In this episode of the Med Device Cyber Podcast, host Trevor Slattery is joined by special guest Dr. Basant Bajpai, the CEO of Compliance MedQRA, a regulatory consulting firm based in Dubai that also offers an automated Quality Management System (QMS). Dr. Bajpai, who holds a PhD in neuromonitoring and neurosciences, discusses the critical importance of a properly implemented QMS for MedTech companies, particularly for startups and those in the early stages of development. He identifies a major pitfall in the industry: companies often either delay implementing a QMS or opt for overly complex, expensive systems when a simple, scalable, and traceable solution would be more effective. This mistake frequently leads to audit failures, as companies are unable to retroactively prove the traceability of their development and design processes.
The core argument presented by Dr. Bajpai is the necessity of integrating a QMS from the very beginning of the product lifecycle, starting at the concept and R&D stages. He explains that while manual systems like shared drives might seem sufficient initially, they quickly become unmanageable and unscalable, resulting in significant time and financial costs to reverse-document everything for regulatory submissions. By establishing a solid, traceable foundation early on, companies can scale their operations smoothly. The conversation also explores the role of Artificial Intelligence (AI) in this space. Both speakers agree that AI is a powerful tool for assisting and improving efficiency, such as drafting documentation and flagging compliance gaps. However, they strongly caution against letting AI take full ownership. The principle of a "human in the loop" is stressed as essential for validating AI-generated content, ensuring accuracy, and maintaining ultimate responsibility, especially for critical functions like traceability, which Dr. Bajpai advises should remain a manual process to avoid potential disasters. The discussion highlights that a well-structured QMS is not just a regulatory hurdle but a fundamental business system for survival and success in the highly regulated MedTech industry. The importance of integrating cybersecurity considerations early, in parallel with the QMS, is also underscored as a key factor in preventing regulatory pushback and ensuring a smoother path to market.
Key Takeaways
1. The biggest mistake MedTech companies make is choosing overly complex, 'fancy' QMS tools instead of simple, traceable systems that fit their regulatory journey.
2. Implementing a Quality Management System (QMS) should begin as early as possible, ideally at the concept or R&D stage, to build a solid, scalable foundation.
3. Failing to establish and prove traceability is a primary reason why many companies fail regulatory audits, often due to a late or poorly managed QMS implementation.
4. Simple systems like shared drives are not scalable for a growing MedTech company and often lead to costly, time-consuming efforts to reverse-document processes later on.
5. Artificial Intelligence (AI) should be used as a tool to assist and improve the efficiency of compliance tasks, not to replace human oversight and take ownership of the process.
6. A 'human in the loop' is crucial when using AI for regulatory compliance to validate information, ensure accuracy, and maintain accountability.
7. Start with a simple, foundational QMS that meets your immediate needs; it's easier and more effective to scale a solid foundation than to fix a complex or broken system later.
8. Both regulatory compliance and cybersecurity must be integrated early into the product development lifecycle to avoid significant delays and rejections during submission.
Regulatory submissions fail increasingly often due to inadequate cybersecurity documentation, forcing medical device manufacturers to address security requirements earlier in development cycles. FDA scrutiny intensifies around penetration testing, vulnerability assessment, and security architecture decisions, particularly for Software as a Medical Device submissions.
Retrofitting cybersecurity into completed product designs imposes severe timeline penalties. Fundamental architecture changes made to implement security controls may invalidate existing validation work, requiring complete reverification under the new design specifications. This parallels quality-system delays, where addressing requirements late in development costs 6-12 months and substantial consulting expenses.
Medical device development complexity increases as regulatory requirements expand across quality management, cybersecurity, clinical validation, and commercialization planning. Limited startup funding forces difficult prioritization decisions about whether to invest in software engineering, quality infrastructure, regulatory preparation, or clinical studies. Deferring any critical component creates downstream bottlenecks.
The interconnection between quality systems and cybersecurity compliance grows tighter as both disciplines emphasize documentation, traceability, and evidence of systematic processes. Audit trails protecting quality records parallel requirements for security event logging. Design controls ensuring product safety extend naturally into security architecture decisions. Compliance teams addressing quality requirements must simultaneously prepare cybersecurity evidence.
