Episode 32 · February 19, 2026 · 37m listen · 4,044 words · ~20 min read

The Hidden Cybersecurity Risks When Doctors Use AI Diagnostics | Ep. 58 - Full Transcript | The Med Device Cyber Podcast

Read the complete, searchable transcript of Episode 32 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

Prefer the listening experience? Open the episode page for the synopsis, key takeaways, topics, and Apple / YouTube listen links.

Episode summary

In this episode of the Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by special guest Jun Xiang Tan, the owner of TuringLabs, who is currently working with a health-tech startup in Singapore. Jun Xiang brings a unique perspective, with a background in military cybersecurity and network forensics before transitioning into the AI and health-tech space. The conversation centers on the burgeoning use of Artificial Intelligence in healthcare and the significant, often overlooked, cybersecurity challenges it presents. The discussion kicks off by highlighting the alarming trend of 'shadow IT' in clinical settings. Christian Espinosa points out that studies show almost 25% of clinicians use unauthorized AI tools like ChatGPT for diagnostic support. Jun Xiang elaborates on this, noting the convenience for doctors to quickly input patient symptoms, text, or even upload X-ray images to get instant feedback. This practice, however, introduces massive data privacy and compliance risks, as sensitive Protected Health Information (PHI) is fed into public models that may use it for future training, essentially creating a major data breach. The podcast then delves into the core vulnerabilities of AI systems themselves. A primary concern raised is data poisoning, a type of adversarial attack where the AI's training data is manipulated. The hosts discuss a case where poisoning just 0.001% of the training data resulted in a 5% increase in incorrect outputs. In a healthcare context, such inaccuracies could lead to misdiagnoses and severe patient harm, underscoring the 'garbage in, garbage out' principle. The conversation also scrutinizes the quality of AI-generated code. Citing recent statistics, Christian notes that nearly 50% of code written by AI introduces new security vulnerabilities, such as cross-site scripting. This is largely because AI models are trained on vast repositories of public, open-source code from platforms like Stack Overflow, much of which is outdated, insecure, or written by inexperienced developers. The AI, therefore, learns and replicates these poor security practices, creating bloated and vulnerable codebases that require significant manual effort to clean up and secure. The episode contrasts the rapid, often unregulated development of commercial AI with the stringent, safety-critical standards of the medical device industry, such as IEC 62304. This standard dictates a rigorous, safe development lifecycle that current AI tools cannot replicate. The hosts and guest conclude that while AI offers powerful capabilities as a support tool—a 'pair programmer' or a clinical decision support system—it cannot be trusted to operate autonomously. The risk of hallucinations, biases, and security flaws necessitates constant human oversight. The ultimate message is to guide the AI, not let it guide you, by providing it with clear requirements and verifying its output, ensuring that patient safety remains the paramount concern.

Key takeaways from this episode

A significant number of clinicians (almost 25%) are using unauthorized AI tools like ChatGPT for diagnostic help, creating major privacy and compliance risks by uploading sensitive patient data.
AI models are vulnerable to 'data poisoning,' where a minuscule amount of corrupted training data can lead to a disproportionately high rate of incorrect and potentially harmful outputs.
Nearly 50% of AI-generated code introduces security vulnerabilities like cross-site scripting because the models are often trained on insecure, outdated, or low-quality public code.
The convenience of AI is a primary driver of its adoption in healthcare, but it can lead to unintentional data breaches and HIPAA violations when PHI is entered into public systems.
Medical software development is governed by strict safety standards like IEC 62304, which emphasizes a controlled and secure lifecycle that contrasts with the rapid, less-regulated nature of commercial AI development.
The 'garbage in, garbage out' principle is critical for AI in healthcare; models trained on unreliable or biased data will produce flawed results with potentially severe consequences for patient safety.
AI should be treated as a guided tool or a 'pair programmer,' not an autonomous decision-maker. Human oversight is essential to define requirements, verify outputs, and mitigate inherent risks.

Full episode transcript

A lot of physicians or clinicians, almost 25% are using AI in an unauthorized manner without any real controls around that. It is so convenient to just take up your phone while you are going around rounds in a hospital or even as a general practitioner in the clinic. To take out ChatGPT, just type in a few phrases, to either diagnose the patient using text or even you have an X-ray imagery, you just send it to ChatGPT and ask it to spot any anomalies. .001% of training data resulted in a 5% increase in wrong outputs. If you're training your AI on bad data, it's going to give you bad output every single time. Almost 50% of AI generated code introduces vulnerabilities such as cross-site scripting. In the medical space IEC 62304 dictates the way that medical software needs to be developed in a safe fashion. Is this becoming a bigger problem than we think? Hello and welcome back to the Med Device Cyber Podcast. We have here your usual co-hosts, Trevor Slattery and Christian Espinosa. And then we have a very special guest coming in from Singapore as well. Today we're going to be talking about some really exciting things with code security as well as how AI has helped it and in some ways how it's hurt it. And what we can do to make sure that we're developing safer code within the medical space. I want to start by turning it over to you, Jun, to do a little bit of an intro and some background on yourself and then we can go ahead and jump right in. Yeah. Uh very good morning to Christian and Trevor. So, thank you for having me on the podcast. Uh so a bit of background of myself. I was actually not from the health and med tech space. I started off with the military, spent four years there, did network forensics or cybersecurity space. Decided I uh wanted to do something new, so I went out, I did prototyping uh AI systems in a software agency that I run on my own. And now I'm currently with a health tech startup, Caregiver, which uh helps doctors make more informed decisions on their patients' data using AI. Isn't it mandatory in Singapore to join the military for a while? Oh yes, definitely. Yeah, we have to serve two years. Usually that it's before our university. I would spend two years before, yeah, we go to spend the four years on our university. I think they need to make it mandatory in the United States. It would probably solve a lot of our problems with our younger generations, I think. Is there a manpower uh gap in the US or usually I I do see a lot of people joining the military. There's no gap of manpower in the US, but there is a Christian's alluding to the gap in a gap in a few other areas about the US. Ah, okay, got it. Discipline, hard work, ownership. Yeah, just a few. Yes, the military does train you up on that. I learned quite a bit uh makes you, I mean, the first two weeks we would uh how they do it is the first two weeks you just stay in camp throughout. That's kind of like the first touch point for many young people where they leave their families for a two weeks, yeah before they return home uh once every week on the weekends. Yeah, I was part of the military in the United States. Trevor wasn't part of the military, but his parents kind of threw him out in the jungle and made him track for himself I think, right? Yeah, I got the, I got to grow up in Central America out in Belize and so it was a very fun, very interesting environment compared to the typical US upbringing. Oh, that's interesting. How long were you, did you have to stay out for or were you by yourself or? Yeah, they, um, I remember I was probably 12 years old and my dad got me this big pole spear and he was like, "Okay, go out and go hunt fish and lobster." And I was just like, "Awesome. See you in five years." And then became obsessed with spearfishing from there and so it was a, it was a fun, fun time for sure. Awesome. So let's uh get into AI a little bit because I know one of your specialties uh Jun is uh AI. And before we were hit record, we were talking about some of the challenges with AI, and some of the emerging AI threats to healthcare. I think our audience would find some of those interesting. I think one of the things you brought up is that a lot of physicians or clinicians, almost 25% are using AI in an unauthorized manner without any real controls around that. Maybe could you elaborate a little bit on that?

1 / 5