas and, and great the medical software, but first of all, we struggle for weeks to try to define the software requirements that, you know, they're gonna use to test against and something like that. And if you can't put your, you know, this documentation in a way that you can convince an FDA auditor that you've done your, you know, all your checks and balances and your product is safe. No matter how great that product is, that's just going to sit on your server and not going anywhere and not going to generate any revenue, so. And that can take time. Zoltan: Yeah. It's improving in a very, very fast pace. So this is why we, we, we should keep our eyes on it because it's probably not there yet, but it's, it's getting better, and it's getting better pretty fast. And, if you, if you use it on the right way, it can give you some speed and, and it can speed up the velocity. But, yeah, the difficult part is coming right now. How to find that, that team. Uh, because I know a lot of software engineering firms that has a really bad reputation. And I probably wouldn't work with them either. And, yeah, that's a really good question. Yeah, we having a I think references, Christian: Like you mentioned, the innovator's cousin or brother does software development, and we've got the same challenge where prospects will pick a cybersecurity company that doesn't focus on MedTech, as an example, because they don't understand MedTech, all the nuances and the types of testing and patient safety lens versus data protection. They don't understand all the, all the nuances of that. So they'll choose like a what we like to call a traditional cybersecurity firm that doesn't understand MedTech. And that was a poor decision and it usually gets them in trouble and they have to end up spending money twice. Like, find someone like us to fix the problems that the other company didn't know how to do. And it's probably similar in software development. If you pick a software development firm that doesn't understand MedTech, you're going to not end up with all the artifacts you need or the quality you need to get the device through a regulatory approval. Szabolcs: Yeah, we've seen, we've seen that too many times. And, believe it or not, we have seen that with uh regulatory consultants as well because, uh, I would say still most of the, you know, industry is heavily, you know, hardware-oriented. So most of the regulatory and quality consultants come with a, a hardware background. And obviously, you know, everyone is, you know, trying to get, you know, more work, so they tend to say that, "Yeah, well, I can do that. There's no problem." But, uh, you can see that when someone touches medical software with hardware fingers, it's a bit kind of like clumsy. It's like butterfingers almost. It's like it's a bit too, you know. So, you have to have that kind of expertise. You know, you have to understand because, you know, as you can still see, most of the regulations written with hardware in mind. And then, you know, people are struggling, you know, how do I apply this regulation? So, so it works for my software too. It's like, you know, there is a way to do that, but, you know, no regulation, no standard will tell you how to do that because they never give you the practical implementation part. So that's where, you know, the experience comes in. And, as you said, to pick the, the right company, I think, you know, talking to them, see if you know, like them, you know, asking the right questions. Um, what I find that if you spend a couple of hours, like, one or two or maybe three or four hours talking to them, like at different sessions when you pick your brain about how they would do something, you will feel if they know what they're talking about because you can't, uh, kind of like, you know, beat around a bush that long. It will come out that you don't know what you're talking about. But if that person is really, really understands the topic, then they will be able to give you so much useful information within those couple of hours. And then, you know, usually I would say what I see that those companies who don't, you know, charge you for those one or two hours at the beginning, are the ones that they know what they're doing. They know that as soon as you start working with them, eventually you're going to sign a contract with them because they're not worried about sharing that information or knowledge with you because they know what they have under their belt is not something that you can learn under three to four hours. Christian: Yeah, we have that experience quite often and our just, we end up having an initial discovery call, and then we'll have another call later on where the prospect will bring several other people from their team and really try to pick us apart to see if we know what we're talking about. And I can tell they've talked, they've spoken with other companies that didn't have the answers because we've been doing this for a long time. So then they, they're kind of their defenses go down and they're like, "Oh, we know we want to work with your, with your team because you're able to answer everything" or most of the things that the other companies they talked to couldn't even answer those things. Zoltan: I agree with Szabi as well. He said right people. And I think that's that's really important. This is really important. So, yeah, at least for a while. Yeah, probably AI is coming, and everyone is going to generate code and generate softwares and generate, uh, products with AI. But, at least for a while, uh, you will need to keep working with people. And I think that's, that's really important to find the right people, even if it's a partner, even if it's an uh, a vendor, the vendor is represented by people. And you need to feel that you can be good with that team. You need to be good with with them and you're, you're, they are trying to reach, they're trying to help you to reach your goals. And I think that's really important. And it's still about people. I think people is still really important within this chain. Christian: Yeah, I, I agree with that. And I, I believe it does take a village because, like I mentioned before, if I put myself in a MedTech innovator's shoes, there are so many things to know that it's impossible. I mean, you could probably learn them yourself, but it would take you a really long time, and you still would not be the expert where you could find the right partner, the right team, build the right team of experts, and you can go further and faster and, I think, more cost-effectively with less mistakes as well. Szabolcs: And if you think about that's that that is a crucial time that you lose. And as you said, like, nowadays, I, I think I agree with you that considering, I mean, comparing hardware to software, software is it seems easier to, to, to actually design and develop and get something ready, um, than, than hardware. Uh, maybe I'm saying that because I'm a software guy, not not hardware-focused, but, so I am, so I might be a bit biased here, to, I have to admit. But, uh, I fully agree with you, like vibe co, vibe coding will allow people to, to speed up some of the stuff. But it will not change the fact that remember, if it's a medical software, it has to be, kind of like, you know, receive a certain clearance or approval depending on which market you're talking about, to go to the market. And what I find very often, very often, you know, people are super smart and because, you know, usually these are like super smart engineer or, you know, doctors, you know, they team up with awesome product ideas and, and great the medical software, but first of all, we struggle for weeks to try to define the software requirements that, you know, they're gonna use to test against and something like that. And if you can't put your, you know, these documentation in a way that you can convince an FDA auditor that you've done your, you know, all your checks and balances and your product is safe. No matter how great that product is, that's just going to sit on your server and not going anywhere and not going to generate any revenue, so. And that can take time. Christian: Awesome. Well, thank you so much for joining us today uh on the Med Device Cyber Podcast. And thanks everyone for tuning in. And we hope to see you on the next one. We hope you found this episode valuable.