Early engagement with both quality and security requirements prevents expensive late-stage corrections. Founders building medical devices must understand the complete regulatory landscape from the concept stage, implementing foundational systems that scale rather than deferring infrastructure until growth creates urgency. The path to market shortens significantly when quality and security are integrated with product development from the beginning.
Episode Breakdown:
00:00 QMS Mistakes and AI Misuse
01:09 Guest Intro: Dr. Basant Bajpai
01:32 Why QMS Is Critical for Survival
02:30 The Biggest Mistake Founders Make
03:30 Why You Must Start QMS Early
04:30 Why Manual Systems Fail Audits
05:30 Build Simple, Scalable Systems First
06:08 Cybersecurity and Quality Go Together
07:00 How AI Is Used in QMS
08:00 Human in the Loop Matters
08:50 AI Risks and Hallucinations
10:00 When AI Can Invent and Why It’s Dangerous
10:45 Don’t Use AI Before QMS Basics
12:30 Regulator Views on AI
13:30 AI in Regulatory Reviews
15:10 The Coming AI Arms Race
17:00 Traceability Challenges with AI
18:20 Why Traceability Must Stay Manual
20:20 AI in Healthcare Risks and Opportunities
22:10 Cost of Delaying QMS
24:00 Reverse Documentation Pain
25:30 Scaling Problems from Poor Systems
27:00 Startup Challenges and Tradeoffs
28:10 Cybersecurity Retrofit Problem
29:00 Regulatory Pressure Is Increasing
30:10 FDA Pushback on Cybersecurity
31:00 Awareness Is the Key Fix
32:20 Key Takeaways for Founders
34:05 AI Should Assist, Not Replace
35:10 Closing
The Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity experts providing essential security solutions for the medical device industry. Learn more by visiting https://bluegoatcyber.com.
If you're interested in our services or partnering with us, schedule a Discovery Session: https://go.bluegoatcyber.com/meetings/blue-goat-cyber/discovery-session
Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Operating Officer at Blue Goat Cyber.
Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/
Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9
Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/
Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/
Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/
Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber/?sub_confirmation=1
Basant: The biggest mistake the MedTech companies does today while they implement their QMS tool, they usually look for a product that is more of a heavy or fancy tool, while what they need is simple tool that is more traceable and that can actually fit their regulatory journey. But the challenge hit when they go for the audit and they fail in the audit because they fail to prove that what they have done is traceable. So I always recommend them, start as early as possible. You do not need fancy systems. What you need is a simple automated system which can suffice your need, which actually can help you build your foundation. And once you build the foundation is easy to scale. What we always recommend, do not use the AI until you fully establish implemented your QMS.
Trevor: We don't wanna let AI take ownership over this process. We want to use it as a tool to assist and guide us throughout this process. And I think as long as we're doing that, it's an incredibly effective and incredibly powerful tool.
Welcome back to the Med Device Cyber Podcast. I'm your host Trevor Slattery. Unfortunately, our other co-host, Christian Espinosa, isn't able to make it today. He's currently flying back from Seoul after a whole gamut of travel delays. But we are joined here today by a very special guest, Dr. Basant, who's coming in from Dubai with Compliance MedQRA. I'd love to hear a little bit about yourself, some of your background, and what you're working on over there.
Basant: Hi Trevor. Thank you. Uh, thank you for having me. My name is Dr. Basant. I'm the CEO at Compliance MedQRA. We are located in Dubai. I have a background within, uh, medical devices and I have a PhD within neuro monitoring and neuroscience. We are a regulatory consulting company. We also have an automated quality management system.
Well, within the MedTech industry, we believe that, uh, the QMS is not just a software, but it's a business system for survival. So having said that, in the current trend of MedTech, uh, services or within ISO 13485, uh, the tool that is required for a quality management system is not just a tool. It is required for maintaining the traceability, to maintain the documentation as well as the compliance, which is becoming day by day more and more challenging for the medical device companies.
The biggest mistake the MedTech companies does today while they implement their QMS tool, they usually look for a product that is more of a heavy or fancy tool, while what they need is simple tool that is more traceable and that can actually fit their regulatory journey. And that's a challenge. What happens, this, normally when we, when we communicate with, with multiple MedTech founders or CEO at early stage, they always ask when they should implement a quality management system. And that's one of the challenge that, that many of the founders that come across at the early stage when they are in the beginning.
