Innovating MedTech with AI: Beyond Standards Compliance
Camgenium's CEO Dr Philip Gaffney OBE recently presented at Digital Health World Congress 2025. Dr Gaffney shared his insights into managing compliance risk without compromising the development of innovative medical device-grade products and AI.
Dr Gaffney demonstrated how proactive, defensive design accelerates regulatory approval, protects against liability, and enables innovation in medical devices and AI technologies. Discover the full presentation transcript below.
The Hidden Compliance Gap
Standards Verify Process, Not Implementation
• ISO 13485 audits check for documented procedures, risk assessments, design reviews
• ISO 13485 audits DON'T check for cryptographic key quality, memory protection, secure boot integrity
• Annual compliance audits are PASSED, which confirms you have followed the standard's process, but implementation flaws remain undetected, so medical device developers may still be at risk
• The reality: implementation failures are discovered ONLY when something goes wrong with the medical device or product
Real World Compliance Evidence
Regulations and standards are not the same. Regulations are the laws you have to comply with in order to sell your product, whereas standards are best practice and have been driven by industry. Standards satisfy the regulations: if you meet all of the standards, you have met the law.
Post-Market Discoveries Prove the Gap
• St. Jude Medical Cardiac Pacemakers (2017-2019): cardiac pacemakers recalled for cybersecurity, wireless exploitation possible; about 465,000 devices had to be updated
• Medtronic MiniMed Insulin Pumps (2019): vulnerabilities known since 2011, discovered by external researchers, not auditors; about 4,000 devices recalled
• Pattern Across Industry: Security researchers find flaws at Black Hat conferences, not during ISO audits
FDA's Dr Suzanne Schwartz (2019): "Any device can be hacked and that's often not understood... companies are not prepared"
Medical Device Regulations and Standards
Born from Disaster, Designed to Prevent Recurrence
• Thalidomide (1950s-60s) → FDA drug approval requirements, teratogenicity testing
• Bjork-Shiley Heart Valve (1980s) → 663 deaths → Medical Device Amendments (1976), Design Control requirements
• Therac-25 Radiation Overdoses (1985-87) → 6 patients killed by software errors → IEC 62304 software lifecycle standard, ISO 14971 risk management
• Insulin Pump Cybersecurity (2011-2019) → 8-year gap before recall → IEC 81001-5-1 cybersecurity standard
Standards codify lessons learnt from disaster.
Medical AI Ethics Demand More
Primum Non Nocere: First, Do No Harm
It is an ethical requirement to build regulatory-compliant medical devices.
• Medicine's fundamental obligation: avoid preventable harm
• "Due care" standard: Did you do everything reasonably possible?
• Standards compliance = necessary but insufficient
• Best practice engineering = demonstrated diligence
• Negligence claims defeated by: Evidence of proactive implementation beyond minimum standards
When developing new medical devices, engineering excellence is an ethical obligation and brings with it competitive advantage.
Who is Liable When it Comes to Mistakes in Medical Device Development?
Everyone is liable when mistakes are made with compliance in the development of medical devices: the doctor, the hospital, the government and the manufacturer. Compliance is key.
• Post-incident: All parties contribute to liability determination
• Standards compliance alone may not protect you
• Need BOTH process compliance AND implementation evidence
• The strategic choice every medical device company makes: proactive (higher upfront cost, lower total cost, faster approval) or reactive (looks cheaper until something goes wrong)
Critical: Evidence must pre-date the incident.
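As an added illustration of the gap described above (an ISO 13485 audit checks that a design review happened, not whether the shipped binary actually has memory protection enabled) and of what "implementation evidence that pre-dates the incident" can look like in practice, here is a checksec-style inspection of an ELF64 image's memory-protection flags that emits a hashed, timestamped record of its findings. This is example code written for this page, not Camgenium's code and not part of the Foundation 2a platform; the two ELF images are constructed in-memory test data rather than real device firmware, and the evidence-record fields are an assumed format, not a regulatory one.

```python
"""Checksec-style ELF64 memory-protection check with a hashed, timestamped
evidence record.  Example code added for illustration; not Camgenium's code.
The evidence-record layout below is an assumption, not a regulatory format."""
import datetime
import hashlib
import json
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3                                   # e_type values
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W = 1, 2                                        # segment permission bits
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")                # ELF64 file header (64 bytes, little-endian)
PHDR = struct.Struct("<IIQQQQQQ")                        # ELF64 program header (56 bytes)


def check_elf64(image: bytes) -> dict:
    """Report PIE, non-executable stack (NX), RELRO and any W+X PT_LOAD segment."""
    if len(image) < EHDR.size or image[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_ident, e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(image, 0)
    if e_phentsize < PHDR.size or e_phoff + e_phnum * e_phentsize > len(image):
        raise ValueError("program header table out of bounds")

    findings = {"pie": e_type == ET_DYN, "nx": False, "relro": False, "wx_segment": False}
    for i in range(e_phnum):
        p_type, p_flags, *_rest = PHDR.unpack_from(image, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            # Stack is non-executable only if the segment is present and lacks PF_X;
            # a missing PT_GNU_STACK gets an executable stack on most targets.
            findings["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            findings["relro"] = True
        elif p_type == PT_LOAD and (p_flags & PF_W) and (p_flags & PF_X):
            findings["wx_segment"] = True   # writable and executable: classic shellcode target
    return findings


def evidence_record(name: str, image: bytes) -> dict:
    """Tie the findings to the exact artifact (by hash) and to a UTC timestamp."""
    findings = check_elf64(image)
    return {
        "artifact": name,
        "sha256": hashlib.sha256(image).hexdigest(),
        "checked_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "findings": findings,
        "passed": findings["pie"] and findings["nx"] and findings["relro"]
                  and not findings["wx_segment"],
    }


def build_image(e_type: int, phdrs: list) -> bytes:
    """Constructed test data: a minimal ELF64 header followed by the given
    (p_type, p_flags) program headers.  Not a loadable binary."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, v1
    hdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return hdr + b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)


# Constructed samples: a hardened layout and a weak one.
HARDENED = build_image(ET_DYN, [(PT_LOAD, 5), (PT_LOAD, 6), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
WEAK = build_image(ET_EXEC, [(PT_LOAD, 7), (PT_GNU_STACK, 7)])

if __name__ == "__main__":
    for name, img in (("hardened", HARDENED), ("weak", WEAK)):
        print(json.dumps(evidence_record(name, img), indent=2))
```

Run in CI against every release build and archive the JSON alongside the design-history file: the SHA-256 binds the finding to the exact artifact that shipped, and the timestamp shows the check was done before, not after, an incident. The point is not this particular check but that it inspects the implementation itself, which a procedure-based audit never does.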
Camgenium's Foundation 2a Platform
Camgenium has developed a pre-approved, regulatory-compliant software infrastructure for MedTech innovators to build class IIa medical devices.
• The end-to-end, medical-device-compliant foundation layer is already in place, ready for innovators to develop their medical device on top of it
• The platform is built to meet regulatory and security requirements such as IEC 62304, OWASP, ISO 27001 and HIPAA
• The software infrastructure provides a Declaration of Conformity and the supporting evidence
Summary
• Standards are necessary, not sufficient
• Engineering excellence protects patients and companies; companies need to focus on ethical engineering, or they should not be building medical devices
• The question isn't "should we" but "can we afford not to"
• Cost of doing it right is less than the cost of doing it twice