Episode 38 · September 16, 2025 · 38m listen · 6,405 words · ~32 min read
Overcoming AI and Data Security Challenges in MedTech with May Lee | Ep. 37 - Full Transcript | The Med Device Cyber Podcast
Read the complete, searchable transcript of Episode 38 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.
Episode summary
In this episode of The Med Device Cyber Podcast, hosts Trevor Slatterie and Christian Espinosa, joined by May Lee from CS Life Sciences, delve into the evolving landscape of cybersecurity in MedTech. The discussion highlights the critical shift towards integrating security into the design phase of medical devices, rather than as a post-launch consideration. May Lee, with her expertise in AI and machine learning, elucidates the unique regulatory challenges posed by AI integration in medical devices, emphasizing the need for robust data privacy and security measures from conception. The episode also provides a comparative analysis of the FDA's cybersecurity guidance and the EU MDR, noting the FDA's prescriptive clarity versus the EU's more generic, standard-reliant approach. A significant portion of the conversation is dedicated to the emerging threat of quantum computing to health data, exploring concepts like 'harvest now, decrypt later' and the future of quantum-safe encryption. The experts underscore the importance of a comprehensive total product lifecycle approach, including third-party risk management and supply chain security, to navigate the complexities of global medical device regulations.
Key takeaways from this episode
Medical device cybersecurity is shifting from a post-launch concern to a secure-by-design imperative, integrating security requirements into the initial design control.
The FDA's cybersecurity guidance is often more prescriptive and clear compared to the EU MDR, which relies on broader standards like IEC 62304.
Quantum computing poses a significant future threat to healthcare data security, necessitating a proactive approach to quantum-safe encryption and secure environments.
A pragmatic, risk-based approach to security and compliance is crucial, focusing on essential requirements rather than over-compliance, to facilitate timely market entry.
Engaging regulatory and technical consultants as early as the ideation or feasibility stage is critical for developing a cost-effective roadmap, navigating complex regulations, and accelerating time to market.
Total product lifecycle security requires comprehensive third-party risk management, extending beyond software bills of materials to include hardware components and supply chain integrity.
Full episode transcript
Hello and welcome back to another episode of the Med Device Cyber Podcast. Today, we are going to go over some of the global regulations and requirements, as well as talk about some pretty interesting things regarding what the future of medical device cybersecurity looks like in a post-quantum computing, encryption-breaking era. I'm your co-host, Trevor Slattery, joined by our co-host, Christian Espinosa, and we have a special guest from CS Life Sciences, May. How are you doing today?
"Really good. Thank you for the invite."
"No problem. Where are you coming from today, May?"
"So, I am based in London. But I'm actually originally from Arizona. I grew up in Arizona, Chandler area. I know you guys are based in Tempe, is that right?"
"Yeah, I'm in Tempe looking at the Tempe Town Lake right now. Trevor is actually coming to us from Belize, I believe."
"I think he's at the lobster feast eating lobster or something."
"Exciting. Jealous."
"It's been a hard week."
"Yeah, originally from Arizona, I did my engineering degree at Arizona State and then went on to basically work for medical device companies. I've always been in medical device companies for the past, I think, ten or eleven years now, from startups to big corporations like Philips and Cochlear, for cochlear implants, and now I'm in consulting."
"Awesome. So I know we have quite a bit to cover today, so we'll kind of jump into it. I know, May, you could describe a little about your role with CS Life Sciences before we jump into our discussion."
"Yeah, definitely. So my role at CS Life Sciences is quite unique in the sense that we work in the hardware-software team. But my specific expertise is related to AI, so artificial intelligence and machine learning. We are seeing a lot of companies nowadays where they want to incorporate AI, they want to incorporate machine learning into their medical devices. So that's a lot of different competing regulations. What I do is I help them kind of parse out the requirements that they need to meet, what are the absolute musts, what are nice to have, what are future considerations. So really, we work with any level of companies, from startups out of a university spinout, or, you know, a bigger corporation that just needs a little bit extra guidance in terms of the technical support."
"Cool. So let's jump into a little bit here. From your experience, how do you feel the industry is shifting in terms of cybersecurity and quantum computing, just like in general? Because it sounds like you've been in the industry for a while. How do you see things shifting?"
"Yeah, so that's a really interesting topic, and I think one of the things that people are more aware of now is definitely the cybersecurity aspect of compliance. So traditionally, of course, you know, there's hardware, software, and you're worried about design control. You're worried about, you know, safety and performance of the device. I think when I started in the industry, I don't think cybersecurity was quite that big of a topic. But now, all I'm seeing is, you know, one of the first few questions clients ask us is, you know, what do we do? How do we make our device more secure? And you're seeing that from the regulators as well. You know, they're coming out with more guidance, guidances, more regulations, standards of secure by design, essentially. So it's moving out of thinking about compliance maybe at a later stage or like post-launch security compliance. But now it's really weaving the security requirements into design control itself, thinking about those security aspects right from the very start."
"You think the industry is actually shifting in that direction? Because I don't know. What do you think, Trevor? From our perspective, it feels like maybe it's a shift, but it's like so slow I can't even recognize it. It's like a snail crawling across the sidewalk or something. I don't know. What do you think, Trevor?"
"It's pretty gradual, for sure. I think that there is a little bit of a shift, but like you said, it's pretty slow. We're seeing some companies try to come in at this earlier stage, but we're seeing still far too many companies, unfortunately, coming to us at the last minute saying, 'Hey, we just weren't even aware this was something we needed to address. We just submitted to the FDA, and they rejected us. What do we do now? We're lost. We're not sure where to go from here.' And I feel like unfortunately that's still the majority of what we're seeing. But maybe it's down to eighty percent instead of ninety percent like it was in the past."
"Yeah. No, that's fair. I think a lot of what I've seen in terms of the clients that CS gets, I think they're very much software development heavy, AI development heavy. And when you incorporate the AI side of things, you know, data privacy protection, security-related concerns might be more at the forefront of their minds. That could be it."