So, what they have to do, what we always advise them, is that you need to start as early as possible, meaning that when they are at the concept stage or at the R&D stage, they have to start there because, regardless, if they don't start, the design control already does start. So, they have to document that and they have to do that in a version-controlled manner as well as a traceable manner. So, that is something, uh, challenging, especially among the startup and early-stage companies. And many of the companies, for example, when they opt for a system, or some of them even go to a shared drive or Google Drive when they use it for implementing the quality management system, but the challenge hits when they go for the audit and they fail in the audit because they fail to prove that what they have done is traceable and there is a sufficient audit trail. The documentation is done correctly. The different processes have been implemented and those are traceable and documented according to the different regulatory requirements.
But some of the companies are still able to make it by doing Excel sheets and doing the documentation, manual work, by hiring multiple people, but that hits them hard when they scale because when they have multiple products, when they have multiple processes, records, work instructions, then it hits hard. So I always recommend them, start as early as possible. You do not need fancy systems. What you need is a simple automated system which can suffice your need, which actually can help you build your foundation, and once you build the foundation, it is easy to scale. So from day one, if you're a startup, if you're looking for a complex quality management system, you might not have the resources to implement it and you might not be able to actually accommodate all the processes and black box processes that are already designed by these QMS providers.
What we do as a company, as a solution provider here, we provide a customized tool, an AI integrated tool that design based on where the MedTech companies are in their journey. For example, in their compliance journey, whether they're going for FDA, whether they're going for EU MDR or they're looking initially to implement a QMS to get the QMS certified.
It's the same, hand to hand, if you look with the cyber security, for example.
Trevor: Right.
Basant: There are challenges. If you look at cybersecurity, if there is no sufficient audit trail and the test and penetration test, if you fail to document, if you have done sufficient cybersecurity testing, whether you go to any regulatory authority, you will be challenged. So, I always recommend to start early, whether it's your regulatory journey, and if you are a software as a medical device, look for a capable cybersecurity expert who can actually ensure that what you're doing is correct, as well as look for a simple platform that can suffice the need to simply structure your QMS, ensure your traceability and have you audit-ready when you go for your quest audit. Keep things simple. That's my mantra for MedTech founders or early-stage companies as well as the companies that are willing to scale from startup.
Trevor: Yeah, I think that's a great mantra to have. And even when you were saying, you know, it's so important to start early, it was really resonating. I go, wow, you know, this seems like a very parallel problem to cybersecurity. It's something where the downstream effects can be so severe if you're mismanaging your quality system or if you're mismanaging your cybersecurity. Obviously, you know, cyber feels to be a subset of quality. I did once hear that cybersecurity is evidence of quality within your code, within your software. So I do think there's always an intrinsic tie-in between the two.
So, I know you've been talking a little bit about an automated QMS. Um, for, you know, a bit of background, what does that mean? How are you integrating AI into your quality system solution and what are you seeing as some of the real benefits that you have there as opposed to a bit more of the, the manual SharePoint and Excel file approach?
Basant: I'm glad you asked. Um, so, what we do differently today from the conventional QMS or manual QMS or some say paper-based quality management system. So, we do have AI which enables or help the, the regulatory or quality team to ensure they are more efficient. And how we do it, we have simple trained algorithm that simply draft the documentation, whether it's different processes, work instructions, or different requirement. It checks, it keep you in check with the various requirements, whether it's 820 CFR, whether it's EU MDR requirements, regulations, as well as different other regulatory requirement, including MDSAP. So what we do, we train our algorithm that keep the, keep the regulatory and compliance team in check, if something is non-compliant, it flags it.
At the same time what it does, it draft the documentation based on your need, based on the data that you already have provided. If you have not provided the data in the system, it can still suggest some of the documentation specific to your need, if you provide some of the information, what class, what product class you have, the documents, what type of process that you're looking for. So if you provide a bit of information, it can draft, and then human in loop, meaning that you are your quality or regulatory expert can cross-examine, whether accept or reject or update.
