From Idea to FDA Clearance: What Nobody Tells MedTech Founders

The Biggest Mistake MedTech Founders Make (Hint: It’s Not the Tech)

Most MedTech founders think the hard part is building the technology. Darcy Bachert, Founder and CEO of Prolucid Technologies, has spent 17 years proving them wrong.

Prolucid is an ISO 13485-certified software development firm in Toronto that works with MedTech companies across North America, Europe, and Australia, taking products from concept through FDA approval. And in that time, Darcy has seen the same mistakes over and over.

The biggest one? Lack of clarity.

“Founders know what problem they want to solve. They understand the clinical need. But some don’t understand how physicians will actually use the device in a real workflow. They don’t think about reimbursement strategy early enough. They don’t build quality management systems from the beginning. And they treat cybersecurity as something to add at the end instead of building it in from day one.”

It’s not about bad code or lack of funding. It’s about building something that solves a problem nobody has. Or building something physicians won’t adopt because it adds complexity instead of making their lives easier.

The 7-Year, $35 Million Journey to FDA Clearance

“I don’t know if there’s as much awareness about how much different it is to build a medical product than to just create a product,” Darcy says. “There’s so much more that goes into it just from a planning, from a process perspective.”

On average, it takes 7 years and $35 million to bring a medical device to market. That’s a far cry from the “move fast and break things” mentality of consumer tech.

“When you tell a lot of people trying to break into the medical startup space that you’re likely not even going to see your product on the market for close to seven years on average, that’s a surprising figure to a lot of people,” Darcy explains.

The journey is long and arduous, with multiple stages of clinical trials, regulatory approvals, and quality management systems that must be built from the ground up. And the work doesn’t stop once the device hits the market.

“It’s not like you just, you know, throw the app out, start generating revenue, build as you go, test as you go. There are very clear steps you have to follow. And then once it’s on the market, you have to make sure it’s secure. You have to make sure it’s updated.”

The Importance of Choosing the Right Software Development Partner

One of the key decisions MedTech founders face is who they’ll partner with for software development. And Darcy says this choice can make or break a product.

“Before we had our ISO 13485 certification, going back a decade, we did follow IEC 62304, but we found that most of the companies we worked with were local in that they were fine with us not having everything. But as we got our full 62304 or 13485 certifications, that really launched the international side of our business.”

IEC 62304 is the international standard for the medical device software lifecycle. It outlines the requirements for planning, implementing, and maintaining software used in medical devices. Choosing a development partner that is certified to this standard and has a proven track record in regulated industries is crucial.

“The amount of expertise and knowledge that you bring around all these different best practices just, it really changes things. And so, you know, before you have it, you’re not really sure what the impact is, but after having it and having that track record that goes with it, it really makes a huge difference.”

Building Quality and Security from the Start

Beyond just software development expertise, MedTech founders need to ensure their partners have robust quality management systems and security practices in place from the very beginning.

“It’s not like you just, you know, throw the app out, start generating revenue, build as you go, test as you go. There are very clear steps you have to follow. And then once it’s on the market, you have to make sure it’s secure. You have to make sure it’s updated.”

Darcy explains that Prolucid is ISO 13485 certified, which means they have a formal quality management system, procedures, plans, and processes to ensure consistent, high-quality work. This level of rigor is essential for navigating the FDA approval process.

But quality is just one piece of the puzzle. Cybersecurity must also be built in from the very beginning, not bolted on at the end.

“Cybersecurity must also be built in from the very beginning, not bolted on at the end. You have to make sure it stays secure. You have to make sure it’s updated. There’s going to be new features that are required.”

Failing to address security upfront can have disastrous consequences. As Darcy puts it, “if your device is hacked, it could kill a patient or harm a patient. It’s much more risky than somebody stealing a credit card number, for instance.”

Avoiding the “Pentest Puppy Mill” Trap

When it comes to cybersecurity testing, Trevor Slattery, Blue Goat Cyber COO, warns against the “pentest puppy mill” approach: quickly running automated scans and dumping the results into a report template.

