    Episode 23 · June 3, 2025 · 41m listen · 1,602 words · ~8 min read

    AI in Medical Devices: Opportunities & Regulation with Matt Lemay | Ep. 22 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 23 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This episode of The Med Device Cyber Podcast features Matt Lemay, CEO of Lemay.ai, discussing the critical intersection of AI in medical devices and regulatory compliance. The conversation delves into the challenges and opportunities for MedTech manufacturers in adopting AI, emphasizing the often-overlooked aspects of data governance, security, and long-term viability. A key focus is placed on ISO 42001, highlighting its emergence as a certifiable standard for AI management systems and its potential to integrate with existing medical device oversight frameworks. Lemay stresses the importance of considering the intended purpose of AI in medical devices, as it directly impacts certification needs and regulatory strategies. The discussion also covers significant cybersecurity risks, such as improper training data, data sovereignty issues, and the lack of robust version control for cloud-based AI models. The episode further explores the complex question of liability when AI is involved in diagnostic or treatment decisions, drawing parallels with professional engineering certifications and accountability structures. This podcast is a must-listen for product security teams, regulatory leads, and engineers navigating the evolving landscape of AI in medical devices, offering practical insights into secure AI development and deployment.

    Key takeaways from this episode

    • ISO 42001 is emerging as a certifiable standard for Artificial Intelligence management systems, offering a new pathway for external verification of AI used in medical devices.
    • The purpose of Artificial Intelligence within a medical device significantly influences the necessary certification and regulatory strategy, distinguishing between exploratory data science and diagnostic decision-making.
    • Critical cybersecurity risks for Artificial Intelligence in medical devices include improper training data, data sovereignty concerns, and the lack of robust version control for cloud-based models that can lead to performance degradation.
    • Establishing clear liability for Artificial Intelligence-driven medical decisions is complex, necessitating frameworks akin to professional engineering certifications where an individual is accountable for the design and deployment of intelligent agents.
    • When designing Artificial Intelligence for medical devices, it is crucial to consider the deployment environment from the outset, including whether the AI will run on a wearable, smartphone, or in the cloud, to ensure performance and address latency and connectivity challenges.
    • To ensure long-term viability and maintain performance, complex Artificial Intelligence models can be converted into simpler math-based representations like polynomials, significantly reducing computational requirements and making them suitable for low-power microcontrollers.

    Full episode transcript

    Page 1 of 2 · Paragraphs 1 - 15
    Hello and welcome back to another episode of the Med Device Cyber Podcast. Today we're going to talk about artificial intelligence in medical devices as well as AI in regulated industries. We have a special guest on today, Matt Lemay, who is the CEO of Lemay.ai. How are you doing today, Matt?

    I'm good. Thanks for having me. It's going to be a good conversation. Looking forward to it.

    Yeah, a little bit of context. Melissa and I met Matt on the cultural tour, I believe it was at MedTech World Dubai. Then Matt gave me this awesome book here, The 50 Inventions That Shaped the Modern Economy. I haven't started reading it yet. I just got it a couple days ago, but I've kind of thumbed through it. It looks pretty awesome.

    Absolutely. So, Christian and I were in the lobby of the Intercontinental at Festival City, and you just see a group of people that are all CEOs and co-founders and engineers in medical devices. Everyone's in shorts and flip-flops and polos going on a tour. It was great conversations all around. I'm definitely looking forward to the next MedTech World event.

    Yeah, for sure. So you want to give us a little context about what you do, Matt, what your organization does, and spend a little bit on MedTech since we're focused on MedTech?

    Absolutely. Well, I think MedTech definitely shaped the entire growth of our organization. So my team, Lemay.ai, we're a team of 30 people, about 85% engineers that specialize in helping clients on their AI adoption journey, specifically in regulated industries including MedTech. We do this by delivering tailored AI solutions at whatever stage you're at. So if you need strategic guidance on which projects you should implement, if you need some core implementation support, if you need some scale-up or even now regulatory approval as AI is becoming more and more relevant in each one of these regulated industries, we have a framework for helping clients along this journey.

    Specifically about myself, I actually came from a medical device startup where we implemented ISO 13485 from scratch, where I met my now co-founder, Daniel. We did a lot of work back in the day, not just in systematizing our design and development processes to be able to achieve CE mark, FDA approval processes, Health Canada approval. Each one of those compliance mechanisms requires a certain amount of oversight, and that's what helps shape how we actually do AI. So part of what we do now and how we do it is heavily influenced by engineering principles that are required to comply with a lot of these emerging standards.

    So when would an organization, like say a MedTech manufacturer, when would they want to engage with you if they're going to do, let's say, image enhancement using AI on software as a medical device?

    That's a fantastic question. There's a lot of ways of approaching it, and the simple answer is somewhere between not yet and five years ago. So, at the not yet level, what we're seeing in the regulatory changes in the landscape is a lot of people have been pushing for various governance frameworks on how to do safe AI. The thing with a lot of these governance frameworks is that they're hard to audit and they're hard to verify and therefore hard to include in a lot of these medical device oversight frameworks and audit processes. What we're seeing right now is that there's actually a lot of work happening under one particular standard, ISO 42001, which specifically prescribes how to manage your AI systems. So 42001 is being called AI management systems. What we find very, very interesting with that standard is that it is certifiable. So for the first time, you can have an AI included in your medical devices that is able to be verified by an external third party.

    When it comes to image recognition, what you also have to keep in mind is what is the purpose of this image recognition, which will immediately impact the strategy that you want to pursue and whether or not a team like ours actually makes sense. So if you say, I want to do exploratory data science and I want to look at the pictures of dermatology, X-ray, I want to look at cells at the microscopic level to understand how they're moving, how they're understanding, and your intent at that level is much more investigative, it's much more open-ended, then you really don't need a lot of certification. You can actually engage in that direction; as long as you are in respect with GDPR and a lot of these data protection mechanisms, you're going to be fine. Where you have to tread a bit more carefully is when you start making diagnostic calls or when you start having a lot of decisions being automated through the information that you see.