And we also ensure that the algorithm is sufficiently trained on the clinical evidence need by EU MDR or FDA requirement. So it can flag where you have gap. The regulatory expert actually could fill the gap. So we are not replacing individuals or the expert, but giving them a tool to be more efficient.
Trevor: Yeah, I was wondering while you were talking about it, where is this human-in-the-loop intervention? I think that's something that is definitely a risk of AI, especially in such a tightly regulated space such as this, is the chance that an AI can run away and start presenting information that's not going to be accurate or start presenting information that is going to be hard to trace back or trying to essentially fabricate this full process.
I always think of the example, if you go to ChatGPT and you tell it, "Do my taxes, make sure I get $100,000 refund," it's going to go jump through whatever fake rabbit holes they can invent to get you that refund. Is it going to be legal? Probably not, but it's going to try. And so I think that's a really important thing to think about is where is that interaction? And it sounds like you have a pretty good system. So the quality system and the AI within it is drafting the documentation, but you still do have a QARA professional who's able to go in, make sure that everything looks good there.
One thing I'd be curious to hear about is if this is a situation that comes up, when you're building out some of this content with AI-generated information, we always think that the output's only going to be as good as the input. And so what do you typically see as some of the constraints if you're not giving it enough context to build this out? Is it going to try to just go across generally or is it going to try to drill in for a bit more detail within the device specifically?
Basant: So what uh, the option we have today, that we have trained algorithm and we also allow them to invent for you. So you have to choose an opt and it comes with a warning. Like if you choose that it can invent and it can draft and the user, for example, your compliance team needs to look at it, validate the information because yes, there it will be inventive, but then accepting them in your records or in your processes, it's completely up to the quality manager or the compliance person they have in the company.
What it will not do if you keep on the conventional, a trained algorithm that is trained on your internal data. So what we always recommend, to not use the AI until you fully establish, implemented your QMS. What does this mean by implementing your QMS is having your records and data that you already have, the basic, and it has a checklist that says you have to have the product information, basic information. So it has already what it needs to provide you more accurate information. We have made the validation based on how much minimum data or information it needs in order to, for example, give you close to accurate output or close to accurate information. So we already have set the bars very high and we have trained the algorithm. So on that basis, what we do is we provide two options. Sometimes the user might feel, get overwhelmed that it's very limited information, then they can jump to another option that we have in our AI that can support to invent a bit and take the information or look the information based on the LLM that we use.
But if absolutely there, the compliance individual need to take responsibility and we have a proper training to train the organization and we made the validation accordingly and we communicate that transparently to the user and the compliance team that how they should take this in terms of content. So we have the control there.
I've been speaking to multiple regulators, authorities, for example, here in GCC, health authorities here, and they were really surprised because use of AI is bit more flexible in terms of health authorities looking at in UAE. So I was talking with the regulators and say like, "Wow, that's pretty good. I mean, I don't mind this way of accepting records and documents, even if human is not in loop." And I was surprised when I hear that. Of course, that's not something that they explicitly announce on the requirement on the website, but...
Trevor: Right.
Basant: I just hear that. I know that they will be constrained by the authorities and FDA and nobody look and and someone let's say being careless, document these documents and taking their QMS system or in their record, of course, that could be disastrous for them, but the responsibility here must be taken by the user which we try to communicate and provide this warning in the user guide and detail like, 'Hey, you have to take responsibility. Make sure what you're taking in and make sure that you stay on the, on your internal trained data output because that will not go out, that will not invent something additional. It will just collect the the information that it's fed on from your own record. It just frame it based on the requirement and then it will flag the gap that you have. So you can go through it and just fill the gap that that you have today based on the reference mentioned in EU MDR or FDA guidelines.
Trevor: Makes sense. Yeah, that's really interesting to hear about um, the health authorities out there saying, you know, even if we don't have the human in the loop, that is not the reaction you would ever expect.
Basant: That was surprising for me.
