    Episode 22 · September 16, 2025 · 38m listen · 4,531 words · ~23 min read

    Overcoming AI and Data Security Challenges in MedTech with May Lee | Ep. 37 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 22 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of The Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by May Lee, a consultant from CS Life Sciences with extensive experience in the medical device industry. May Lee shares her background, which includes an engineering degree from Arizona State University and over a decade of work with companies ranging from startups to large corporations like Philips and Cochlear. Her current specialization is in the burgeoning field of Artificial Intelligence (AI) and Machine Learning (ML) within medical devices, guiding companies through the complex regulatory and technical landscapes.

    The core of the conversation explores the significant shifts occurring in medical device cybersecurity. The panel discusses how the industry is moving away from treating cybersecurity as an afterthought and is now embracing a "secure by design" philosophy, where security is integrated from the earliest stages of the product lifecycle. This change is largely driven by stricter global regulations and a growing awareness of the potential risks.

    A major focus of the episode is the future threat posed by quantum computing. The hosts and guest unpack the "harvest now, decrypt later" strategy, where attackers steal encrypted data today with the intention of breaking the encryption once quantum computers become powerful enough. This looming reality necessitates a move toward post-quantum or quantum-safe cryptography to protect valuable and sensitive health data in the long term. The practical challenges of implementing these resource-intensive encryption methods on legacy or low-power medical devices are also considered.

    Furthermore, the episode provides a comparative analysis of the cybersecurity regulations in key global markets, primarily the United States (FDA), the European Union (EU MDR), and China (NMPA). They highlight the differences in approach, noting the FDA's increasingly prescriptive guidance versus the EU's reliance on broader standards. The discussion points out that China's requirements are often unique, demanding specific encryption algorithms and cloud providers, which can force manufacturers to create different versions of their products for different markets. The talk concludes with a strong emphasis on the importance of a comprehensive Total Product Life Cycle (TPLC) approach, including robust supply chain management and third-party risk assessment. The key advice for medical device manufacturers is to engage with technical and regulatory experts as early as possible to develop a clear strategy, ensuring a smoother, more cost-effective path to market.

    Key takeaways from this episode

    • Cybersecurity for medical devices is transitioning from a post-launch fix to a foundational "secure by design" principle, requiring integration throughout the entire product lifecycle.
    • The advent of quantum computing presents a significant future risk to current encryption standards, creating the 'harvest now, decrypt later' threat for sensitive patient data.
    • Medical device manufacturers must begin planning for post-quantum cryptography to ensure the long-term security of their products and the data they handle.
    • Global regulatory requirements for medical devices are not harmonized; the US (FDA), EU (MDR), and China (NMPA) each have distinct and sometimes conflicting cybersecurity rules.
    • China's market has unique regulatory demands, including specific encryption algorithms and approved cloud platforms, which can complicate a global market entry strategy.
    • The integration of AI and Machine Learning introduces new layers of complexity for both cybersecurity and regulatory compliance in the medical device space.
    • Engaging regulatory and cybersecurity consultants early in the development process can prevent costly redesigns and delays in getting a product to market.
    • A thorough understanding of the entire supply chain, including all third-party software and hardware components, is essential for comprehensive risk management.

    Full episode transcript

    Trevor: Hello and welcome back to another episode of the Med Device Cyber podcast. Today we're going to go over some of the global regulations and requirements as well as talk about some pretty interesting things as far as what the future of medical device cybersecurity looks like in a post-quantum-computing, encryption-breaking era. I'm your co-host Trevor Slattery, joined by our co-host Christian Espinosa, and we have a special guest from CS Life Sciences, May. How are you doing today, May?

    May: Really good. Thank you for the invite.

    Christian: No problem. Where are you coming from today, May?

    May: So, I am based in London, um, but I'm actually originally from Arizona. Um, so I grew up in Arizona, Chandler area. I know you guys are based in Tempe. Is that right?

    Christian: Yeah, I'm in Tempe looking at the Tempe Town Lake right now. Trevor is actually coming to us from Belize, I believe. I think he's at the lobster fest, eating lobster or something.

    May: Exciting. Jealous.

    Trevor: It's, it's been a hard week.

    May: But yeah. Yeah. Um, yeah, originally from Arizona. Um, I did my engineering degree at Arizona State. Um, and then went on to basically work for medical device companies. I've always been in medical device companies for the past, I think, 10, 11 years now. And, um, from startups to like big corporations, like Philips, uh, Cochlear for cochlear implants, and now I'm in consulting.

    Christian: Awesome. So, I know we have quite a bit to cover today, so we'll, uh, we'll kind of jump into it. Uh, I know, uh, well maybe you can describe a little bit your role with, uh, CS Life Sciences before we jump into our discussion.

    May: Yeah, definitely. So, my role at CS Life Sciences is quite unique in the sense that we work in the hardware, software team, um, but my specific expertise is related to AI, so artificial intelligence and machine learning. So we are seeing a lot of companies nowadays where they want to incorporate AI, they want to incorporate machine learning into their medical devices. So that's a lot of different competing regulations. So what I do is I help them kind of parse out the requirements that they need to meet, what are the absolute musts, what are nice to have, what are future considerations. So really, um, we work with any level of companies, from startups out of a university spinout or, you know, a bigger corporation that just needs a little bit extra guidance, um, in terms of the technical support.

    Christian: Cool. Uh, so let's, um, jump into a little bit here. Like from your experience, how do you feel the industry is shifting in terms of cybersecurity and like quantum computing and just like in general? Because I, you, it sounds like you've been in the industry for a while. Like, how do you see things shifting?

    May: Yeah, so that's a really interesting topic and I think one of the things that people are more aware of now is definitely, um, the cybersecurity aspect of compliance. So traditionally, of course, you know, there's hardware, software and you're worried about design control, you're worried about, you know, safety and performance of the device. Um, I think when I started in the industry, I don't think cybersecurity was quite that big of a topic, but now all I'm seeing is, you know, one of the first few questions clients ask us is, you know, what do we do? How do we, how do we make our device more secure? Um, and you're seeing that from the regulators as well, you know, they're coming out with more guidance, uh, guidances, more regulations, standards of secure by design essentially. So it's moving out of thinking about compliance maybe at a later stage or like post-launch security compliance, but now it's really weaving into, weaving the security requirements into design control itself, thinking about those security aspects right from the very start.

    Christian: You think the industry is actually shifting that direction? Uh, because, I don't know, what do you think, Trevor? I, from our perspective, it feels like maybe it's a shift, but it's like so slow I can't even recognize it. It's like a snail crawling across the sidewalk or something. I don't know. What do you think, Trevor?

    Trevor: It's pretty gradual for sure. I think that it's, there is a little bit of a shift, but like you said, it's pretty slow. We're seeing some companies try to come in at this earlier stage, but we're seeing still far too many companies, unfortunately, coming to us at the last minute saying, hey, we just weren't even aware this was something we needed to address. We just submitted to the FDA and they rejected us. What do we do now? We're lost. We're not sure where to go from here. And I feel like unfortunately that's still the majority of what we're seeing, but maybe it's down to 80% instead of 90% like it was in the past.