“We have seen in the past a couple of companies reach out to us, ask for assistance with the cybersecurity process. We say, yeah, this is what it takes for us to do it, from a, you know, manual-intensive process, and they say, well, this guy over here can do it for a much lower price. And then they’ll use those results, and the FDA is going to reject it for lack of sufficient testing.”

The FDA requires a much more rigorous, comprehensive approach to security testing. Anything less will get rejected, forcing the company to start over from scratch.

“They don’t see that it’s done against patient harm as a primary metric. They don’t see complete coverage of the system. They don’t see that it includes the depth of testing that is required for a medical device. They don’t see the right documentation around it. And so it really is then, you know, coming back to the drawing board from the ground up.”

Leveraging Accelerator Programs and Investor Networks

To navigate the complex MedTech landscape, Darcy recommends that founders take advantage of specialized accelerator programs and investor networks.

One such program is MedTech Innovator, with which Prolucid and Blue Goat Cyber partner. MedTech Innovator selects around 40 companies per year from over 1,500 applicants, providing intensive mentoring, pitch competitions, and other resources.

“They are really challenging all those things as part of the program. Not just what is the core technology, but they’re looking at the team. How good is this team? How open to feedback are they? How strong of a product market fit do they have? Do they understand reimbursement? Do they understand regulatory?”

The results speak for themselves – over 90% of MedTech Innovator alumni are still in business, have been acquired, or have gone public.

Christian Espinosa has also seen investors shift their strategies to focus on these types of accelerator programs. “I know some investors who have changed how they invest, and they’re only investing in alumni or people in the MedTech Innovator program, as an example, or some sort of accelerator program because they have much higher success rates.”

The Canadian MedTech Ecosystem

Prolucid is based in Toronto, which Darcy describes as the “mecca in Canada for medtech.” The city, along with the broader “Kitchener-Waterloo region,” has the largest concentration of medtech companies in the country.

“Montreal also has a really strong medtech startup scene. They do quite a lot of AI work there as well. It’s a bit of a hub not just for medtech AI but AI in general. And then as you get beyond that, there are smaller regions, Vancouver, Calgary, some on the east coast, but this would be, I think, you’d consider it the largest hub for medtech in Canada.”

While the Canadian and US medtech markets have some differences, Darcy believes the fundamentals are quite similar. The key is finding the right partners, whether that’s a software development firm, an accelerator program, or investors who understand the unique challenges of the industry.

Advice for MedTech Founders

As Darcy and the Blue Goat Cyber team wrap up our discussion, they leave us with a few key pieces of advice for medtech founders:

  • Don’t invent your problem. Spend time understanding the real clinical needs and how physicians will use your device in their workflows. Don’t just iterate quickly and hope something sticks.
  • Build quality and security in from the start. Invest in a robust quality management system and cybersecurity practices upfront. Don’t try to bolt them on later.
  • Leverage the right partners and resources. Take advantage of accelerator programs, investor networks, and software development firms with deep expertise in regulated industries.

The MedTech journey is long and challenging, but with the right approach and support, founders can navigate the path from idea to FDA clearance and beyond. By focusing on clarity, quality, and security, they’ll be well on their way to creating products that truly make a difference for patients and clinicians.

Key Takeaways

  • The biggest mistake medtech founders make is a lack of clarity – not understanding how physicians will use their device or failing to plan for reimbursement and regulatory requirements.
  • It takes an average of 7 years and $35 million to bring a medical device to market, a far cry from the “move fast and break things” mentality of consumer tech.
  • Choosing a software development partner with expertise in regulated industries and certifications like IEC 62304 and ISO 13485 is crucial.
  • Quality management systems and cybersecurity must be built in from the very beginning, not bolted on at the end.
  • Leveraging accelerator programs like MedTech Innovator and investor networks that understand the medtech landscape can dramatically improve a startup’s chances of success.
  • The Canadian medtech ecosystem, centered around Toronto, is a thriving hub for innovation, with Montreal also emerging as a key player.

To learn more about Blue Goat Cyber’s cybersecurity solutions for the medical device industry, schedule a Discovery Session. And be sure to connect with Christian Espinosa and Trevor Slattery on LinkedIn.

 

The Med Device Cyber Podcast