Trevor: Yeah. I think we're going to start seeing AI more on both sides of the fence though. Even looking at, you know, to pick the FDA for an example, that's what we're the most experienced with, that's what we deal with the most day to day. We're based in the US, it's going to make the most sense for us there. But of course we interact with all of these different regulators, but one thing that we do notice with the FDA is just how bogged down they are with submissions. There are only so many people at the FDA, there are only so many people who can go through these reviews, who can go through these audits, and there are a lot more medical device companies out there. And so what I'm starting to see is a trend and what I'm predicting we're going to see more and more is that, you know, the RAQA teams are using AI to help augment their capacity and help become more efficient. Like you said. We aren't trying to do this to replace an individual. We're trying to make that individual work better and work more effectively. But I think we're going to start to see more and more of this coming out through the regulators as well. I know a lot of the regulators have been piloting programs where they'll have a certain AI where they use for assistance, with reviewing of documentation or reviewing of submission material. And so I think we're going to get to this AI arms race within the regulatory space where eventually AI is creating the evidence and AI is reviewing the evidence. So I guess we'll see how things unfold, where the human in the loop is on each side. But yeah, it's interesting to hear. It sounds like the authorities in the UAE are a little bit more towards that direction. They're already gearing up for it.
Basant: Absolutely, absolutely. And it's positive, and to a certain extent for the compliance it could be, uh, concerning, because it must be taken care of well. Because, I mean, if a medical device manufacturer uses such a tool and if, for example, a validation record, for example, if a medical device or a pen test, for example, if it goes and invents a pen test, for example, and no pen test has been done for SMD, it could be catastrophic, and if the authority accepts it as it is, then that will be challenging. So of course I am 100% in favor that there should be a proper scrutiny, human in loop, that is a must. But coming back to what you said, I am seeing more and more notified body, certified body, recently when I had the communication, I'm seeing that they're already implementing tools which can actually look at the technical files, submissions, and actually give you a review, and when those reviews are compiled, then going there and cross-validating that what has been found as a gap is actually a gap, that reduces a lot of effort from the certified bodies as well, including FDA. So I haven't seen that FDA is adopting this now; I'm sure they're going to go eventually that path, but in Europe multiple certified bodies, notified bodies, already started working to adopt such tools to provide more and more efficiency to their team, because the review will take weeks and months to provide feedback, and what it takes for some time or a standard time, it takes almost a year if you have a software as medical device class 2 A or B, it takes almost a year, from nine months to 12 months cycle, to have three into three cycle, for example, for the review. So tools like this can actually reduce those review cycles and time. But of course with a human in loop and someone taking responsibility that things have been done correctly. That's my take, I said, it should not replace human, but it should be acting as a more efficient tool to make human more efficient. Great now.
Trevor: Completely agree. Yeah, and where I think we'll start to see problems come up with this is when we're trying to look for the traceability, and that's always where AI has a little bit of a struggle. It can of course generate the process, we can generate the artifacts or we can generate the process to try to support this mission, but generating the artifacts that are showcasing our compliance and that are showcasing we're doing what we say we're doing, that's where I think there's going to be a little bit of difficulty. So I love the example about AI hallucinating a penetration test. That's completely something I can even imagine happening, and then we have this artificial document and, you know, who's to say where that chain of custody stops? We need to actually verify whether or not this happened. I think that it's something, as we start to see it be used more and more, we're gonna start seeing that more human-in-the-loop part around the traceability, around the evidence of compliance, since that's, you know, like I said, that's where I think that disconnect is going to start happening. But I think overall that, you know, it's a clear direction where we're going. It's interesting to see that some of these notified bodies and certified bodies in the EU are getting a little bit quicker with this. Oftentimes we always see that the US seems to be the Wild West with new technology and regulation. It's let things go wild until something goes wrong and then try to pull back the reins a little bit. We've often seen the inverse is true in Europe, so it seems like the tables are a little bit flipped for this specific point.
Basant: Yep. Absolutely.
Trevor: Well, I know we've had a great conversation and we're coming up on time here. Uh, typically Christian's the one to do this, but since he's not here, I'll have to fill his shoes instead. So we like to go around the room and collect some last-minute insights. What are your key takeaways from this? And so I'll go ahead and start: if you were to sum this up and say, you know, what do you want anyone listening to take away from this conversation? What would that be?
Basant: I think that the takeaways that I see, I mean, we have touched upon a few topics, but I think the key takeaways for our audience, if we talk about what the innovators, startups should do early on in terms of their compliance as well as their quality management system implementation. So, I think this part is key for them to take into consideration, what they must do before they hit the design and development or they think about their compliance journey to get the registration, get their QMS certified. So that's one part of the takeaway, and if I look at the second aspect we talked about, it is how the AI can change the compliance journey of an innovator and how AI in their quality management system can enable their team to be more efficient compared to the conventional method. At the same time, how important it is to think early about the cyber security, um, part. If an innovator is going towards EU MDR or US FDA or any other global regulation registration certification, the cyber security is the key. So I think early going for the quality management system implementation, using the right way of AI, as well as considering early the cyber security journey before it's too late or it becomes too costly. I think these are the three key takeaways from my perspective. What do you think?
Trevor: Yeah, I think you touched upon all the right points there. I want to drill in a little bit more on to the AI points, since of course, you know, in the security space, paranoia is what we do. Um, but making sure that you're using this safely and effectively, having the human in the loop. Can't let AI run wild and try to take control over this process. Uh, you know, going back to the famous quote, a computer can never be held accountable. Great, now I forget, you know, possibly Silicon Valley's most famous quote. But the point being, we don't want to let AI take ownership over this process. We want to use it as a tool to assist and guide us throughout this process. And I think as long as we're doing that, it's an incredibly effective and incredibly powerful tool, and it's something that we're going to see, you know, RAQA professionals, cyber security professionals, software engineers, everyone being more effective and useful with their tasks. But I think we just need to understand there still needs to be that human in the loop. It can't be held accountable, and so we have to be the ones to be held accountable in its place.
Basant: Absolutely, fully agree with that.
Trevor: Awesome. Well, this has been a fantastic conversation. Thank you all for tuning into the Med device Cyber Podcast and we'll see you next week.
Basant: Thank you, Trevor.
Trevor: Yes. I think it's a hard problem being a medical startup. There's so much that you need to cover, and I think you touched upon kind of the biggest problem. There's only so much money to do it. You need to figure out who's going to build the product. Are we hiring in-house software engineers? Who's handling our quality? What do we need to spend on tooling? What do we need to spend on our clinical studies? Oh, wait, we forgot about regulatory in this full process. And I think that's something that we also see in the cybersecurity space: we've gone through all of these activities, we have this great product, we're getting ready for our submission. And then they bring in a regulatory consultant to make sure that they have everything ready for their submission. Great, you've got your software; great, you've got your biocompatibility; you've got your usability; you have your clinical study. Where's your cyber security? And they go, "Cyber security? What do you mean? Where's our cyber security? We need cyber security." And it's a similar effort. We have to go back and try to retrofit cyber security into an existing product. It's kind of this bolt-on approach instead of secure by design, where we're starting with design, starting with cyber security in mind as soon as you have this idea for the product, and trying to scale it up into a truly safe and secure device. Oftentimes, yeah, we see the same types of timelines. It can be six months, 12 months of trying to go back and try to retrofit all of this design. A big problem that comes up here especially is when we're making all of these changes to the product, sometimes you need to fundamentally change how the product works to make sure that it works securely. If you've already done all of your validation under this design and you need to go back and make a bunch of changes to a new design and up-version everything, all of this validation work needs to be done over in its entirety.
And so this is really where we're starting to see a lot of MedTech innovators and MedTech manufacturers have these delays imposed in their system. And again, it is a really hard problem. There are so many different problems to solve. I feel like we have a little bit of a biased view into it since we're each only dealing with one side of the house. We just look at cyber security. You're looking at regulatory. But going into all of these other activities, reimbursement, commercialization, making sure you're developing the product, raising all your funds, there's so many different problems. It's hard to be a MedTech innovator out there.
Basant: Absolutely. And I think it's getting more and more challenging because new requirements are coming and more competitors are there. So being in MedTech, if I think from a MedTech manufacturer's perspective, it's a really tough spot to be in. But I mean, there is room, not only room, but there is a big room for those MedTech innovators to grow and place their product in the market and make a strong market presence. Coming back to your point, I have seen in my own experience within regulatory consulting the submission that got rejected, that failed, because the cyber security part was not taken care of well. And I have learned the hard way, if you ask me personally, because we are not, for example, core cyber security experts. So, in that way, early on, we have seen the challenges of how the cyber security part was not well taken care of in your product development. When I talk about software, software as a medical device: if all the tests, including the pen test, have not been done correctly for the cyber security part, the FDA is very hard on it, and they're getting harder and harder on that part. So I fully agree, in line with you on that. Of course, oftentimes the MedTech innovator misses that, but people like you, people like us, should actually inform and educate. And I think the best way is to educate and bring the awareness. And of course, using a platform like this that we are speaking on here and different other activities that you are already doing in your organization. I think that is something that we can do, and you guys are doing pretty well to bring that awareness, presenting or bringing that to the table that yes, have that attention before you go to the FDA, look at your cyber security. And I'm telling you from my experience, but I'm sure that you have had multiple cases where you have had harder pushback from the FDA because of cyber security compliance.
Trevor: Yeah, it's unfortunately all too common. And exactly like you said, awareness is really the best thing that we can do about it. I know we're talking about all these problems, but I don't want it to sound like this is an impossible task to do. And if people didn't want to try to solve these problems, we wouldn't have so many of the incredible medical innovations that we see come across the door every day. That's honestly the best part about this job: seeing what amazing technologies people are making and what incredible problems people are solving. But I think, once you identify that, you know, there's a problem, someone's got to solve it, I want to be that someone, it's just understanding what does that journey look like? And what does that path look like? What are the different areas you have to go through? It shouldn't be a black box where you just say, "Well, I want to make a medical device," but you know, hopefully we'll see if this goes well. I think the more information you can have and the more transparency that we as the MedTech community can provide, the easier it's going to make it; we're going to see a lot more success stories if we're clear about what the expectations are and what people need to do there. So, I think we're going in the right direction. We're seeing a lot more awareness coming up about some of these problems. Cyber security specifically, we're seeing a lot of companies coming in earlier saying, hey, we recognize this is a problem and we want to work with someone to help us design this a bit more safely and effectively. So, I think that we're on a good trajectory there for sure.
Basant: Absolutely. Absolutely.
Trevor: Well, this has been a fantastic conversation and we're coming up on time here. Typically Christian is the one to do this, but since he's not here, I'll have to fill his shoes instead. So we like to go around the room and collect some last-minute insights. What are your key takeaways from this? And so I'll go ahead and start. If you were to sum this up, what do you want anyone listening to take away from this conversation? What would that be?
Basant: I think the takeaways that I see, I mean, we have touched upon a few topics, but I think the key takeaways for our audience, if we talk about what MedTech innovator startups should do early on in terms of their compliance as well as their quality management system implementation, I think this is key for them to take into consideration: what they must do before they hit the design and development, or they think about their compliance journey to get the registration, get their QMS certified. So, that's one part of the takeaway. And if I look at the second aspect we talked about, it is how AI can change the compliance journey of a MedTech innovator and how AI in their quality management system can enable their team to be more efficient compared to the conventional method. At the same time, how important it is to think early about the cyber security part. If an innovator is going towards EU MDR or US FDA or any other global regulation registration certification, cyber security is the key. So, I think going early for the quality management system implementation, using AI in the right way, as well as considering early the cyber security journey before it's too late or it becomes too costly. I think these are the three key takeaways from my perspective. What do you think, Trevor?
Trevor: Yeah, I think you touched upon all the right points there. I want to drill in a little bit more onto the AI points since of course, you know, in the security space, paranoia is what we do. But making sure that you're using this safely and effectively, having the human in the loop. We don't want to let AI run wild and try to take control over this process. We want to use it as a tool to assist and guide us throughout this process, and I think as long as we're doing that, it's an incredibly effective and incredibly powerful tool. And it's something that we're going to see, you know, RAQA professionals, cyber security professionals, software engineers, everyone being more effective and useful with their tasks. But I think we just need to understand there still needs to be that human in the loop. It can't be held accountable, and so we have to be the ones to be held accountable in its place.
Basant: Absolutely, fully agree with that.
Trevor: Awesome. Well, this has been a fantastic conversation. Thank you all for tuning into the Med Device Cyber Podcast and we'll see you next week.
Basant: Thank you, Trevor.